Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-25 Thread Florian Apolloner
Hi Collin, it is not (just) about links, it is mainly about stylesheets/js. But we can set a header on that view: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy This should work for every browser != IE/Edge. Cheers, Florian On Friday, February 22, 2019 at 9:35:53

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-22 Thread Curtis Maloney
On 2/23/19 7:35 AM, Collin Anderson wrote: I wouldn't mind just rolling back the security fix (or maybe making a straightforward way to enable/disable the behavior). We could instead encourage people to use on any links (from the password reset page) to untrusted urls. I don't think it would

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-22 Thread Collin Anderson
I wouldn't mind just rolling back the security fix (or maybe making a straightforward way to enable/disable the behavior). We could instead encourage people to use on any links (from the password reset page) to untrusted urls. On Friday, February 22, 2019 at 5:03:01 AM UTC-5, Henrik Ossipoff

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-22 Thread Henrik Ossipoff Hansen
Just wanted to chime in and say we also experienced this issue. We ended up having to revert the security fix that was added to the view in Django just to avoid the flood of customers reporting they couldn't reset their passwords on our apps anymore - so I'm assuming this affects a lot of users

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-21 Thread Mat Gadd
You can see this in action yourself using Chrome's Dev Tools. Open Dev Tools, then their Settings, and turn on "Auto-open DevTools for popups". Then, click any link in the Gmail web app. You'll see you go via google.com/url?q=original_url_here. Since they're doing this with JavaScript, the links

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-21 Thread Mat Gadd
Exactly that, yes. We've disabled all click tracking that we can, but Gmail has its own redirect which causes Safari's privacy features to kick in. (Some?) Gmail users are unable to use the password reset emails. On Thursday, 21 February 2019 01:03:54 UTC, Philip James wrote: > > Mat, are you

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-20 Thread Philip James
Mat, are you saying you're seeing Safari still blocking, even with click tracking turned off, because GMail itself is inserting a redirect? PJJ http://philipjohnjames.com On Wed, Feb 20, 2019 at 4:46 AM Mat Gadd wrote: > We're also now seeing Gmail users complain that the password reset links

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-02-20 Thread Mat Gadd
We're also now seeing Gmail users complain that the password reset links don't work, even after we disabled click tracking. It seems that Google are inserting their own click tracking into users' emails, which is… weird? The markup of links is transformed to the following (where … is our

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-01-23 Thread Perry Roper
It would appear that this affects a large number of users. We're also experiencing this in the following configurations. - Mailgun click tracking enabled + Safari 12.0 on MacOS or any browser in iOS 12 - Clicking the link in the Gmail app or web app (Mailgun click tracking disabled) + Safari

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2019-01-16 Thread René Fleschenberg
Hey, I ran into this today. I am reusing the password reset views for user signup, so it affects me quite heavily :) No idea if it is going to be of any use, but I sent a report on https://www.apple.com/feedback/safari.html with links to your ticket and this discussion. I will try to get my

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-26 Thread Mat Gadd
Ah, I forgot to include it here, sorry – it's on the ticket linked in my original message: […] "Protection Against First Party Bounce Trackers" feature of Safari on macOS and iOS, as described on the WebKit blog. On Monday,

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-26 Thread Florian Apolloner
On Monday, November 26, 2018 at 10:28:07 AM UTC+1, Mat Gadd wrote: > > Florian, it's not strictly an "internal redirect on a page", but the > combination of being bounced from a different domain to our site, and then > our site immediately performing its own redirect. If the links were >

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-26 Thread Mat Gadd
Hi both, Adam, you're right that the email provider is rewriting the URLs to point to their server which then redirects to our site. The contrib.auth module then performs *another* redirect which appears to cause the privacy feature to kick in. If Django didn't perform a redirect then it would

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-25 Thread Florian Apolloner
I guess it would help to know how Safari's tracking protection does work (I do not own a Mac) -- it seems hard to imagine that an internal redirect on a page triggers the protection. In that sense it seems more like an ISP-problem like Adam pointed out. On Sunday, November 25, 2018 at 9:39:28

Re: Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-25 Thread Adam Johnson
It sounds to me that this is your email provider rewriting the link to go through their tracking site, and Safari now blocks the tracking site. I don't see how Django can do anything around this - the "internal token redirect" (which I guess means a Django generated redirect from one page to another

Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

2018-11-22 Thread Mat Gadd
Hi all, I raised a ticket regarding this and was directed here to discuss the topic. The summary is that the combination of using click-tracking redirects (which are popular with a variety of email providers) with the Django contrib.auth password