• TedvdB
    35 · 3 months ago

    Yes, e.g. Outlook replaces links in mails so they can scan the site first. Also some virus scanners offer mail protection, checking the site that's linked to first, before allowing the mail to end up in the user's mail client.

    That's why you never take actions on a GET request, but require a form with a button for the user to do a POST.

    • TrumpetX
      11 · 3 months ago

      It can be worse, we had to add a captcha for those link scanners because they'd submit the forms and invalidate tokens too :(
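      Added example (not code from either commenter): a minimal pure-function request handler for a hypothetical `/unsubscribe` endpoint that follows the rule above. GET only renders a confirmation form and never changes state, so a mail client or scanner that prefetches the link is harmless; the state change happens only on POST with a single-use token. The same single-use token is what a form-submitting scanner would consume, which is the failure mode that prompted the captcha in the comment above (the captcha itself is not shown). The store, e-mail address and route are constructed for the example.

```python
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    """Constructed in-memory state: current subscribers and outstanding one-time tokens."""
    subscribed: set = field(default_factory=lambda: {"alice@example.test"})
    tokens: dict = field(default_factory=dict)  # token -> e-mail it was issued for


def issue_token(store: Store, email: str) -> str:
    """Mint an unguessable, single-use token to embed in the e-mailed link."""
    tok = secrets.token_urlsafe(16)
    store.tokens[tok] = email
    return tok


def handle(store: Store, method: str, path: str, params: dict) -> tuple:
    """Hypothetical router returning (status, body).

    GET is safe: it validates the token and renders a form, nothing more.
    POST performs the action and consumes the token so it cannot be replayed.
    """
    if path != "/unsubscribe":
        return 404, "not found"
    tok = params.get("token")

    if method == "GET":
        # Link scanners, preview generators and prefetching mail clients land here.
        if tok not in store.tokens:
            return 400, "invalid or expired link"
        safe_tok = html.escape(tok, quote=True)
        return 200, (
            '<form method="POST" action="/unsubscribe">'
            f'<input type="hidden" name="token" value="{safe_tok}">'
            "<button>Confirm unsubscribe</button></form>"
        )

    if method == "POST":
        # pop() makes the token single use: a second submission is rejected.
        email = store.tokens.pop(tok, None)
        if email is None:
            return 400, "invalid or expired token"
        store.subscribed.discard(email)
        return 200, f"{email} unsubscribed"

    return 405, "method not allowed"


def walkthrough() -> dict:
    """Run the scanner-then-user sequence and report what each step did."""
    store = Store()
    tok = issue_token(store, "alice@example.test")
    scanner = handle(store, "GET", "/unsubscribe", {"token": tok})
    still_subscribed = "alice@example.test" in store.subscribed
    user = handle(store, "POST", "/unsubscribe", {"token": tok})
    replay = handle(store, "POST", "/unsubscribe", {"token": tok})
    return {
        "scanner_get_status": scanner[0],
        "subscribed_after_get": still_subscribed,
        "user_post": user,
        "replay_status": replay[0],
        "subscribed_after_post": "alice@example.test" in store.subscribed,
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

      The walkthrough shows the two properties that matter: the GET leaves the subscription untouched, and once the POST has consumed the token a replay is refused. A scanner that submits the form instead of merely fetching the link would consume the token in the same way, leaving the real user with an "expired" page, which is exactly why an extra human-only step was needed in the case described above.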

      • @jaybone
        4 · 3 months ago

        Wow. That sounds terrible. Good to know.

    • @[email protected]
      2 · 3 months ago

      > e.g. Outlook replaces links in mails so they can scan the site first. Also some virus scanners offer mail protection, checking the site that's linked to first, before allowing the mail to end up in the user's mail client.

      Proofpoint does this too, but AFAIK they all just change the link rather than go to it. The link is checked when the user actually clicks on it. Makes sense to do it on demand because the contents of the link can change between when the email is received and when the user actually clicks it.