• TedvdB@feddit.nl
      link
      fedilink
      arrow-up
      35
      ·
      5 months ago

      Yes, e.g. outlook replaces links in mails so they can scan the site first. Also some virusscanners offer nail protection, checking the site that’s linked to first, before allowing the mail to end up in the user’s mail client.

      Thats why you never take actions on a GET request, but require a form with button for the user to do a POST.

      • TrumpetX@programming.dev
        link
        fedilink
        English
        arrow-up
        11
        ·
        5 months ago

        It can be worse, we had to add a captcha for those link scanners cause they’d submit the forms and invalidate tokens too:(

      • dan@upvote.au
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        e.g. outlook replaces links in mails so they can scan the site first. Also some virusscanners offer nail protection, checking the site that’s linked to first, before allowing the mail to end up in the user’s mail client.

        Proofpoint does this too, but AFAIK they all just change the link rather than go to it. The link is checked when the user actually clicks on it. Makes sense to do it on-demand because the contents of the link can change between when the email is received and when the user actually clicks it.

    • Malix@sopuli.xyz
      link
      fedilink
      arrow-up
      19
      ·
      edit-2
      5 months ago

      Yep. Apparently outlook does this and afaik because some kind of link sniffing/scam detection/whatever, but it does it by changing the first characters of each query argument around.

      We spent amazingly long time figuring that one out. “Who the hell has gotten Microsoft service querying our app with malformed query args and why”