List-Unsubscribe One-Click Webapp | Community
New Member
February 27, 2024
Solved

List-Unsubscribe One-Click Webapp


I'm wanting to add a One-Click unsubscribe option as per the requirements from Google/Yahoo. I've investigated the webapp provided by Adobe but have a concern. This webapp will unsubscribe a person without any interaction whether you send a POST or GET request. I've seen many recommendations/warnings on the web that you should never allow any form of One-Click unsubscribe via GET even if the URL is in the header of the email.

Has anyone else had experience of this? How have they solved it? What can you do to discover if the webapp request came from a POST or GET call?


The Adobe web app can be found in the XML hyperlink on this page 

 https://experienceleague.adobe.com/docs/deliverability-learn/deliverability-best-practice-guide/additional-resources/campaign/acc-technical-recommendations.html?lang=en


pavan_nauhwar
Adobe Employee
February 27, 2024

Hi @dmoorethree,

Some email protection systems perform analysis of the email source code to identify any malicious links. To do that they'd perform HTTP GET requests to those links to see what happens. This can trigger unwanted unsubscribes. To avoid that the JSSP should only perform actions when called using HTTP POST requests. You can advise email clients to send HTTP POST requests in the background (when the user clicks the button) by setting an additional header:

List-Unsubscribe-Post: List-Unsubscribe=One-Click


The value in this header must be the fixed string "List-Unsubscribe=One-Click" that is sent in the HTTP request body during the HTTP POST request (compare RFC 8058, https://www.rfc-editor.org/rfc/rfc8058). E.g.:

List-Unsubscribe-Post: List-Unsubscribe=One-Click


That way, if some analysis software opens any links found in the email source, it will not trigger unwanted unsubscriptions and still the List-Unsubscribe feature is supported.


Regards,
Pavan Nauhwar

dmoore2607
Accepted solution
February 27, 2024

The List-Unsubscribe-Post: List-Unsubscribe=One-Click does not stop email clients or email client protection systems sending GET requests; its only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.

Therefore it does not protect your OneClick unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.

The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.

The way to protect your webapp is to add a test on the request.method variable. If this = POST then perform the unsubscribe; however, if it equals anything else, do not unsubscribe the recipient.
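
The method check described in the accepted answer, as an added example that is not part of the original thread and is not Adobe Campaign JSSP code. It is a framework-neutral JavaScript sketch: the request shape, the `token` query parameter and the `unsubscribe` callback are assumptions, and only urlencoded POST bodies are handled.

```javascript
// Added example: framework-neutral sketch, not Adobe Campaign JSSP code.
// Assumed request shape: { method, query: { token }, body } with a urlencoded body.
// `token` and the `unsubscribe` callback are hypothetical names.

function parseForm(body) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(body || "")) fields[key] = value;
  return fields;
}

function handleUnsubscribe(req, unsubscribe) {
  const token = req.query && req.query.token;
  if (!token) return { status: 400, body: "missing token" };

  if (req.method === "POST") {
    // Act only on the fixed key/value pair announced in List-Unsubscribe-Post.
    if (parseForm(req.body)["List-Unsubscribe"] !== "One-Click") {
      return { status: 400, body: "not a one-click request" };
    }
    unsubscribe(token);
    return { status: 200, body: "unsubscribed" };
  }

  if (req.method === "GET" || req.method === "HEAD") {
    // Link scanners and prefetchers arrive here: render a confirmation
    // form that POSTs the same field, and change nothing.
    const form = '<form method="post">' +
      '<input type="hidden" name="List-Unsubscribe" value="One-Click">' +
      '<button>Confirm unsubscribe</button></form>';
    return { status: 200, body: req.method === "HEAD" ? "" : form };
  }

  return { status: 405, headers: { Allow: "GET, HEAD, POST" }, body: "" };
}

// Constructed requests: a scanner's GET, then a mail client's one-click POST.
function demo() {
  const removed = [];
  const record = (t) => removed.push(t);
  const get = handleUnsubscribe({ method: "GET", query: { token: "tok-1" } }, record);
  const afterGet = removed.length;
  const post = handleUnsubscribe(
    { method: "POST", query: { token: "tok-1" }, body: "List-Unsubscribe=One-Click" }, record);
  return { getStatus: get.status, afterGet, postStatus: post.status, removed };
}
console.log(demo());
```

A person who opens the link in a browser gets the confirmation form, and submitting it goes through the same POST branch as a mail client's one-click request.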

May 23, 2024

Hi Dmoore,

Have you tested this personally?

I've tested all combinations but stand-alone POST never works - I do not see the unsub link in Gmail - header, to.
If I add mail to then it's visible.
Other forums are saying:

  1. Use JSSP
  2. Don't use JSSP
  3. Use only web app
  4. Move web app code to typology

Nothing works.

If it works for you by using JSSP in POST then can you please post your JSSP code and SMTP header as well?

IMHO I think no one has cracked the POST method; everyone is saying what Adobe is suggesting and no one has had success.

Best

Vedant