SOLVED

List-Unsubscribe One-Click Webapp

I'm wanting to add a One-Click unsubscribe option as per the requirements from Google/Yahoo. I've investigated the webapp provided by Adobe but have a concern. This webapp will unsubscribe a person without any interaction whether you send a POST or GET request. I've seen many recommendations/warnings on the web that you should never allow any form of One-Click unsubscribe via GET, even if the URL is in the header of the email.

 

Has anyone else had experience of this? How have they solved it? What can you do to discover if the webapp request came from a POST or GET call?

 

The Adobe web app can be found in the XML hyperlink on this page 

 https://experienceleague.adobe.com/docs/deliverability-learn/deliverability-best-practice-guide/addi...

1 Accepted Solution

The List-Unsubscribe-Post: List-Unsubscribe=One-Click does not stop email clients or email client protection systems sending GET requests; its only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.

Therefore it does not protect your One-Click unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.

The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.

The way to protect your webapp is to add a test on the request.method variable. If this = POST then perform the unsubscribe; however, if it equals anything else, do not unsubscribe the recipient.

4 Replies

Employee

Hi @dmoorethree,

Some email protection systems perform analysis of the email source code to identify any malicious links. To do that they'd perform HTTP GET requests to those links to see what happens. This can trigger unwanted unsubscribes. To avoid that the JSSP should only perform actions when called using HTTP POST requests. You can advise email clients to send HTTP POST requests in the background (when the user clicks the button) by setting an additional header:

List-Unsubscribe-Post: List-Unsubscribe=One-Click

 

The value in this header must be the fixed string "List-Unsubscribe=One-Click" that is sent in the HTTP request body during the HTTP POST request (compare RFC 8058, https://www.rfc-editor.org/rfc/rfc8058). E.g.:

List-Unsubscribe-Post: List-Unsubscribe=One-Click

 

That way, if some analysis software opens any links found in the email source, it will not trigger unwanted unsubscriptions and still the List-Unsubscribe feature is supported.

 

Regards,
Pavan Nauhwar

Community Advisor

Hello @dmoorethree 

 

Within the same JSSP, you can add one condition to check if the response was GET or POST.

 

Code to allow POST requests only

if( request.method !== "POST" ) {
  // Not a POST: report the error; the unsubscribe logic must not run for this request
  document.write("METHOD NOT ALLOWED");
}

 


Manoj
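The checks discussed in this thread, put together as an added example that is not part of the original posts and is not Adobe's web app or JSSP code: a plain JavaScript (Node.js) dispatcher that changes state only on POST, treats GET as a read-only confirmation page, and checks the RFC 8058 body value. The `store`, the `t` token parameter, the confirmation form and the sample requests are assumptions constructed for illustration, and only `application/x-www-form-urlencoded` bodies are handled.

```javascript
// Added example (not Adobe's web app): the store, token parameter "t" and
// sample requests are constructed for illustration.
const store = new Map([["tok-abc", { email: "user@example.com", subscribed: true }]]);

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  const out = {};
  for (const [key, value] of new URLSearchParams(body || "")) out[key] = value;
  return out;
}

function handleUnsubscribe(req, db) {
  const token = new URL(req.url, "https://mail.example").searchParams.get("t");
  const recipient = token ? db.get(token) : undefined;
  if (!recipient) return { status: 404, body: "Unknown link" };

  if (req.method === "GET" || req.method === "HEAD") {
    // Link scanners and prefetchers arrive here: show a form, change nothing.
    return { status: 200, body: '<form method="POST"><button name="confirm" value="1">Unsubscribe</button></form>' };
  }
  if (req.method !== "POST") {
    return { status: 405, headers: { Allow: "GET, HEAD, POST" }, body: "METHOD NOT ALLOWED" };
  }
  const form = parseForm(req.body);
  // Accept the RFC 8058 one-click body, or the confirmation form above.
  if (form["List-Unsubscribe"] === "One-Click" || form.confirm === "1") {
    recipient.subscribed = false;
    return { status: 200, body: "Unsubscribed" };
  }
  return { status: 400, body: "Missing List-Unsubscribe=One-Click" };
}

// Constructed traffic: a scanner's GET, then the mail client's one-click POST.
function runDemo() {
  const url = "/unsubscribe?t=tok-abc";
  const afterGet = handleUnsubscribe({ method: "GET", url }, store);
  const stillSubscribed = store.get("tok-abc").subscribed;
  const emptyPost = handleUnsubscribe({ method: "POST", url, body: "" }, store);
  const oneClick = handleUnsubscribe({ method: "POST", url, body: "List-Unsubscribe=One-Click" }, store);
  return { afterGet, stillSubscribed, emptyPost, oneClick, finalState: store.get("tok-abc").subscribed };
}

console.log(runDemo());
```

Replaying a scanner-style GET against a test recipient and confirming the subscription flag is unchanged is a quick regression check for any unsubscribe endpoint.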

Hi Dmoore,

Have you tested this personally?

I've tested all combinations but standalone POST never works - I do not see the unsub link in Gmail - header, to.
If I add mailto then it's visible.
Other forums are saying:

  1. Use JSSP
  2. Don't use JSSP
  3. Use only web app
  4. Move web app code to typology

Nothing works.

If it works for you by using JSSP in POST, then can you please post your JSSP code and SMTP header as well?

IMHO I think no one has cracked the POST method; everyone is saying what Adobe is suggesting and no one has had success.

Best

Vedant