I'm wanting to add One-Click unsubscribe option as per the requirements from Google/Yahoo. I've investigate the webapp provided by Adobe but have a concern. This webapp will unsubscribe a person without any interaction whether you send a POST or GET request. I've seen many recommendations/warnings on the web that you should never allow any form of One-Click unsubscribe via GET even if the url is in the header of the email.
Has anyone else had experience of this? How have they solved it? What can you do to discover if the webapp request came from a POST or GET call.
The Adobe web app can be found in the XML hyperlink on this page
Solved! Go to Solution.
Topics help categorize Community content and increase your ability to discover relevant content.
Views
Replies
Total Likes
The List-Unsubscribe-Post: List-Unsubscribe=One-Click does not stop email clients or email client protection systems sending GET requests, it's only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.
Therefore it does not protect your OneClick unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.
The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.
The way to protect your webapp is to add a test on the request.method variable. If this = POST then perform the unsubscribe, however if it equals anything do not unsubscribe the recipient
Views
Replies
Total Likes
Hi @dmoorethree,
Some email protection systems perform analysis of the email source code to identify any malicious links. To do that they'd perform HTTP GET requests to those links to see what happens. This can trigger unwanted unsubscribes. To avoid that the JSSP should only perform actions when called using HTTP POST requests. You can advise email clients to send HTTP POST requests in the background (when the user clicks the button) by setting an additional header:
List-Unsubscribe-Post: List-Unsubscribe=One-Click |
The value in this header must be the fixed string "List-Unsubscribe=One-Click" that is sent in the HTTP request body during the HTTP POST request (compare RFC 8058, https://www.rfc-editor.org/rfc/rfc8058). E.g.:
List-Unsubscribe: <https://www.brandname.com/cus/unsubscribe.jssp?messageId=someMessageId> List-Unsubscribe-Post: List-Unsubscribe=One-Click |
That way, if some analysis software opens any links found in the email source, it will not trigger unwanted unsubscriptions and still the List-Unsubscribe feature is supported.
Regards,
Pavan Nauhwar
Views
Replies
Total Likes
The List-Unsubscribe-Post: List-Unsubscribe=One-Click does not stop email clients or email client protection systems sending GET requests, it's only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.
Therefore it does not protect your OneClick unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.
The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.
The way to protect your webapp is to add a test on the request.method variable. If this = POST then perform the unsubscribe, however if it equals anything do not unsubscribe the recipient
Views
Replies
Total Likes
Hello @dmoorethree
Within in the same JSSP, You can add one condition to check if the response was GET or POST.
Code to allow POST request Only
if( request.method !== "POST" ) {
document.write("METHOD NOT ALLOWED");
}
Views
Replies
Total Likes
Hi Dmoore,
Have you tested this personally?
I've tested all combinations but stand alone post never works - I do not see unsub link in gmail - header, to.
If i add mail to then its visible.
Other forums are saying
Nothing works.
If it works for you by using jssp in post then can you please post your jssp code and SMTP header as well
IMHO i think no one has cracked the post method, everyone is saying what adobe is suggesting and no one has the success
Best
Vedant
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies