Expand my Community achievements bar.

Announcing the launch of new sub-community for Campaign Web UI to cater specifically to the needs of Campaign Web UI users!
Read more
SOLVED

List-Unsubscribe One-Click Webapp

Avatar

Level 1
Level 1
2/27/24 4:50:16 AM

I'm wanting to add One-Click unsubscribe option as per the requirements from Google/Yahoo. I've investigate the webapp provided by Adobe but have a concern. This webapp  will unsubscribe a person without any interaction whether you send  a POST or GET request. I've seen many recommendations/warnings on the web that you should never allow any form of One-Click unsubscribe via GET even if the url is in the header of the email.

 

Has anyone else had experience of this? How have they solved it? What can you do to discover if the webapp request came from a POST or GET call. 

 

The Adobe web app can be found in the XML hyperlink on this page 

 https://experienceleague.adobe.com/docs/deliverability-learn/deliverability-best-practice-guide/addi...

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Campaign Classic v7

Views

844

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 1
Level 1
2/27/24 9:14:55 AM
In response to pavan_nauhwar

The List-Unsubscribe-Post: List-Unsubscribe=One-Click  does not stop email clients or email client protection systems sending GET requests, it's only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.

Therefore it does not protect your OneClick unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.

The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.

The way to protect your webapp is to add a test on the request.method variable.  If this = POST then perform the unsubscribe, however if it equals anything do not unsubscribe the recipient

View solution in original post

Views

802

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Employee
Employee
2/27/24 6:50:38 AM

Hi @dmoorethree,

Some email protection systems perform analysis of the email source code to identify any malicious links. To do that they'd perform HTTP GET requests to those links to see what happens. This can trigger unwanted unsubscribes. To avoid that the JSSP should only perform actions when called using HTTP POST requests. You can advise email clients to send HTTP POST requests in the background (when the user clicks the button) by setting an additional header:

List-Unsubscribe-Post: List-Unsubscribe=One-Click

 

The value in this header must be the fixed string "List-Unsubscribe=One-Click" that is sent in the HTTP request body during the HTTP POST request (compare RFC 8058, https://www.rfc-editor.org/rfc/rfc8058). E.g.:

List-Unsubscribe-Post: List-Unsubscribe=One-Click

 

That way, if some analysis software opens any links found in the email source, it will not trigger unwanted unsubscriptions and still the List-Unsubscribe feature is supported.

 

Regards,
Pavan Nauhwar

Views

823

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 1
Level 1
2/27/24 9:14:55 AM
In response to pavan_nauhwar

The List-Unsubscribe-Post: List-Unsubscribe=One-Click  does not stop email clients or email client protection systems sending GET requests, it's only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.

Therefore it does not protect your OneClick unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.

The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.

The way to protect your webapp is to add a test on the request.method variable.  If this = POST then perform the unsubscribe, however if it equals anything do not unsubscribe the recipient

Views

803

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Community Advisor
Community Advisor
2/27/24 6:21:10 PM
In response to dmoore2607

Hello @dmoorethree 

 

Within in the same JSSP, You can add one condition to check if the response was GET or POST.

 

Code to allow POST request Only

 if( request.method !== "POST" ) {
document.write("METHOD NOT ALLOWED");
}

 


     Manoj
     Find me on LinkedIn

Views

785

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
"Email_Client_Unsubscribe" "List-Unsubscribe-Post" Solved

Views

185

Likes

0

Replies

6
Implementing one-click list unsubscribe without sending subscribers to the denylist Solved

Views

407

Likes

0

Replies

6
Change pressure rule based on delivery's label? Solved

Views

139

Likes

0

Replies

1
Can we use on a workflow variables used on a previous email ? Solved

Views

188

Like

1

Replies

2
One Click - List unsubscribe

Views

81

Likes

0

Replies

2