The mailing list for listmasters using Sympa

["Roger B.A. Klorese" <address@concealed>]

On 3/8/14, 10:08 PM, Steve Shipway wrote:
> We have a Webdropoff system here that uses one-time tickets under certain 
> circumstances; we have also seen this sort of behaviour from some 
> anti-malware plugins, and also from GMail in a lot of cases (it seems to have 
> a some sort of pre-download code on embedded links).  It took a long time to 
> track down the root cause as our users have such a diverse variety of mail 
> clients.
>
> This is an issue, and the only way I can see around it is to make the 
> one-time tickets a two-step process --
> 1. click on the one-time link
> 2. Presented with a single page with two buttons -- 'really approve it' or 
> 'cancel'
> 3. If you click a button, the ticket is removed
>
> This would work with the anti-malware products without too much issue, though 
> it means a bit more hassle on the Sympa front.

It's also a far safer behavior for the ticket -- people can misread 
links in a message, especially when there are more than one, so having a 
confirmation step only after which the token is invalidated is a better 
idea even without "ill-behaved" pre-fetches.