Force Discourse to not visit a link

Hi,

I’m using the API to create PMs. The content can contain HTML, with links as well. Among those links, some of them are one-click action links. Basic link example: `<a href="https://" target="_blank">..</a>`

The issue is discourse visits any links and triggers those one-click actions.

How do you prevent that? I’m not sure what feature is responsible for that.
Is there some allowed hint we can insert in the HTML to tell Discourse to ignore a link?
Or is there an option I missed?

Note: currently I added a check in the backend to ignore Discourse’s visit, but if possible I would like to avoid relying on this.

Thanks!

You are not supposed to code a link that takes an action by simply visiting the link. That is widely considered exploitable in various ways. The user needs to explicitly confirm the action.

2 Likes

The context is basically that users subscribe to notifications and, for legal reasons, you are required to append links to allow them to unsubscribe from the current notification or from all notifications. Those specific links must be one-click actions without the extra steps (login, confirmation, etc.). Those links use a generated token and you can’t exploit them. Users will see the message with those links in their private inbox (Discourse, or others such as Gmail); confirmation is unwanted for that and not going to help.

My question still stands: is there a way to tell Discourse not to visit a link? Either through HTML or options?

Regardless of the context, it’s actually interesting to know. If it doesn’t exist, having an option to blacklist domains/URLs to avoid unnecessary requests would be quite welcome.

Again: you cannot do that. There are also browser(extension)s and virus scanners that previsit / preload links they encounter on a page.

Any request that causes an actual change on a server must be a POST request per the HTTP specification. So if you have a link, you must lead it to a web page containing a button that performs a POST request. Any other way will lead to obscure issues.

Who says they must be? It is pretty normal for unsubscribe links to lead to a confirmation webpage - for the exact reason I stated above.

7 Likes
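The pattern recommended above (a safe GET that only renders a confirmation, and a POST that performs the unsubscribe), as an added example that is not code from this thread or from Discourse. It uses only the standard library; the token table and subscription store are constructed in-memory data standing in for a real database, and `handle` is a hypothetical request handler in place of a web framework.

```python
import hmac
import html
from urllib.parse import parse_qs

# Constructed sample data: token -> (user, topic to unsubscribe, or None for "all").
TOKENS = {
    "tok-alice-42": ("alice", "topic-42"),
    "tok-alice-all": ("alice", None),
}
SUBSCRIPTIONS = {"alice": {"topic-42", "topic-7"}}


def _lookup(token):
    # Constant-time comparison against each known token, so the check does not
    # leak how many leading characters of a guessed token matched.
    for known, owner in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return owner
    return None


def handle(method, path, query="", body=""):
    """Return (status, body) for the unsubscribe endpoint."""
    if path != "/unsubscribe":
        return 404, "not found"
    if method not in ("GET", "POST"):
        return 405, "method not allowed"
    params = parse_qs(query if method == "GET" else body)
    token = params.get("token", [""])[0]
    owner = _lookup(token)
    if owner is None:
        return 400, "invalid or expired token"
    user, topic = owner
    if method == "GET":
        # Safe method: render the form and change nothing. Link previews,
        # mail scanners and browser prefetchers stop here.
        what = f"topic {topic}" if topic else "all notifications"
        return 200, (
            '<form method="post" action="/unsubscribe">'
            f'<input type="hidden" name="token" value="{html.escape(token)}">'
            f"<button>Unsubscribe from {html.escape(what)}</button></form>"
        )
    # POST: the only method that actually changes state. The token is still
    # required, so a confirmation page cannot be forged without it.
    subs = SUBSCRIPTIONS.setdefault(user, set())
    if topic is None:
        subs.clear()
    else:
        subs.discard(topic)
    return 200, "unsubscribed"
```

The GET response carries the same token in a hidden field, so the user's single click on the button is the only extra step.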

It’s actually quite a solid reason. I did not think about that. :thinking:

Foremost, my client. :smile:
Actually I did a form first, but he wanted a one-click action link.

But you made a very valid point, thanks for pointing this out to me!

7 Likes