fix(dav): Prevent email link scanners from triggering invitation accept/decline #58746

Open
Sam428-png wants to merge 1 commit into nextcloud:master from Sam428-png:fix/safe-links-invitation-response

@Sam428-png

Summary

Email security scanners (e.g. Microsoft Exchange Safe Links / ATP) crawl all URLs in emails via GET requests. This inadvertently triggers both the accept and decline endpoints for calendar invitations simultaneously, causing meetings to be accepted or declined before the user can respond.

  • accept() and decline() no longer process the iTip response directly — they now show a confirmation page with the appropriate option preselected
  • The actual action is only performed via POST through processMoreOptionsResult(), which scanners never trigger (they only issue GET/HEAD requests)
  • Updated template with a compact segmented control UI using Nextcloud CSS variables for a native look

This follows the industry-standard approach (RFC 8058, Microsoft Actionable Messages): GET requests should never perform state-changing actions. Google Calendar, Zimbra, SOGo, and Baikal all avoid GET-based accept/decline — they use .ics attachments and iMIP instead.

Test plan

  • Click accept link in invitation email → confirmation page shown with "Accept" preselected
  • Click decline link in invitation email → confirmation page shown with "Decline" preselected
  • Click "Save" on confirmation page → invitation response processed correctly
  • Verify email link scanners (Safe Links) no longer trigger accept/decline via GET
  • Verify the "More options" flow still works as before

@Sam428-png Sam428-png requested a review from a team as a code owner March 6, 2026 10:23
@Sam428-png Sam428-png requested review from Altahrim, come-nc, leftybournes and salmart-dev and removed request for a team March 6, 2026 10:23
@Sam428-png Sam428-png force-pushed the fix/safe-links-invitation-response branch from 21d5308 to aecaf5f Compare March 6, 2026 10:47
Contributor

@come-nc come-nc left a comment

Sounds crazy to me to have an email client click all the links in all emails.
It feels a bit sad to worsen the experience of everyone because of this.
But I do not know enough about the industry standards spoken about to judge. I will let colleagues more familiar with email and calendar give their opinions.

Regarding the content of the PR, the block of styling in the template should be removed, the page should just use the same styling as similar pages.

…pt/decline

Email security tools (Exchange Safe Links, ATP, Barracuda, etc.) follow
all links in emails, which triggers the accept/decline GET endpoints and
processes the invitation response without user intent.

This changes accept/decline to show a confirmation page instead of
immediately processing. The actual response is only sent via POST when
the user clicks Save. The options page reuses the existing
schedule-response CSS and HTML structure.

Signed-off-by: Sam Ditmeijer <sam.ditmeijer@surf.nl>
@Sam428-png Sam428-png force-pushed the fix/safe-links-invitation-response branch from aecaf5f to 4928f6e Compare March 9, 2026 12:36
@Sam428-png
Author

Thanks for the review! Inline styles are removed, it now reuses the existing schedule-response.css.

About the Safe Links issue — yeah it's a frustrating situation. But it's pretty standard across enterprise mail environments (Exchange ATP, Barracuda, Mimecast etc.) to follow all links on delivery. That means any GET endpoint with side effects gets triggered before the user even opens the email. Google Calendar and Outlook deal with this the same way — require a POST for the actual action.

Happy to hear what the email/calendar colleagues think!
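
Added example, not part of the PR or of Nextcloud's code: a framework-free Python model of the behaviour described in the PR summary, the commit message and the reply above, with a handler that commits on GET beside one that only renders a confirmation form on GET/HEAD and commits on POST. The handler names, the token and the `partStat` form field are constructed for illustration; the scanner is modelled as issuing HEAD and GET against both links.

```python
# Added example: framework-free model of the GET-confirm / POST-commit split.
# Handler names, the token and the "partStat" form field are constructed.
PARTSTAT = {"accept": "ACCEPTED", "decline": "DECLINED"}

def legacy_handle(store, method, action, token, form=None):
    """'Before': following the emailed link commits the response."""
    if token not in store or action not in PARTSTAT:
        return 404, ""
    if method in ("GET", "HEAD"):
        store[token] = PARTSTAT[action]  # state change on a safe method
        return 200, "Response saved"
    return 405, ""

def hardened_handle(store, method, action, token, form=None):
    """'After': GET/HEAD only render the form; POST commits the choice."""
    if token not in store or action not in PARTSTAT:
        return 404, ""
    if method in ("GET", "HEAD"):
        radios = "".join(
            f'<input type="radio" name="partStat" value="{name}"'
            f'{" checked" if name == action else ""}>{name}'
            for name in PARTSTAT)
        return 200, f'<form method="post">{radios}<button>Save</button></form>'
    if method == "POST":
        choice = (form or {}).get("partStat")
        if choice not in PARTSTAT:
            return 400, "invalid choice"
        store[token] = PARTSTAT[choice]
        return 200, "Response saved"
    return 405, ""

def scanner_crawl(handler, store, token):
    """Model a link scanner: HEAD then GET on every link in the mail."""
    for action in ("accept", "decline"):
        for method in ("HEAD", "GET"):
            handler(store, method, action, token)
    return store[token]

def demo():
    token = "constructed-token"
    before = scanner_crawl(legacy_handle, {token: "NEEDS-ACTION"}, token)
    store = {token: "NEEDS-ACTION"}
    after = scanner_crawl(hardened_handle, store, token)
    _, page = hardened_handle(store, "GET", "accept", token)
    hardened_handle(store, "POST", "accept", token, {"partStat": "accept"})
    return before, after, 'value="accept" checked' in page, store[token]

if __name__ == "__main__":
    print(demo())  # legacy crawl state, hardened crawl state, preselect, final
```

In the legacy model the last link crawled decides the stored response, so the outcome depends on link order in the mail rather than on the recipient.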
