by BiteCode_dev
1768 days ago
Well, if you receive the URL using Gmail, Google will visit the link and execute the JS code. If you don't have a grace period, your secret will be unreadable before the human has a chance to get to it. Just saying that because, while at 0bin we have a 1 day default expiration delay, users can choose burn after reading. But we had to add a small grace period to allow for users to check the URL, reload by mistake, send via Gmail, etc. I think it's burn after reading by default, so it could affect you.
A standard workaround is to serve a page with a submit button on HTTP GET, and actually perform the login/unsubscribe/whatever on HTTP POST.
In the case of emails, one can also observe that email scanner bots run almost immediately after the email goes out. We can use this as a bot detection heuristic and make life a little easier for human users:
* if the login link is clicked within 5 minutes of the email being sent, treat it as possible bot activity and require the extra button press
* otherwise, assume the visitor is human, and auto-click the button via JS on page load
More context in this StackOverflow question: https://stackoverflow.com/questions/59281750/strategies-to-p...
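The GET-then-POST flow with the 5-minute scanner heuristic described in this comment, as an added example (not code from the comment's author or from any linked project); the in-memory token store, the `/confirm` path and the timestamps are constructed for illustration:

```python
import html

# Heuristic from the comment: a click within 5 minutes of the email going out
# is treated as possible link-scanner activity and gets no JS auto-submit.
GRACE_SECONDS = 5 * 60

# Constructed in-memory store: token -> issue time (epoch seconds) and used flag.
# A real deployment would keep this in a database; these values are made up.
TOKENS = {
    "tok-early": {"issued_at": 1_700_000_000, "used": False},
    "tok-late":  {"issued_at": 1_700_000_000, "used": False},
}


def is_probably_scanner(issued_at: float, now: float, grace: int = GRACE_SECONDS) -> bool:
    """True when the click arrives inside the grace window after sending."""
    return (now - issued_at) < grace


def handle_get(token: str, now: float) -> str:
    """GET never consumes the token; it only renders a form that POSTs back.
    Outside the grace window the page auto-submits, so a human needs no click."""
    rec = TOKENS.get(token)
    if rec is None or rec["used"]:
        return "<p>This link is invalid or has already been used.</p>"
    safe = html.escape(token, quote=True)  # token goes into an HTML attribute
    page = (
        '<form id="confirm" method="post" action="/confirm">'
        f'<input type="hidden" name="token" value="{safe}">'
        '<button type="submit">Continue</button></form>'
    )
    if not is_probably_scanner(rec["issued_at"], now):
        page += '<script>document.getElementById("confirm").submit();</script>'
    return page


def handle_post(token: str) -> dict:
    """POST performs the real action (login/unsubscribe) and burns the token."""
    rec = TOKENS.get(token)
    if rec is None or rec["used"]:
        return {"status": 400, "body": "invalid or already used token"}
    rec["used"] = True
    return {"status": 200, "body": "action performed"}
```

A scanner that fetches the GET page within the window only sees the form; the token is spent solely by the POST, so a prefetch no longer burns the link before the recipient reaches it.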