Hacker News
by plz-remove-card 894 days ago
> > Microsoft clicks all links in emails for "security" purposes.

> SOP. Many email providers do this.

Heh, are they inadvertently unsubscribing folks from newsletters by making requests to the "Unsubscribe" links too?

Most Unsubscribe pages I've seen recently appear to be a two-or-more-step process, but I'm sure there are some folks out there making unsubscribe pages that do the thing on the initial GET request alone... (not justifying making a GET perform a side effect, just saying it's interesting.)

2 comments

How would making a POST or PUT request to the endpoint logging the user in / unsubscribing from the newsletter change the problem at hand?
GET requests are supposed to be safe[0]. If you have an unsubscribe link, you click that link, it makes a GET request, then unsubscribes the user, that GET request is no longer safe.

How I've seen developers approach this is that the initial GET request loads a form and requires that the user click something once more, to then submit a POST request and confirm the unsubscribe action.

[0] https://developer.mozilla.org/en-US/docs/Glossary/Safe/HTTP
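The GET-then-POST pattern described in the comment above, as an added example that is not part of the original thread: a mail scanner that follows the link only reaches the side-effect-free GET branch. The `handle` function, the HMAC-signed token and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import html

SECRET = b"constructed-demo-key"  # assumption: per-deployment signing secret
subscribers = {"alice@example.com", "bob@example.com"}  # constructed sample data


def make_token(email: str) -> str:
    """Sign the address so a link cannot be rewritten for another recipient."""
    return hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()


def handle(method: str, email: str, token: str) -> tuple[int, str]:
    """Hypothetical /unsubscribe handler; returns (status, body)."""
    if not hmac.compare_digest(token, make_token(email)):
        return 403, "invalid link"
    if method in ("GET", "HEAD"):
        # Safe methods: render a confirmation form and change no state.
        # Link scanners and prefetchers stop here.
        safe_email = html.escape(email, quote=True)
        form = (
            '<form method="post">'
            f'<input type="hidden" name="email" value="{safe_email}">'
            f'<input type="hidden" name="token" value="{token}">'
            "<button>Confirm unsubscribe</button></form>"
        )
        return 200, form
    if method == "POST":
        # Only the explicit form submission performs the side effect.
        subscribers.discard(email)
        return 200, "unsubscribed"
    return 405, "method not allowed"


if __name__ == "__main__":
    tok = make_token("alice@example.com")
    print(handle("GET", "alice@example.com", tok)[0], sorted(subscribers))
    print(handle("POST", "alice@example.com", tok), sorted(subscribers))
```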

Unsubscribe links are supposed to always be accompanied by a header with the same URL, X-Unsubscribe or something like that. I guess sneaky malware could make the unsubscribe link a bad link, using the header to prevent clicking by the receiving server.

You're right, this is interesting, something I have wondered about before.