[EGreg]

Unsubscribe HAS to require an authenticated session. What do they mean by “single click”?

Otherwise anyone who receives a forwarded email can unsubscribe you! Right?

At least we can email the peson to say they’ve been unsubscribed, as a transactional email? And give them a chance to resubscribe and prevent such unsubscriptions — or what?

Enable easy unsubscription: Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.

[hedora]

It certainly does not require authentication. Have you used unsubscribe flows? Normally, you click once, it goes to a web page that displays your email address, and has an "I'm sure" button, and maybe some checkboxes to only partially unsubscribe.

If you really care about people being maliciously unsubscribed from marketing materials they forwarded around, then you can be one of the sites that sends a final "you have been unsubscribed" confirmation email.

[EGreg]

The "I'm sure" button is sensible since the session cookie confirms it's you. But that button requires a second click. That would violate the "single-click".

According to the "single click" requirement, merely visiting the page by clicking the link in your email should be enough to unsubscribe you. Meaning, the GET request, which normally shouldn't change server state, should change server state.

The major issue with that is, if you forward the email, you are giving the capability to anyone else to act as you. It's a horribly insecure model, it also breaks HTTP semantics, but at least you can limit it to the "unsubscribe" action, I guess. Could be worse. Google could require other "single click" actions that may modify your profile or withdraw money from your bank account.

The only mitigation I can see is that the "you've been unsubscribed" email is a transactional email, and can inform the user that "if it wasn't you, then click here to restore your subscription to this newsletter, and don't forward your emails anymore, because Google says someone can unsubscribe you anytime and we can't do anything about it."

PS: Ironically, Apple's newest ITP scrubs information from tracking links in emails, so in theory it would make it impossible to even track whose account to unsubscribe from. "It will do this by automatically detecting user-identifiable tracking parameters in URLs and removing them." Apple ITP anti-tracking requires you to explicitly log in before doing stuff as you. Google now requires the opposite. It's impossible to satisfy both. https://www.peelinsights.com/post/ios-17-disrupts-link-track...

[hedora]

They could also add an "oops! I didn't mean to unsubscribe; please resubscribe me" button to the landing page after you click. I've seen that before.

As for the Apple ITP thing, they implemented a thing that looks for known trackers and strips them from emails. You're saying that this thing is incorrectly breaking the URL parameter for the opt out links? Is there an example of them actually doing that? It sounds like it would be a bug if it is happening.

I've also noticed that many places interpret "one click opt out link" to mean you have to click once on the resulting page, technically making it two clicks, but also preserving HTTP get vs post semantics.

I suppose they could also make it two clicks for people that are using text-only mail clients and will therefore send a get, but to use HTML to arrange for it to be a post for everyone else.

[EGreg]

Apple has a history of gradually strengthening ITP until it breaks all the tabbos you'd never expect.

Today it strips ?utm=928931823 from abc.com/foo?utm=928931823 but tomorrow it can strip the 928931823 from abc.com/foo/928931823 leaving abc.com/foo ... after all it can just look at all the links arriving in mail, and use an algorithm to deduce the pattern abc.com/foo/:trackingId and simply mangle the URLs.

Think they'll never do it? They already deleted FIRST-PARTY cookies and much more!

[nottorp]

> Otherwise anyone who receives a forwarded email can unsubscribe you! Right?

Yes, I have nightmares where I dream that someone else unsubscribes me from all those informative mailing lists that I NEVER OPTED IN TO.

[EGreg]

Straw man much?

I subscribe to receive emails or newsletters. I forward them to someone. They unsubscribe me. I stop getting them. I wonder what happens and blame the site. They couldn't even inform me what happened.

Developers are supposed to make the correct security architecture for things. Letting anyone who gets your forwarded email take actions as you on the site without any further authentication, is not the right security model.