[hedora]

It certainly does not require authentication. Have you used unsubscribe flows? Normally, you click once, it goes to a web page that displays your email address, and has an "I'm sure" button, and maybe some checkboxes to only partially unsubscribe.

If you really care about people being maliciously unsubscribed from marketing materials they forwarded around, then you can be one of the sites that sends a final "you have been unsubscribed" confirmation email.

[EGreg]

The "I'm sure" button is sensible since the session cookie confirms it's you. But that button requires a second click. That would violate the "single-click".

According to the "single click" requirement, merely visiting the page by clicking the link in your email should be enough to unsubscribe you. Meaning, the GET request, which normally shouldn't change server state, should change server state.

The major issue with that is, if you forward the email, you are giving the capability to anyone else to act as you. It's a horribly insecure model, it also breaks HTTP semantics, but at least you can limit it to the "unsubscribe" action, I guess. Could be worse. Google could require other "single click" actions that may modify your profile or withdraw money from your bank account.

The only mitigation I can see is that the "you've been unsubscribed" email is a transactional email, and can inform the user that "if it wasn't you, then click here to restore your subscription to this newsletter, and don't forward your emails anymore, because Google says someone can unsubscribe you anytime and we can't do anything about it."

PS: Ironically, Apple's newest ITP scrubs information from tracking links in emails, so in theory it would make it impossible to even track whose account to unsubscribe from. "It will do this by automatically detecting user-identifiable tracking parameters in URLs and removing them." Apple ITP anti-tracking requires you to explicitly log in before doing stuff as you. Google now requires the opposite. It's impossible to satisfy both. https://www.peelinsights.com/post/ios-17-disrupts-link-track...

[hedora]

They could also add an "oops! I didn't mean to unsubscribe; please resubscribe me" button to the landing page after you click. I've seen that before.

As for the Apple ITP thing, they implemented a thing that looks for known trackers and strips them from emails. You're saying that this thing is incorrectly breaking the URL parameter for the opt out links? Is there an example of them actually doing that? It sounds like it would be a bug if it is happening.

I've also noticed that many places interpret "one click opt out link" to mean you have to click once on the resulting page, technically making it two clicks, but also preserving HTTP get vs post semantics.

I suppose they could also make it two clicks for people that are using text-only mail clients and will therefore send a get, but to use HTML to arrange for it to be a post for everyone else.

[EGreg]

Apple has a history of gradually strengthening ITP until it breaks all the tabbos you'd never expect.

Today it strips ?utm=928931823 from abc.com/foo?utm=928931823 but tomorrow it can strip the 928931823 from abc.com/foo/928931823 leaving abc.com/foo ... after all it can just look at all the links arriving in mail, and use an algorithm to deduce the pattern abc.com/foo/:trackingId and simply mangle the URLs.

Think they'll never do it? They already deleted FIRST-PARTY cookies and much more!