On 2/23/19 7:35 AM, Collin Anderson wrote:
> I wouldn't mind just rolling back the security fix (or maybe making a
> straightforward way to enable/disable the behavior). We could instead
> encourage people to use <a rel="noreferrer"> on any links (from the
> password reset page) to untrusted urls.
I don't think it would be controversial to add the rel="noreferrer" part
to the docs no matter what choice we make about the other functionality.
--
Curtis
> On Friday, February 22, 2019 at 5:03:01 AM UTC-5, Henrik Ossipoff Hansen
> wrote:
>
> Just wanted to chime in and say we also experienced this issue. We
> ended up having to revert the security fix that was added to the
> view in Django just to avoid the flood of customers reporting they
> couldn't reset their passwords on our apps anymore - so I'm assuming
> this affects a lot of users out there.
>
> On Thursday, 21 February 2019 at 14:48:45 UTC+1, Mat Gadd wrote:
>
> You can see this in action yourself using Chrome's Dev Tools.
> Open Dev Tools, then their Settings, and turn on "Auto-open
> DevTools for popups". Then, click any link in the Gmail web app.
> You'll see you go via google.com/url?q=original_url_here
> <http://google.com/url?q=original_url_here>. Since they're doing
> this with JavaScript, the links look like they're going to open
> the real URL, but they /don't./
> <https://code.djangoproject.com/ticket/29975> regarding
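The rel="noreferrer" suggestion above is the kind of thing that is easy to forget on one template and catch nowhere. As an added example (not Django's code or anything from this thread), here is a small audit that scans rendered HTML for anchors pointing at hosts other than your own that lack rel="noreferrer"; the sample page, the `example.com` host set and the partner URL are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collects the attribute dicts of every <a> start tag."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # attrs is a list of (name, value); value is None for bare attributes
            self.anchors.append(dict(attrs))


def find_leaky_links(html, own_hosts):
    """Return hrefs of off-site links that would send a Referer.

    A link is flagged when it is absolute (has a netloc), its host is not in
    own_hosts, and its rel attribute does not contain the noreferrer token.
    Relative links, mailto: links and same-site links are ignored.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    leaky = []
    for attrs in parser.anchors:
        href = attrs.get("href")
        if not href:
            continue
        parts = urlsplit(href)
        if not parts.netloc:  # relative path, fragment, mailto:, etc.
            continue
        if parts.hostname in own_hosts:
            continue
        rel_tokens = (attrs.get("rel") or "").lower().split()
        if "noreferrer" not in rel_tokens:
            leaky.append(href)
    return leaky


# Constructed sample: a password-reset confirm page with a mix of links.
SAMPLE_PAGE = """
<h1>Set a new password</h1>
<a href="/accounts/login/">Back to login</a>
<a href="https://example.com/help/">Help</a>
<a href="https://support.partner-example.net/help">Partner support</a>
<a href="https://status.partner-example.net/" rel="noopener noreferrer">Status</a>
<a href="mailto:support@example.com">Email us</a>
"""

if __name__ == "__main__":
    print(find_leaky_links(SAMPLE_PAGE, {"example.com"}))
```

Run it against the rendered output of your reset templates (for example from a test client response) and fail the test when the list is non-empty.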