Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/bert_hubert/statuses/113877518487834032">bert hubert 🇺🇦🇪🇺 (bert_hubert@fosstodon.org)'s status on Friday, 24-Jan-2025 02:23:19 JST</a><a href="https://fosstodon.org/@bert_hubert" title="bert_hubert@fosstodon.org"><img src="https://gnusocial.jp/avatar/91208-48-20230123121904.webp" width="48" height="48" alt="bert hubert 🇺🇦🇪🇺" style="position: absolute; left: 0; top: 0;">bert hubert 🇺🇦🇪🇺</a></section><article><p>Yesterday a user told me they couldn't log in to my parliamentary monitoring site. On investigating, I found that Microsoft email security was logging in on behalf of my user by executing a POST. This broke the single-use sign-on link. Executing POSTs is usually considered unacceptable, and in this way Microsoft again transgresses an important norm. Here's how to deal with the specific POST problem &amp; what might be done about these transgressions in general: <br><a href="https://berthub.eu/articles/posts/shifting-cyber-norms-microsoft-post/" rel="nofollow noreferrer">https://berthub.eu/articles/posts/shifting-cyber-norms-microsoft-post/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4433841#notice-8674758">In conversation</a><time datetime="2025-01-24T02:23:19+09:00" title="Friday, 24-Jan-2025 02:23:19 JST">about a month ago</time> <span>from <span><a href="https://fosstodon.org/@bert_hubert/113877518487834032" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@bert_hubert/113877518487834032">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: berthub.eu</div><h5><a href="https://berthub.eu/articles/posts/shifting-cyber-norms-microsoft-post/">Shifting Cyber Norms: Microsoft security POST-ing to you - Bert Hubert's writings</a></h5><div></div></header><div>tl;dr: Microsoft and other email security scanners will visit the links in email you transmit, and run the JavaScript in those links, including calls that lead to POSTs going out. This used to be unacceptable, since POSTs have side effects. Yet here we are. This breaks even somewhat sophisticated single-use sign-on / email confirmation messages. Read on for how to deal with this, and some thoughts on how we should treat gatekeepers like Microsoft that can randomly break things &amp; get away with it.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
bert hubert 🇺🇦🇪🇺 (bert_hubert@fosstodon.org)'s status on Friday, 24-Jan-2025 02:23:19 JST bert hubert 🇺🇦🇪🇺
Yesterday a user told me they couldn't log in to my parliamentary monitoring site. On investigating, I found that Microsoft email security was logging in on behalf of my user by executing a POST. This broke the single-use sign-on link. Executing POSTs is usually considered unacceptable, and in this way Microsoft again transgresses an important norm. Here's how to deal with the specific POST problem & what might be done about these transgressions in general:
https://berthub.eu/articles/posts/shifting-cyber-norms-microsoft-post/
In conversationabout a month ago from fosstodon.orgpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: berthub.eu
  Shifting Cyber Norms: Microsoft security POST-ing to you - Bert Hubert's writings
  tl;dr: Microsoft and other email security scanners will visit the links in email you transmit, and run the JavaScript in those links, including calls that lead to POSTs going out. This used to be unacceptable, since POSTs have side effects. Yet here we are. This breaks even somewhat sophisticated single-use sign-on / email confirmation messages. Read on for how to deal with this, and some thoughts on how we should treat gatekeepers like Microsoft that can randomly break things & get away with it.

Public

Embed Notice

HTML Code

Corresponding Notice