[Webkit-unassigned] [Bug 193502] New: ITP 2.0 breaks legitimate use-case: Django password reset
bugzilla-daemon at webkit.org
Wed Jan 16 11:59:06 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=193502
Bug ID: 193502
Summary: ITP 2.0 breaks legitimate use-case: Django password reset
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rene at fleschenberg.net
Hi all.
On its password reset page, Django (https://www.djangoproject.com/) does an
internal redirect to avoid leaking the password reset token via the referer
header. This does not seem to work with recent Safari versions if there is an
additional prior redirect by a third party.
In my case, users who use Safari in combination with Gmail are unable to use
the password reset feature. The password reset links I send to my users do not
point at any kind of tracker / redirect, but I suspect that Gmail replaces
those links with links to some kind of redirect service. But still, if I
understand https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/
correctly, in this situation ITP should not kick in? But it seems to do so
nonetheless.
Ticket on the Django bugtracker: https://code.djangoproject.com/ticket/29975
Discussion on the django-developers ML:
https://groups.google.com/forum/#!topic/django-developers/RyDdt1TcH0c
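The following is an added example, not part of the original report and not Django's or WebKit's code: a simplified model of the token-to-session redirect described above, showing that the second request can only succeed if the browser sends back the session cookie set on the first. The class, function, session key and placeholder names are assumptions, and the token is a constructed sample value.

```python
import secrets

SESSION_KEY = "reset_token"   # hypothetical session key name
PLACEHOLDER = "set-password"  # hypothetical fixed URL segment that replaces the token


class Server:
    """Toy server implementing the two-step reset flow."""

    def __init__(self, valid_token):
        self.valid_token = valid_token
        self.sessions = {}  # session id -> session data

    def handle(self, path, cookie=None):
        """Return (status, redirect target or body, session cookie to set)."""
        token = path.rstrip("/").rsplit("/", 1)[-1]
        if token != PLACEHOLDER:
            # Step 1: the real token is in the URL. Park it in the session and
            # redirect to a token-free URL so it cannot leak via Referer.
            if not secrets.compare_digest(token, self.valid_token):
                return 400, "invalid link", None
            sid = cookie if cookie in self.sessions else secrets.token_hex(16)
            self.sessions.setdefault(sid, {})[SESSION_KEY] = token
            return 302, path.replace(token, PLACEHOLDER), sid
        # Step 2: the URL carries only the placeholder, so the token must come
        # from the session identified by the cookie.
        stored = self.sessions.get(cookie, {}).get(SESSION_KEY)
        if stored is not None and secrets.compare_digest(stored, self.valid_token):
            return 200, "show new-password form", None
        return 400, "invalid link", None


def follow_reset_link(server, path, browser_keeps_cookie):
    """Simulate a browser following the link; return (final path, final status)."""
    status, target, set_cookie = server.handle(path)
    if status != 302:
        return path, status
    # A browser that discards the cookie set on the redirect response
    # arrives at step 2 without a session.
    cookie = set_cookie if browser_keeps_cookie else None
    return target, server.handle(target, cookie)[0]


if __name__ == "__main__":
    srv = Server("5a1-constructedtoken")  # constructed sample token
    link = "/reset/MQ/5a1-constructedtoken/"
    print(follow_reset_link(srv, link, browser_keeps_cookie=True))
    print(follow_reset_link(srv, link, browser_keeps_cookie=False))
```

When diagnosing a report like this one, the symptom to look for in server logs is a 302 on the token URL followed by a request to the placeholder URL that carries no session cookie.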