Bug 193502 - ITP 2.0 breaks legitimate use-case: Django password reset
Summary: ITP 2.0 breaks legitimate use-case: Django password reset
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2019-01-16 11:59 PST by René Fleschenberg
Modified: 2019-02-26 14:32 PST
CC List: 4 users

See Also:
Description René Fleschenberg 2019-01-16 11:59:06 PST
Hi all.

On its password reset page, Django (https://www.djangoproject.com/) does an
internal redirect to avoid leaking the password reset token via the referer
header. This does not seem to work with recent Safari versions if there is an
additional prior redirect by a third party.

In my case, users who use Safari in combination with Gmail are unable to use
the password reset feature. The password reset links I send to my users do not
point at any kind of tracker / redirect, but I suspect that Gmail replaces
those links with links to some kind of redirect service. But still, if I
understand https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/
correctly, in this situation ITP should not kick in? But it seems to do so 
nonetheless.

Ticket on the Django bugtracker: https://code.djangoproject.com/ticket/29975

Discussion on the django-developers ML:
https://groups.google.com/forum/#!topic/django-developers/RyDdt1TcH0c
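To make the mechanism in the report concrete, here is a framework-free model of the two-step password-reset confirm flow the reporter describes: the first request carries the token in the URL, the server validates it, stashes it in the session and redirects to a URL whose token segment is a fixed placeholder, so later Referer headers only ever expose the placeholder. This is an added illustration written for this page, not Django's code; the HMAC token derivation, the in-memory session store, the `simulate` helper and the sample secret are all constructed here, and the placeholder / session-key names are modelled on Django's but the implementation is ours. The second scenario shows the failure mode from the report: if the browser does not send the session cookie back on the redirected request, the server cannot recover the token and reports the link as invalid.

```python
"""
Model of a token-hiding password-reset redirect (added example, not Django's code).

Flow:
  GET /reset/<uid>/<token>/        -> validate, store token in session, 302 to
  GET /reset/<uid>/set-password/   -> read token from session, re-validate, show form
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed values for the example; a real deployment derives these from settings.
SECRET_KEY = b"constructed-secret-for-the-example"
RESET_URL_TOKEN = "set-password"            # placeholder that replaces the real token
SESSION_TOKEN_KEY = "_password_reset_token"  # session slot holding the real token

# In-memory session store keyed by the session cookie value (stand-in for a backend).
SESSIONS: Dict[str, Dict[str, str]] = {}


def make_token(uid: str) -> str:
    """Derive a reset token bound to the user id (HMAC here, not Django's hasher)."""
    return hmac.new(SECRET_KEY, uid.encode(), hashlib.sha256).hexdigest()[:32]


def check_token(uid: str, token: str) -> bool:
    """Constant-time comparison so token guessing gains nothing from timing."""
    return hmac.compare_digest(make_token(uid), token)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""
    set_cookie: Optional[str] = None


def reset_confirm(uid: str, token: str, cookies: Dict[str, str]) -> Response:
    """Handle GET /reset/<uid>/<token>/ for both steps of the flow."""
    if token != RESET_URL_TOKEN:
        # Step 1: token is in the URL. Validate, move it into the session and
        # redirect to the placeholder URL so the token never reaches a Referer.
        if not check_token(uid, token):
            return Response(400, body="invalid link")
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {SESSION_TOKEN_KEY: token}
        return Response(302, location=f"/reset/{uid}/{RESET_URL_TOKEN}/", set_cookie=sid)

    # Step 2: URL carries only the placeholder; the real token must come from the
    # session. If the browser did not send the session cookie back, there is
    # nothing to validate and the link is reported invalid.
    sid = cookies.get("sessionid")
    session = SESSIONS.get(sid, {}) if sid else {}
    stored = session.get(SESSION_TOKEN_KEY)
    if stored and check_token(uid, stored):
        return Response(200, body="show set-password form")
    return Response(400, body="invalid link")


def simulate(uid: str, browser_keeps_cookies: bool) -> int:
    """Drive both requests and return the final HTTP status."""
    first = reset_confirm(uid, make_token(uid), cookies={})
    assert first.status == 302 and first.set_cookie is not None
    # A browser that drops the Set-Cookie from the redirect response arrives
    # at step 2 with no session, which is the symptom described in the report.
    cookies = {"sessionid": first.set_cookie} if browser_keeps_cookies else {}
    return reset_confirm(uid, RESET_URL_TOKEN, cookies).status


if __name__ == "__main__":
    print("cookies kept:   ", simulate("42", browser_keeps_cookies=True))   # 200
    print("cookies dropped:", simulate("42", browser_keeps_cookies=False))  # 400
```

The design point is that the pattern depends entirely on the session cookie surviving the redirect: the placeholder URL carries no secret by design, so any client-side policy that withholds the cookie on the second request turns a valid link into "invalid link" rather than into a leak.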
Comment 1 Radar WebKit Bug Importer 2019-01-16 23:37:28 PST
<rdar://problem/47342711>