dspillett 9 days ago
> Wouldn't that be incredibly insecure?

If done naively with a simple magic link, yes.

> and if the user happens to click the link they've just given the attacker access to their account

Worse: if the user's UA "clicks the link" by making the GET request to generate a preview. The user might not even have opened the message for this to happen.

> Wouldn't that be incredibly insecure?

It can be mitigated somewhat by making the magic link go to a page that invites the user to click something that sends a POST request. In theory the preview loophole might come into play here if the UA tries to be really clever, but I doubt this will happen.

Another option is to give the user the option to transfer the session to the originating UA, or stay where they are, if you detect that a different UA is used to open the magic link, but you'd have to be careful wording this so as to not confuse many users.
Hackbraten 9 days ago (reply to dspillett)
> Worse: if the user's UA "clicks the link" by making the GET request to generate a preview.

You mean something like a popover preview that appears when the user hovers over a link? Isn't there a way to configure the `a` element so the UA knows that it shouldn't do that?