[wp-trac] [WordPress Trac] #50141: Data erasure/export links should notify the user that the action has already been confirmed

WordPress Trac noreply at wordpress.org
Tue May 12 05:36:39 UTC 2020


#50141: Data erasure/export links should notify the user that the action has
already been confirmed
--------------------------+------------------------------
 Reporter:  dd32          |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Privacy       |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:  administration
--------------------------+------------------------------

Comment (by dd32):

 Replying to [comment:5 garrett-eclipse]:
 > one question I have is would these scanners unintentionally confirm
 > requests triggering export/erasure without the user making any action?

 That's my understanding, although I'm yet to actually test such a scanner.
 It's been a long time since I've dealt with those systems, but I know they
 still exist within modern scanners.
 Here's an example thread where users were seeing Gmail doing something
 similar: https://support.google.com/mail/thread/16878288

 > I ask as I wonder if the confirmation screen then rather than
 > auto-confirming on load should instead provide a button to trigger
 > confirmation to ensure we're actually getting the user consent before
 > the request is considered confirmed.

 I've seen some forms where JavaScript automatically submits the form on
 the user's behalf when loading the page, which would work around most
 automated scanners.

 However, there's also a reasonable case to be made, that a user who
 '''doesn't''' want to erase their account may accidentally click a link
 (for example, copying it to ask "What?") or who is trying to figure out
 what the email is about. Requiring a final action from the user (such as
 clicking a confirm button on the followed link) would solve all of the
 above.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50141#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
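
The confirm-button flow discussed in this comment, as an added example that is not part of the original message and is not WordPress code: a GET on the emailed link only renders a form, and only a POST changes state. The names REQUESTS, create_request and handle are hypothetical and the store is an in-memory stand-in for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store: request_id -> {"key_hash", "status"}
REQUESTS = {}


def create_request(request_id):
    """Register a pending request and return the secret key mailed to the user."""
    key = secrets.token_urlsafe(20)
    REQUESTS[request_id] = {
        "key_hash": hashlib.sha256(key.encode()).hexdigest(),
        "status": "pending",
    }
    return key


def _key_ok(req, key):
    # Compare digests in constant time so the check does not leak key bytes.
    digest = hashlib.sha256(key.encode()).hexdigest()
    return hmac.compare_digest(digest, req["key_hash"])


def handle(method, request_id, key):
    """Return (http_status, body) for a hit on the emailed confirmation URL."""
    req = REQUESTS.get(request_id)
    if req is None or not _key_ok(req, key):
        return 403, "Invalid or expired confirmation link."
    if req["status"] == "confirmed":
        # The notice the ticket title asks for, instead of an error or a re-run.
        return 200, "This action has already been confirmed."
    if method == "GET":
        # Safe method: render the form only. A mail scanner that follows the
        # link lands here and the request stays pending.
        return 200, "<form method='post'><button>Confirm</button></form>"
    if method == "POST":
        # State changes only on the explicit button press.
        req["status"] = "confirmed"
        return 200, "Thanks, your request is confirmed."
    return 405, "Method not allowed."
```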

