aaugustin/django-sesame

Outlook Web Access (OWA) previews expire one-time links

Closed this issue · 4 comments

Outlook Web Access uses a Bing crawler to perform some kind of preview of links for users. Unfortunately, this process also expires the django-sesame link before a user clicks on it. The crawling seems to take a few seconds, so sometimes a user can successfully use the link if they act quickly, but usually not.

I'm exploring ways to block the crawler from the site, but I thought I'd add this issue here for others experiencing reports of invalid one-time links.

:-(

Perhaps it would be best to blacklist the OWA preview User-Agent, i.e. reject the login and not expire the token.

I'm wary of accepting the login and not expiring the token. I think this could open a hole in the security model.

A quick Google search doesn't turn up the User-Agent that Office 365 uses. But this is reasonably easy to determine through testing.

Apparently email link scanning by, e.g., spam filters, is pretty common:

https://security.stackexchange.com/questions/66090/are-there-secure-alternatives-to-single-use-password-reset-links

It might be worth noting this in the docs.

When I send an email containing a link to a website that I control to my corporate Outlook mailbox, I see requests from IP addresses belonging to Microsoft before I even receive the email.

The crawler masquerades as Chrome on Windows 10.

Since it's for security purposes, it has to be indistinguishable from a regular user. Else, an attacker could send innocuous content to the crawler and nefarious content to regular users.

So I'm just going to document the pitfall.

Thanks for reporting this issue, and sorry I can't do better.