
https://www.zdnet.com/article/some-email-clients-are-vulnerable-to-attacks-via-m...

https://security.stackexchange.com/questions/235427/what-are-the-dangers-of-a-ma...

https://adamsilver.io/blog/the-trouble-with-mailto-email-links-and-what-to-do-in...

Back in your court. Do I have to provide 3 more? I can.

Please educate and save you and your customers future issues.

Why do you defend "mailto" to the grave? Does it give you identifying information? What is your benefit?

Your argument that it is "convenient for the customer" is not true. I am already signed into my email, yet your system forces me to re-sign in.

AND, it is a dubious system whether you believe it or not.

(2 edits) (+2)

yet your system forces me to re-sign in.

A mailto link isn’t a system. If you have multiple e-mail clients, it is your system that is simply poorly configured.

Your first link refers to four vulnerabilities in different software that are now all patched.

The exploit in your second link relies on the attacked actually pressing the Send button, revealing their preferred e-mail address. How do you expect Itch to know to whom they are speaking without knowing your address?

The third link isn’t even a vulnerability.

The first link speaks of some serious stuff, but if some implementations having vulnerabilities is enough to throw away an entire protocol, then we would’ve thrown away HTTP because some servers are prone to path traversal. The article is from 2020, anyway.

Lastly, the mailto link is visible to everyone: mailto:support@itch.io. No attach parameter, no nothing.
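Added example, not part of the thread or any poster's words: a small Python check that parses a mailto link and lists everything it carries beyond the address, which is the inspection the reply above does by eye. The `example.test` links and the placeholder path are constructed samples, and the function names are hypothetical.

```python
from urllib.parse import unquote

# Fields a mail client commonly pre-fills from a mailto link (RFC 6068).
COMMON_FIELDS = {"to", "cc", "bcc", "subject", "body"}
ADDS_RECIPIENTS = {"to", "cc", "bcc"}


def parse_mailto(uri):
    """Split a mailto URI into (recipients, [(field, value), ...])."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto URI: %r" % uri)
    rest = rest.split("#", 1)[0]          # drop any fragment
    addr_part, _, query = rest.partition("?")
    recipients = [unquote(a).strip() for a in addr_part.split(",") if a.strip()]
    fields = []
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        # Field names are case-insensitive; '+' is not a space in mailto.
        fields.append((unquote(name).lower(), unquote(value)))
    return recipients, fields


def audit_mailto(uri):
    """Return findings; an empty list means nothing beyond address/subject."""
    recipients, fields = parse_mailto(uri)
    findings = []
    if not recipients and not any(n == "to" for n, _ in fields):
        findings.append("no recipient")
    for name, value in fields:
        if name not in COMMON_FIELDS:
            findings.append("non-standard field '%s' = %r" % (name, value))
        elif name in ADDS_RECIPIENTS:
            findings.append("extra recipient via '%s': %s" % (name, value))
        elif name == "body":
            findings.append("pre-filled body (%d chars)" % len(value))
    return findings


# The link quoted in the thread, plus two constructed samples for contrast.
SAMPLES = [
    "mailto:support@itch.io",
    "mailto:help@example.test?subject=Hi&bcc=other@example.test",  # constructed
    "mailto:help@example.test?Attach=%2Fplaceholder%2Fpath",       # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_mailto(s) or "nothing beyond the address")
```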

(+1)

I'm defending a little something called truth. You keep trying to accuse itch.io of I'm not sure what, using sources you clearly didn't read and didn't understand. No need to "believe" anything. Learn to use your own sources.

(+1)

No need, just read those articles and try to actually understand what they're saying. You are not and can't be in danger simply from clicking such a link, even by mistake. Especially not on a trusted website. Reading comprehension, what a concept.