Automattic / jetpack

Security, performance, marketing, and design tools — Jetpack is made by WordPress experts to make WP sites safer and faster, and help you grow your traffic.
https://jetpack.com/

Setting to automatically confirm subscriptions #16639

Open CdrMarks opened 4 years ago

CdrMarks commented 4 years ago

Is your feature request related to a problem? Please describe.

When I'm replying to a blog post on a site with Jetpack Subscriptions enabled, I dislike that I need to confirm my subscription when I'm already logged in as a commenter.

Describe the solution you'd like

Create a setting at https://subscribe.wordpress.com/?option=settings that allows the confirmation step to be bypassed.

Describe alternatives you've considered

Additional context

I'm unsure if this can be abused. Not sure how often someone is spoofing another person's email address with subscription spam.

jeherve commented 4 years ago

> I'm unsure if this can be abused. Not sure how often someone is spoofing another person's email address with subscription spam.

That would indeed be one of my concerns with this. That would mean that one could add you as comment subscriber to all their posts once you've enabled that option.

Another concern I'd have would be the legality of such an option. This is basically bypassing double opt-in, and I'm not sure that's something that's allowed.

CdrMarks commented 4 years ago

In case it's useful, my use case for this feature is the make.wordpress.org P2s.

Maybe it is possible instead to turn on this bypass on a per URL basis? The user would specify each site's URL that should be allowed to bypass the confirmation.

The site allow list could support a few formats (to support multisite URLs):

- example.com
- subdomain.example.com
- *.example.com
- example.com/subdirectory

The user would still need to turn on this bypass feature in their settings and specify one or more URLs. The confirmation request email would be changed to a confirmation notification. If there were abuse in some way, the user could disable the feature entirely or remove one of the offending URLs.

How are confirmation requests handled today for blogs on wordpress.com?

jeherve commented 4 years ago

> How are confirmation requests handled today for blogs on wordpress.com?

They pretty much work the same way as for Jetpack sites as long as you are logged out. You see a subscription form where you can enter an email address.

We do, however, handle things differently when you subscribe to a site while being logged in to your WordPress.com account; in this case we do not show you an email field because we know your email address, and know that you are the owner of that email address. No one can subscribe you and abuse this, since they'd need to be able to log in to your WordPress.com account. We consequently do not need an extra confirmation in this case.

It may make more sense if we were able to do something like this on Jetpack sites as well; if you are logged in to WordPress.com, we know the email address you want to subscribe with and we skip the extra confirmation.

This would most likely be implemented as part of #758.
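A sketch of how the per-URL allow list proposed earlier in the thread could be matched, added here as an example and not code from Jetpack or WordPress.com. The names `site_allowed` and `confirmation_required` are hypothetical, and the sketch covers only the site-matching step: it does not establish who submitted the address, which is the abuse concern raised in the thread.

```python
from urllib.parse import urlsplit


def _split(value):
    """Parse an allow-list entry or site URL into (host, path)."""
    value = value.strip()
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
    except ValueError:
        return "", ""
    # .hostname drops any user-info and port and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    return host, parts.path.rstrip("/")


def site_allowed(site_url, allow_list):
    """True if site_url matches an entry in one of the four listed formats."""
    host, path = _split(site_url)
    if not host:
        return False
    for entry in allow_list:
        e_host, e_path = _split(entry)
        if e_host.startswith("*."):
            # Wildcard covers subdomains only, matched on a label boundary,
            # so "example.com.evil.test" and "evilexample.com" do not match.
            base = e_host[2:]
            host_ok = bool(base) and host.endswith("." + base)
        else:
            host_ok = bool(e_host) and host == e_host
        # Subdirectory entries match on a path-segment boundary,
        # so "/subdirectory-other" is not covered by "/subdirectory".
        path_ok = e_path == "" or path == e_path or path.startswith(e_path + "/")
        if host_ok and path_ok:
            return True
    return False


def confirmation_required(site_url, bypass_enabled, allow_list):
    """Default to the confirmation e-mail unless the user opted in for this site."""
    return not (bypass_enabled and site_allowed(site_url, allow_list))
```

Comparing the parsed host and path, not substrings of the raw URL, is what keeps look-alike hosts and sibling directories off the list.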