unwanted URL appended to redirection url

Question

We have a asp.net web application will send a confirmation email with redirection url to users email once they confirm the registration. But while sending the url, the url "https://exchcas/owa/redir.aspx?C=cUl43mOPekKnIMaLWRr1yZSp78A6N9EIC9oVlRLrzMFpuM-1UucMKAHOqY5VYM297Nr6m36XwhM.&URL=" will be appended to our url.

for example,

our redirection url is http://localhost:63554/Reg.aspx

the url will be send some thing like below,

https://exchcas/owa/redir.aspx?C=cUl43mOPekKnIMaLWRr1yZSp78A6N9EIC9oVlRLrzMFpuM-1UucMKAHOqY5VYM297Nr6m36XwhM.&URL=http://localhost:63554/Reg.aspx.

Can anyone pls let me know why this append happening? and what is the meaning of this appened url?

Answer 1

This is a standard Exchange behavior for security reasons. Available in Exchange 2003/2010 (not sure about 2013). In OWA email is located at .../username/inbox/message.eml. If user clicks on direct url such as http://localhost:63554/Reg.aspx then on that link you could read HTTP_REFERER value and obtain "/username/inbox/message.eml". So, the purpose of having redir.aspx is to avoid sharing a username and email subject as a part of HTTP_REFERER.

Read more here http://blogs.technet.com/b/exchange/archive/2004/07/26/197289.aspx

You can also take a look here http://blog.leederbyshire.com/2013/03/28/how-to-make-your-outlook-web-app-2010-redir-aspx-a-little-safer/

Answer 2

I wrote a skip-owa-redir userscript that replaces each indirect redir.aspx link with a direct link to the target URL, using rel="noreferrer" to address the privacy concern.