Someone recently asked why OWA rewrites external links in messages to go through redir.asp. For example, if you receive an HTML message with an embedded link to http://www.microsoft.com, OWA will actually rewrite the link to point to http://exchangeserver/exchweb/bin/redir.asp?URL=http://www.microsoft.com. But why does it do it?
It turns out that to not do that entails a bit of privacy risk. The DAV URL namespace makes use of both username and PIM item name. OWA is built on these URLs, so every time a user views some message, their web browser is making a request to a URL like http://exchangeserver/exchange/username/Inbox/Message.EML to retrieve it. Now, if that user were to follow a link embedded within the retrieved message, their web browser would happily send the origin page URL as a part of HTTP-REFERRER header. Most web sites log this header, so anyone looking at HTTP access log can infer the user's mailbox name (which in many companies maps trivially to user's actual name) and the subject line of that email message. But links redirected via redir.asp will show redir.asp in the HTTP-REFERRER, scrubbing both the username and subject line in process. Much better! Additionally, we make use of script within redir.asp to change document.location to the requested URL. This has the effect of certain versions of IE and Netscape sending no HTTP-REFERRER at all. Browsers which do not exhibit this behavior will continue sending redir.asp in the referrer field, which is still good as explained above.
- Alex Ingerman
