
Advice for making Devise work with Outlook Safelinks #5795

@alexanderholder

Description

Hey team, looking for help with what we can do with Devise to handle Outlook Safelinks.

From what I understand, Safelinks takes any href out of an email and transforms it into something like https://nam02.safelinks.protection.outlook.com/?url=devise_password_reset_link_here.

This means that when such a link (for example a Devise password reset) is clicked, the referrer/origin is the Safelinks URL, which currently triggers Rails CSRF protection, and the password reset made by the user is a bad request.

I see two solutions here and am trying to understand which is correct. I figured other business app users are going to have the same issue.

  1. Disable rails CSRF on the password reset controller method - but this seems potentially dangerous?
  2. Check the origin and allow it if it is from safelinks?
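
Added example (not Devise's or Rails' code, and not from the poster): a plain-Ruby sketch of what option 2 involves if it is pursued. It unwraps the `url` parameter from a Safelinks-style link, and contrasts a naive substring check on the `Origin` header with a strict one that parses the header and matches the host exactly. The app URL `https://app.example.com`, the `abcXYZ` token, and the helper names are assumptions for the example; the regional host `nam02.safelinks.protection.outlook.com` is the one quoted above.

```ruby
require 'uri'

# Constructed sample of a Safelinks-wrapped Devise reset link (placeholder token,
# not a real one): the original href is carried URL-encoded in the "url" parameter.
SAFELINKS_LINK = 'https://nam02.safelinks.protection.outlook.com/?' \
                 'url=https%3A%2F%2Fapp.example.com%2Fusers%2Fpassword%2Fedit' \
                 '%3Freset_password_token%3DabcXYZ&data=01%7C02%7C'

# Origin the hypothetical application is served from (assumption for this example).
APP_BASE_URL = 'https://app.example.com'

# True only for the Safelinks apex host or a subdomain of it. The suffix match
# includes the leading dot, which is what rejects a host such as
# "safelinks.protection.outlook.com.evil.example".
def safelinks_host?(host)
  return false if host.nil?

  h = host.downcase
  h == 'safelinks.protection.outlook.com' || h.end_with?('.safelinks.protection.outlook.com')
end

# Recover the original target URL from a Safelinks wrapper, or nil if the link is
# not a Safelinks URL or carries no "url" parameter.
def unwrap_safelinks(link)
  uri = URI.parse(link)
  return nil unless uri.scheme == 'https' && safelinks_host?(uri.host)

  URI.decode_www_form(uri.query.to_s).to_h['url']
rescue URI::InvalidURIError
  nil
end

# How option 2 is often written first: a substring test on the Origin value.
# Kept here only to show the bypass below; do not use it.
def naive_origin_allowed?(origin)
  origin.to_s.include?('safelinks.protection.outlook.com')
end

# Strict version. An Origin header is "scheme://host[:port]" with no path, so parse it,
# accept the app's own origin verbatim, and otherwise require https and an exact
# Safelinks host match. A missing Origin passes, mirroring Rails' forgery-protection
# origin check, which only compares the header when the browser sent one.
def origin_allowed?(origin, app_base_url = APP_BASE_URL)
  return true if origin.nil?
  return true if origin == app_base_url

  uri = URI.parse(origin)
  return false unless uri.scheme == 'https' && uri.path.empty?

  safelinks_host?(uri.host)
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts unwrap_safelinks(SAFELINKS_LINK)
  %w[https://nam02.safelinks.protection.outlook.com
     https://safelinks.protection.outlook.com.evil.example
     http://nam02.safelinks.protection.outlook.com].each do |o|
    puts "#{o}: naive=#{naive_origin_allowed?(o)} strict=#{origin_allowed?(o)}"
  end
end
```

Two caveats before wiring anything like this into a Rails app: browsers do not send an `Origin` header on a plain link click (a top-level GET navigation), so capture the headers of the request that actually fails before widening any allowlist; and if an allowlist is added, scope it to the one controller action that needs it rather than relaxing forgery protection application-wide.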
