These magic URLs that can log you in automatically, generally ought to necessitate a very high degree of paranoia from whoever is implementing them. In this case the single point of failure seems like the leaky referrer, which ought to have been noticed as part of the aforementioned paranoia.
I guess the problem here is that from an overall experience POV you want users to be able to get to their booking from their email without having to go back and forth to figure out their booking reference number and type it in.
Even as an advanced user sometimes there is very little you can do to protect against this. In a lot of cases, blocking trackers is also a flaky solution because sometimes custom event tracking takes place as part of a JS event, and the event fails horribly due to the library not being loaded thanks to your blocker, and as a result the event doesn't do what it's supposed to, and you can't use the interface.
For mobile users, blockers are either not easy to install, or exist on some fringe browser that is untested, and breaks the UI.
I wonder if it is possible to measure or guess how many humans have access to your booking in such cases. Some part of the sysadmin team at each of those tracking companies, maybe product leads, customer support?
You will still hit the same problems they described for some sites. Because some JS has been blocked by your blocker, certain websites will have buttons that just don't work. This is frustrating when those buttons are key things like 'buy' or 'confirm'.
I agree with the sentiment but it's not always possible.
In the case of airlines, sometimes you have no choice but to go with a particular carrier because there is no other carrier who will take you to your destination with seats available that meet your schedule.
You also wouldn't know of these practices until much after you have already paid for your ticket, by which time your booking is already in the hands of a few hundred other "trusted third party" employees.
I guess the problem here is that from an overall experience POV you want users to be able to get to their booking from their email without having to go back and forth to figure out their booking reference number and type it in.
Even as an advanced user sometimes there is very little you can do to protect against this. In a lot of cases, blocking trackers is also a flaky solution because sometimes custom event tracking takes place as part of a JS event, and the event fails horribly due to the library not being loaded thanks to your blocker, and as a result the event doesn't do what it's supposed to, and you can't use the interface.
For mobile users, blockers are either not easy to install, or exist on some fringe browser that is untested, and breaks the UI.
I wonder if it is possible to measure or guess how many humans have access to your booking in such cases. Some part of the sysadmin team at each of those tracking companies, maybe product leads, customer support?