Excel: Click on hyperlink calls URL three times

1

When clicking on a hyperlink in Excel, the resource will be called three times (or two times, if the URL was visited before). First and second time hidden, third time as expected in a browser.

Details

I am using the HYPERLINK formula in Excel 2016 like the following one, but the problem also occurs when working without a formula and just the hyperlink feature:

=HYPERLINK(CONFIRM_NO_DATA_URL&B3)

Anyway, it's supposed to call a URL like this

http://example.org/index.php?action=replyToEmailId&emailId=123123123

When I click the cell, a new tab is opened with the correct URL.

But: The URL is actually being called three times (I noticed it in the first place because three emails were sent with a short delay).

I tried to figure out where this came from by writing the HTTP headers to a file. It turned out that Excel calls the hyperlink internally moments before it opens the link in a browser. Also, the provided HTTP headers differ from those of the final request.

First hidden request

This is the first request, using the HEAD HTTP request method:

{
    "HTTP_USER_AGENT": "Microsoft Office Excel 2014 (16.0.10730) Windows NT 10.0",
    "HTTP_X_OFFICE_MAJOR_VERSION": "16",
    "HTTP_X_MS_COOKIEURI_REQUESTED": "t",
    "HTTP_X_FEATUREVERSION": "1",
    "HTTP_ACCEPT_AUTH": "badger,Wlid1.1,Bearer",
    "REMOTE_PORT": "50216",
    "REQUEST_METHOD": "HEAD",
    "REQUEST_TIME_FLOAT": 1537284526.406,
    "REQUEST_TIME": 1537284526
}

The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. source: w3.org

Second hidden request

The second request is kind of hard to identify, looks like Excel mocks several user agents:

{
    "HTTP_ACCEPT": "*\/*",
    "HTTP_USER_AGENT": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office)",
    "HTTP_ACCEPT_ENCODING": "gzip, deflate",
    "REMOTE_PORT": "50221",
    "REQUEST_METHOD": "GET",
    "REQUEST_TIME_FLOAT": 1537284527.807,
    "REQUEST_TIME": 1537284527
}

Question

How to prevent this behaviour on Excel-side?

(Sure I can prevent it in my PHP-script by blocking the HTTP_USER_AGENT containing "ms-office" or the REQUEST_METHOD "HEAD", but I prefer a clean solution).

Side notes

UPDATE #1

I just found this SO-question, which kinda describes the same behaviour: https://stackoverflow.com/questions/24993813/link-in-excel-cause-duplicate-invocation

UPDATE #2 While digging deeper into this I find more and more kind-of-connected SO-threads, like this, which gives a nice description of this "feature": https://webmasters.stackexchange.com/a/71151

Though, there is a slight difference. The REQUEST METHOD of the first request in my case is HEAD, not OPTION as in the above-mentioned answer. Anyway, this still does not help me solve the problem.

UPDATE #3 While trying to reproduce this I found out there are not two but three requests made.

n.r.

Posted 2018-09-18T09:28:38.197

Reputation: 111

Answers

0

I am not sure, but as I was testing I noticed that Excel is opening links in "Internet Explorer" to check for security or for existence.

For example, if you type in a wrong URL, Excel displays "unable to open, security problem has occurred", not a browser.

I have tested on

=HYPERLINK("https://test.test")

and received this error message

So I don't think that it is possible to "fix" this kind of issue from Excel.

Bes Gh

Posted 2018-09-18T09:28:38.197

Reputation: 56

Yes, I also noticed that. It seems to be kind of a feature, but it would be great to prevent Excel from doing it. For me, as a user, it is also totally okay and also no difference, when I receive a 404 in my actual browser. – n.r. – 2018-09-18T13:47:09.690

0

This behaviour (at least the first HEAD request) is caused by the so-called Microsoft Office Protocol Discovery, introduced with Office 2007; see blogs.msdn.microsoft.com:

The purpose of the HEAD request is to check that the content exists at the URL location as a document, and not simply as a temporary resource streamed down for a read-only session

The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. source: w3.org

According to this technet-thread there is no way to disable this feature.

Workaround

As there exists no way to actually disable this feature, you may only block the request on the server side (or use a client-side firewall ...):

PHP-wise it would be possible to deny a request like that with this couple of lines. This simply catches the REQUEST_METHOD for the first hidden request and checks against the weird user agent from the second hidden request:

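    // Reject Office's hidden requests: the HEAD probe and the follow-up GET
    // whose User-Agent contains "ms-office".
    // PHP exposes the User-Agent header as HTTP_USER_AGENT.
    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';

    // strpos() returns false when there is no match, so compare strictly.
    if ($_SERVER['REQUEST_METHOD'] === 'HEAD' ||
        strpos($userAgent, 'ms-office') !== false) {

        throw new Exception('This script may only be called directly');

    }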

Heads up: This works in the above described scenario, feel free to adapt it to avoid blocking traffic, that is actually "wanted".

Further reading

n.r.

Posted 2018-09-18T09:28:38.197

Reputation: 111
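
A more defensive server-side variant of the workaround above, as an added example that is not part of the original answer: it classifies the two hidden Office requests by the headers shown in the question and lets the reply action run at most once per emailId, so a reload or an unrecognised prefetcher cannot send a second e-mail. The function names and the in-memory `$handled` store are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. classifyRequest() and
// sendReplyOnce() are hypothetical names.

/** Classify a request from a $_SERVER-style array. */
function classifyRequest(array $server): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    $agent  = $server['HTTP_USER_AGENT'] ?? '';

    // First hidden request: HEAD probe with Office headers. Any HEAD is treated alike.
    if ($method === 'HEAD' || isset($server['HTTP_X_OFFICE_MAJOR_VERSION'])) {
        return 'office-probe';
    }
    // Second hidden request: GET whose User-Agent contains "ms-office".
    if (stripos($agent, 'ms-office') !== false) {
        return 'office-prefetch';
    }
    return 'browser';
}

/** Allow the side effect at most once per emailId, and only for browser requests. */
function sendReplyOnce(array $server, string $emailId, array &$handled): bool
{
    if (classifyRequest($server) !== 'browser' || isset($handled[$emailId])) {
        return false;
    }
    $handled[$emailId] = true;   // assumption: production code uses a database flag
    return true;                 // the caller sends the e-mail at this point
}

// Constructed sample requests, reduced from the header dumps in the question.
$requests = [
    ['REQUEST_METHOD' => 'HEAD', 'HTTP_X_OFFICE_MAJOR_VERSION' => '16',
     'HTTP_USER_AGENT' => 'Microsoft Office Excel 2014 (16.0.10730) Windows NT 10.0'],
    ['REQUEST_METHOD' => 'GET',
     'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; ms-office)'],
    ['REQUEST_METHOD' => 'GET',
     'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/62.0'],
    // A reload of the browser tab: must not send a second e-mail.
    ['REQUEST_METHOD' => 'GET',
     'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/62.0'],
];

$handled = [];
foreach ($requests as $r) {
    $sent = sendReplyOnce($r, '123123123', $handled);
    printf("%-16s %s\n", classifyRequest($r), $sent ? 'send e-mail' : 'skip');
}
```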