Bug 1592258 Comment 137 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Jorg K (GMT+1) (PTO to 5th Jan 2020, sporadically reading bugmail) from comment #131)
> (In reply to Magnus Melin [:mkmelin] from comment #124)
> > That password is *already* sent to get the autodiscover.xml (now, even since exchange support landed). You're grasping at straws that don't exist.
> 
> Let me just say that your patch opens more vulnerabilities. Please think to which servers you may send the password in the future and how attackers could fake those servers. Now that I've said this, the bug needs to be security restricted.

You realize that "fixing" that would require gutting out the exchange detection entirely, right? It can't detect a thing without sending credentials.
But it's not a security issue, you're just being purposely misled. We're sending credentials, over a secure connection, to the domain you want to set up an account for. If the server is compromised, you're out of luck, but there's no way to prevent that.

Re policy question: Owl (when already installed) can perfectly well enable showing the exchange option, don't you think?
