Monday, May 18, 2020

Security Theatre in Safari Download Permissions

Nick Heer:

Twitter’s URL shortener works by creating 301 redirects, but Safari apparently doesn’t follow those to their destination URL. In some cases, that probably makes sense — large file downloads are often hosted on CDNs with inscrutable addresses. It does, however, mean that however this is supposed to benefit security or privacy is easily defeated if downloads are redirected through common URL shorteners.

Update (2020-07-30): jleedev:

It probably doesn’t change Safari’s behavior at all, but Twitter’s URL shortener uses a meta refresh & location.replace call, not a 301 redirect.

Looks like it sniffs the user agent[…]