19 comments

[ 2.8 ms ] story [ 50.7 ms ] thread
That seems different? Exposing (possibly private) URLs in messages via the API seems like a bug (though int64s aren't really guessable when you have DoS protection).

Just visiting the link shared is completely normal behavior.

> But why?

Go ahead and post a link in a message (I chose this one: http://imgur.com/gallery/wjANVCD). A little visual preview will appear. Where do you think this comes from?

> And classify you as a good citizen for the NSA so that you don’t get killed in a drone attack

Or maybe that.

Why stay for so long though? Fetching an image is fast and using an automated browser is a bit overkill. Maybe they wait for 15 seconds in case the server is slow...
Anti-virus. The post seems to be complaining that Facebook is using a browser, which probably means they're testing for malware.
Or to detect JavaScript triggered malware or other nefarious behavior. Running a full headless browser for link scanning is actually quite doable for Facebook's scale.
There are definitely some sites (particularly news sites) which can take 15 seconds to actually render the main content of the page.
JavaScript, webfonts, XHR... In my experience, if you don't wait most of the times you get a blank page.
Why not both?

Also, they probably need a browser and to wait for a full render to be guaranteed a finalized image for their preview thumbnail.

Occam's Razor strikes again.
I don't think this is a big deal. You're posting a message _on their site_. It's reasonable for them to inspect the url.
Um yeah, the moment you type/paste a link in a post, it loads a preview and tries to pick a good representative picture of the page. As far as I can tell the image is even mirrored on Facebook's CDN for faster loading. It's not like they're subtle about it.
This is the part that happens before you send the message. The post is talking about the automated browser that visits the link after you post it and waits for 15 seconds with socket.io (thus javascript activated).
Oh. Something to do with trackbacks then, maybe?
Facebook probably sends an HTTP request to the link to get an image preview. I doubt that any human or computer is actually "looking" at the link for 15 seconds, more likely they just messed with the concept of time on the preview agent's Javascript interpreter so they can determine the layout of the "final page" with all animations and JS completed.
This is not secret, surprising, or newsworthy, and the implication that it's for the NSA is pure conspiracy theory.
I guess it stays for many seconds because it waits JavaScript to finish executing to get an image preview. It's not uncommon that some sites needs many seconds (or even longer) to load.
also, if you want a URL to stay private, don't email it to anyone using a cloud email service (including yourself)...