I also didn't notice this until today, but this is a great feature to prevent spam and malware. Usually I feel like my Twitter feed is filled with people and links that are moderately trustworthy, but that leaves everyone vulnerable to someone hijacking a twitter account using firesheep or something else.
similarly, search.twitter.com has had this using "(expand)" on the end of links for some time. i'm not sure if this was part of the original acquisition for that service or if they added it in after.
"In speaking with a few colleagues, it appears Twitter is using the 301 redirect on the short URL to provide the mouseover with the full URL."
Is this just a non-technical person attempting to inject a little detail into the article? My first thought was, "How would I do this in JS?" and it took me a second to decipher that sentence.
kind of. it's not done on the front end (js) but rather using some service on the backend.
the phrasing of that is a bit weird, but they probably test until they no longer get a 301 or 302 redirect and save the result. they print this result on the front end as a title for the link and as an HTML5 data attribute "expanded-url" on the link.
I looked at doing this using Javascript in a browser extension a while ago, and it's actually not possible to do for a couple of reasons:
1) XHR cross domain policy prohibits requests to domains other than the domain the page loaded from
2) the XHR GET method always follows a 301 redirect and returns the content at the URL. The full URL is not made available.
I am not HTTP expert, but my understanding is that a 301 is a RESPONSE not a REQUEST.
What is most certainly happening is that Twitter is making a HEAD request to URLs to see if a redirect is happening. The http redirect is a RESPONSE of type 301 (permanent) or 302 (temporary).
And yes, I suspect this is happening somewhere that can be cached. It would be easy to tell by setting up a 301 redirect, posting it to twitter, and watching the server logs.
it prevents me from ever clicking on a short link that will take me to somewhere evil
There are plenty of ways to trick people with links. For example, you can register a domain called not-hardcore-porn.com, and then put porn there. Or you can just poison some upstream DNS cache, and then facebook.com goes to phishing-site.com.
The Internet is very insecure. Short links are the least of our worries.
13 comments
[ 3.4 ms ] story [ 37.9 ms ] threadIs this just a non-technical person attempting to inject a little detail into the article? My first thought was, "How would I do this in JS?" and it took me a second to decipher that sentence.
the phrasing of that is a bit weird, but they probably test until they no longer get a 301 or 302 redirect and save the result. they print this result on the front end as a title for the link and as an HTML5 data attribute "expanded-url" on the link.
I am not HTTP expert, but my understanding is that a 301 is a RESPONSE not a REQUEST.
What is most certainly happening is that Twitter is making a HEAD request to URLs to see if a redirect is happening. The http redirect is a RESPONSE of type 301 (permanent) or 302 (temporary).
And yes, I suspect this is happening somewhere that can be cached. It would be easy to tell by setting up a 301 redirect, posting it to twitter, and watching the server logs.
There are plenty of ways to trick people with links. For example, you can register a domain called not-hardcore-porn.com, and then put porn there. Or you can just poison some upstream DNS cache, and then facebook.com goes to phishing-site.com.
The Internet is very insecure. Short links are the least of our worries.