I’ve definitely seen that if it’s a url, my preview will tell me the title of the webpage on the other end. That might only scan the basics, but I don’t think it’s implausible that preview code could have vulnerabilities.
No, if they’re security conscious, then it may mean they only did a request that scanned the HTML for a <title> tag. That means one WGET call, but a far cry from a standard definition of “visiting” in which your device’s JS parser starts running their unknown code and page instructions.
Sure, we can split hairs about the definition of “visiting” a site. But like your wget example, at the very least the server gets your ip address. Then possibly a user agent string. Maybe follows a redirect. Maybe cookies. A lot of that depends on how secure and privacy oriented the http client is. And all that can happen without rendering a full html DOM, or executing js code.
I’ve definitely seen that if it’s a url, my preview will tell me the title of the webpage on the other end. That might only scan the basics, but I don’t think it’s implausible that preview code could have vulnerabilities.
If it’s showing you the title, then it visited the page already.
No, if they’re security conscious, then it may mean they only did a request that scanned the HTML for a <title> tag. That means one WGET call, but a far cry from a standard definition of “visiting” in which your device’s JS parser starts running their unknown code and page instructions.
Sure, we can split hairs about the definition of “visiting” a site. But like your wget example, at the very least the server gets your ip address. Then possibly a user agent string. Maybe follows a redirect. Maybe cookies. A lot of that depends on how secure and privacy oriented the http client is. And all that can happen without rendering a full html DOM, or executing js code.
So put the injection into the title? Got it
deleted by creator