Jeff Johnson (My apps, PayPal.Me, Mastodon)

Safari share menu now violates privacy

October 26 2023

Last year I wrote about why the macOS Ventura share menu is bad, but that was from a user interface perspective. It turns out that the share menu in Ventura—and now Sonoma—is also bad from a privacy perspective. Here's an example, using http://example.org. In the web inspector, I changed the More information link from https to http so that I could take a full packet trace.

Example Domain

I open the contextual menu on the More information link and select the Share… item.

Open contextual menu on More information link and select Share

But now my old friend Little Snitch complains! The share menu is trying to contact www.iana.org.

ShareSheetUI Networking wants to connect to www.iana.org on TCP port 80 (http)

If I deny the connection to port 80 (http), it falls back to port 443 (https).

ShareSheetUI Networking wants to connect to www.iana.org on TCP port 443 (https)

Now let's see what happens if I allow rather than deny the connections.

Safari share menu with Example Domains iana.org and the site icon

There's the share menu, oddly disconnected from the More information link, showing the site icon of iana.org (the Internet Assigned Numbers Authority).

The packet trace shows the share menu attempting to fetch the icon files favicon.ico, apple-touch-icon.png, and apple-touch-icon-precomposed.png from the site. The network requests look like this:

GET /favicon.ico HTTP/1.1
Host: www.iana.org
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: com.apple.WebKit.Networking/18615.3.12.11.2 CFNetwork/1410.0.3 Darwin/22.6.0

And of course your IP address is leaked.

My belief is that a website should not be notified and given your IP address and other information such as hardware device type and web browser version when you share the URL of the website.

This privacy violation (and the user interface violations) did not occur with the old share menu, before Ventura.

Safari share menu on macOS Big Sur

Addendum

I've done some further testing and made a couple of additional discoveries. I created a test HTML page that contains the following link to my business site http://underpassapp.com:

<a href="http://underpassapp.com" title="Anchor Title">Anchor Text</a>

1. When the site icon request is successful, Safari also requests the web page itself, apparently to get the page title. Here's the HTTP request, with a rather bizarre User-Agent header: a desktop Safari string with the tokens of several link-preview bots (facebookexternalhit and Facebot are Facebook's crawlers, Twitterbot is Twitter's) appended to it:

GET / HTTP/1.1
Host: underpassapp.com
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive

2. The only purpose of the HTTP requests in Safari's share menu appears to be to display the link's icon and title in the share menu. Crucially, that information is not passed along to the other apps!

Safari share menu

When I share with Messages, I just get the URL http://underpassapp.com/. When I share with Mail or Mona, I get the URL along with the anchor text (literally "Anchor Text" in my example), even though the share menu has the actual page title from the HTML.

In other words, the privacy violation of Safari's share menu is 100% needless!
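The flip side of this is that a site operator can recognize these share-sheet previews in an ordinary access log, which is what makes the information leak usable by the site. The following Python is an added example, not code from the post or from Apple: it parses constructed Apache/nginx "combined" log lines (the IP addresses and timestamps are made up, the User-Agent strings and paths are the ones shown above) and flags clients that fetch the three icon paths with the bare CFNetwork agent and then the page itself with the spoofed-bot agent. The Darwin version is pulled out of the CFNetwork agent to show what the icon requests disclose about the client's OS.

```python
"""Flag Safari share-sheet preview requests in a web server access log."""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample log (Apache/nginx "combined" format). The first four lines
# model the share-sheet requests seen in the post; the last two are a normal
# Safari visit, included so the detector has something it must NOT flag.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Oct/2023:14:02:11 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "com.apple.WebKit.Networking/18615.3.12.11.2 CFNetwork/1410.0.3 Darwin/22.6.0"
203.0.113.7 - - [26/Oct/2023:14:02:11 +0000] "GET /apple-touch-icon.png HTTP/1.1" 404 196 "-" "com.apple.WebKit.Networking/18615.3.12.11.2 CFNetwork/1410.0.3 Darwin/22.6.0"
203.0.113.7 - - [26/Oct/2023:14:02:11 +0000] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 404 196 "-" "com.apple.WebKit.Networking/18615.3.12.11.2 CFNetwork/1410.0.3 Darwin/22.6.0"
203.0.113.7 - - [26/Oct/2023:14:02:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"
198.51.100.9 - - [26/Oct/2023:14:03:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
198.51.100.9 - - [26/Oct/2023:14:03:41 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "https://example.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
"""

# Apache/nginx "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The icon files the share sheet requests, as seen in the packet trace.
ICON_PATHS = {"/favicon.ico", "/apple-touch-icon.png", "/apple-touch-icon-precomposed.png"}

# Bare CFNetwork agent: bundle id, CFNetwork and Darwin versions, no "Mozilla/5.0".
# Matching the shape rather than exact version numbers survives OS updates.
CFNETWORK_UA_RE = re.compile(
    r'^com\.apple\.WebKit\.Networking/\S+ CFNetwork/\S+ Darwin/(?P<darwin>\S+)$'
)


def classify_ua(ua: str) -> str:
    """Label a User-Agent string.

    'icon-probe'  : bare CFNetwork agent used for the icon fetches
    'title-probe' : desktop Safari agent with Facebook's and Twitter's crawler
                    tokens appended, a combination no real crawler sends
    'other'       : anything else
    """
    if CFNETWORK_UA_RE.match(ua):
        return "icon-probe"
    if "Safari/" in ua and "facebookexternalhit/" in ua and "Twitterbot/" in ua:
        return "title-probe"
    return "other"


def parse_combined(line: str) -> Optional[dict]:
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_share_probes(log_text: str) -> list:
    """Group requests by client IP and report IPs whose traffic looks like a share-sheet preview."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        icon_hits = [r for r in recs
                     if classify_ua(r["ua"]) == "icon-probe" and r["path"] in ICON_PATHS]
        if not icon_hits:
            continue  # genuine browsers send a Mozilla/5.0 agent for favicons
        darwin = CFNETWORK_UA_RE.match(icon_hits[0]["ua"]).group("darwin")
        title_hits = [r for r in recs if classify_ua(r["ua"]) == "title-probe"]
        findings.append({
            "ip": ip,
            "icon_paths": sorted({r["path"] for r in icon_hits}),
            "darwin": darwin,                  # kernel version disclosed by the icon requests
            "title_fetch": bool(title_hits),   # did it also pull the page for its title?
            "title_paths": sorted({r["path"] for r in title_hits}),
        })
    return findings


if __name__ == "__main__":
    for f in find_share_probes(SAMPLE_LOG):
        print(f"{f['ip']}: share-sheet preview, Darwin {f['darwin']}, "
              f"icons {f['icon_paths']}, page fetched: {f['title_fetch']}")
```

Treat the result as a heuristic, not proof: other Apple clients fetch these icon paths with CFNetwork agents too, so the page fetch with the combined Facebook/Twitter crawler string is the stronger signal, and the detector only reports it when it follows icon probes from the same address.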
