

Facebook creates preview photos that are just 200 Bytes for fast mobile loading - slyall
https://code.facebook.com/posts/991252547593574/the-technology-behind-preview-photos/

======
mtmail
duplicate of
[https://news.ycombinator.com/item?id=10020840](https://news.ycombinator.com/item?id=10020840)

~~~
slyall
Weird. The URLs seem to be exactly the same. Wonder why the dup detector
didn't complain.

------
applecore
GraphQL doesn't transfer raw bytes, so they would save the 33% overhead if
they weren't using Base64 binary-to-text encoding.

~~~
laurencerowe
Gzip content encoding recovers most of the overhead.

~~~
imrehg
Except they shouldn't really use Gzip if they are also using HTTPS... See
[http://stackoverflow.com/a/4063496/171237](http://stackoverflow.com/a/4063496/171237)
or look up BREACH and CRIME.

~~~
duskwuff
BREACH/CRIME aren't a huge concern here. Unlike in a web browser, an attacker
can't cause a user's browser to fire off crafted requests (because they're
only occurring in the Facebook app, which doesn't let third-party scripts
run), and they can't easily observe the size of requests and responses
(because they're all happening over a cellular network, which is difficult to
sniff).

~~~
imrehg
Running inside the app is probably the strongest argument here, though I think
that's also kinda assuming that people cannot subvert the app in unexpected
ways. The size of requests can still be observed, e.g. when on Wi-Fi - people
don't just use their smartphone on the cellular network.

My thinking is that while in this case it's "probably safe" to use Gzip +
HTTPS, that's not a good practice for building secure systems. If e.g. here
these requests are exempted and run through Gzip, the reasons and circumstances
for doing it here will be forgotten, and you can end up with other stuff
exempted later which shouldn't be. Just from experience of how things work in
large orgs.
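
Added example (not part of the thread and not Facebook's code): a check for the condition the BREACH/CRIME exchange above turns on, namely whether the length of a compressed response depends on reflected input matching a secret in the same stream. The token, JSON layout, guesses and function names are constructed for illustration.

```python
import zlib

# Constructed sample values: the token, the JSON layout and the guesses are
# illustrative and do not come from the thread or from any real service.
SECRET = "csrf=8f3c1a9e7b2d4056"
RIGHT_GUESS = "csrf=8f3c1a9e7b2d4056"   # reflected input equal to the secret
WRONG_GUESS = "csrf=d27b04e5f91c63a8"   # same length, different hex digits


def shared_stream_len(reflected: str) -> int:
    """Secret and reflected input compressed together in one DEFLATE stream."""
    body = f'{{"session":"{SECRET}","echo":"{reflected}"}}'.encode()
    return len(zlib.compress(body))


def separate_streams_len(reflected: str) -> int:
    """Secret and reflected input compressed in separate contexts."""
    secret_part = zlib.compress(f'{{"session":"{SECRET}"}}'.encode())
    echo_part = zlib.compress(f'{{"echo":"{reflected}"}}'.encode())
    return len(secret_part) + len(echo_part)


def uncompressed_len(reflected: str) -> int:
    """No compression: what TLS would carry if gzip were disabled."""
    return len(f'{{"session":"{SECRET}","echo":"{reflected}"}}'.encode())


def length_gap(measure) -> int:
    """Bytes by which a wrong guess is longer than a right one on the wire.

    A non-zero gap means ciphertext length reveals whether the reflected
    input matched the secret, which is the precondition for BREACH/CRIME.
    """
    return measure(WRONG_GUESS) - measure(RIGHT_GUESS)


if __name__ == "__main__":
    for name, fn in [("shared stream", shared_stream_len),
                     ("separate streams", separate_streams_len),
                     ("no compression", uncompressed_len)]:
        print(f"{name:17} gap = {length_gap(fn)} bytes")
```

A response is a candidate for exemption from the "no gzip over HTTPS" rule only if the shared-stream gap cannot arise, i.e. no third-party-influenced input is compressed alongside a secret.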

------
caseyf7
Do they do this on the web too or just the native app?

~~~
nitrogen
I suppose it _could_ be done on the web by sending the fixed JPEG header in a
JS file that would be cached, then crafting _data:_ URLs on the fly.

