
You just scanned an unreadable symbol. It could already send you anywhere. Vetting URLs by whether they look like they point at a redirect script seems like overkill.



Oh, actually I've never used a QR code reader that didn't show me the URL before letting me decide whether to go there.


Even that's not an absolute assurance, as millions of people who have failed to renew expired domains can attest. And the HTTP status codes have a whole block of redirect codes while just about every web server permits backend proxies. When you visit http://viral.example/ it can already send you anywhere; seeing the URL http://viral.example/qr only tells you that you're getting QR-specific content, and still does not tell you what that content is.


I guess the only problem is people can't recognize familiar URLs if you use a redirect page. If you link to a Facebook event for a concert, for example, people could see the trusted domain before visiting.


Consider what can be done with a punycode'd URL here, too.

Mix a QR with a little punycode and you easily can end up anywhere, even if you do (quickly) review the URL before the jump.
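Added example, not part of any comment in this thread: a sketch of the check a QR reader could run before showing the URL, decoding punycode labels in the hostname and reporting labels that mix scripts. The function names and the sample lookalike host are hypothetical and constructed for illustration; script detection is approximated from Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit

def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' marks punycode)."""
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed punycode: leave the label as scanned

def label_scripts(text):
    """Approximate scripts from the first word of each letter's Unicode name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in text if ch.isalpha()})

def review_scanned_url(url):
    """Summarise what the hostname of a scanned URL really contains."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    decoded = [decode_label(label) for label in labels]
    scripts = {d: label_scripts(d) for d in decoded}
    return {
        "host_ascii": host,                      # what a naive reader displays
        "host_unicode": ".".join(decoded),       # what a browser may render
        "punycode": any(label.startswith("xn--") for label in labels),
        "mixed_script_labels": [d for d in decoded if len(scripts[d]) > 1],
        "scripts": scripts,
    }

# Constructed sample: Cyrillic U+0430 in place of Latin "a", encoded the way
# it would appear inside a QR payload.
LOOKALIKE = "ex\u0430mple.com"
SAMPLE_QR_URL = "http://" + LOOKALIKE.encode("idna").decode("ascii") + "/qr"

if __name__ == "__main__":
    for url in (SAMPLE_QR_URL, "http://viral.example/qr"):
        print(url, review_scanned_url(url))
```

A label written entirely in one non-Latin script is not listed as mixed, so the `scripts` field is worth showing to the user as well.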



