[mhowland]

No need to do in transit. I mean iMessage could simply proxy all http/https requests post decryption in iMessage, pre-request.

At the end of the day this privacy trade off (apple gets your browsing info) is probably more secure than an embedded webview that could potentially be exploited and is auto-loaded. Similar to how Chrome alerts of malicious sites...I see this as a long term larger attack vector than privacy leakage.

[pfg]

The URL being disclosed to Apple was what I was getting at, which would happen with any approach that involves Apple performing the request on behalf of the user. I don't think the trade-off you're describing is necessary given that the sender could prepare the preview.