by chimeracoder 913 days ago
> Yes, preview is generated by the sender to avoid receiver's address leak to a sender-controlled host, but what I'm saying is that WA should enforce on the receiver side that both point to the same URL.

How do you do that without having the receiver make an HTTP request to that address, in order to follow all redirects?

2 comments

The receiver can do the verification while clicking (which would make the request anyway).
Exactly, that's why I say that they chose the trade-off of easy-to-send shortener over more complicated/manually crafted attacks like the one in the article.