justin․searls․co

What is organicfruitapps.com?

I was fighting with a home automation setup this morning that required me to ping a few high-traffic websites, and I got curious looking at the headers that Apple returns:

$ curl -I https://www.apple.com/
HTTP/2 200
server: Apple
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubdomains; preload
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'self' blob: data: *.akamaized.net *.apple.com *.apple-mapkit.com *.cdn-apple.com *.organicfruitapps.com; child-src blob: embed.music.apple.com embed.podcasts.apple.com https://recyclingprogram.apple.com swdlp.apple.com www.apple.com www.instagram.com platform.twitter.com www.youtube-nocookie.com; img-src 'unsafe-inline' blob: data: *.apple.com *.apple-mapkit.com *.cdn-apple.com *.mzstatic.com; script-src 'unsafe-inline' 'unsafe-eval' blob: *.apple.com *.apple-mapkit.com www.instagram.com platform.twitter.com; style-src 'unsafe-inline' *.apple.com
cache-control: max-age=582
expires: Sat, 23 Dec 2023 12:49:53 GMT
date: Sat, 23 Dec 2023 12:40:11 GMT
x-cache: TCP_MEM_HIT from a23-218-251-35.deploy.akamaitechnologies.com (AkamaiGHost/11.3.3-52660090) (-)
set-cookie: geo=US; path=/; domain=.apple.com

Look at that Content Security Policy. What the hell is organicfruitapps.com and why does it get top billing in the policy?

I remember seeing this domain in the past (maybe it was some Xcode documentation or example code years ago?), but I chuckled seeing it here. I'm always fascinated by the silly text strings that, due to an accident of Internet infrastructure, get sent back and forth trillions of times a day invisibly between our devices.

So what is it? If I had to guess, internally on Apple's network, they use the organicfruitapps.com domain for pre-production development and staging of services that shouldn't be served over apple.com. It's unlikely any of those pre-production services should ever be loaded by actual customers of Apple, but a CSP header like this would probably be necessary for organicfruitapps.com services under development to communicate with live production services at apple.com without being blocked as a potential cross-site script.

To wit, if I'm right, users around the world load this goofy *.organicfruitapps.com string countless times every day in order to facilitate internal development and testing by Apple's engineers. Neat.
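Whether a load from *.organicfruitapps.com is actually allowed by that policy depends on which directive governs the fetch: default-src only applies where no more specific directive is present. The following is an added Python example, not the author's code, that parses a constructed copy of the header value above and resolves the CSP3 fallback chain with a simplified host-source matcher and a subset of directives (both assumptions); it shows that a script from the domain would be blocked by script-src while a fetch/XHR (connect-src) falls through to default-src and is allowed.

```python
from urllib.parse import urlsplit

APPLE_CSP = (  # constructed copy of the content-security-policy value in the curl output above
    "default-src 'self' blob: data: *.akamaized.net *.apple.com *.apple-mapkit.com "
    "*.cdn-apple.com *.organicfruitapps.com; child-src blob: embed.music.apple.com "
    "embed.podcasts.apple.com https://recyclingprogram.apple.com swdlp.apple.com www.apple.com "
    "www.instagram.com platform.twitter.com www.youtube-nocookie.com; img-src 'unsafe-inline' "
    "blob: data: *.apple.com *.apple-mapkit.com *.cdn-apple.com *.mzstatic.com; script-src "
    "'unsafe-inline' 'unsafe-eval' blob: *.apple.com *.apple-mapkit.com www.instagram.com "
    "platform.twitter.com; style-src 'unsafe-inline' *.apple.com"
)

# CSP3 fallback chain (subset): an absent directive defers to the next name in its list.
FALLBACK = {d: ["default-src"] for d in
            ("script-src", "style-src", "img-src", "connect-src", "font-src", "child-src")}
FALLBACK.update({"frame-src": ["child-src", "default-src"],
                 "worker-src": ["child-src", "script-src", "default-src"]})

def parse_csp(header):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}; the first occurrence of a name wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy

def host_matches(source, url):
    """Simplified CSP host-source match: optional scheme, '*.' covers one or more labels."""
    u = urlsplit(url)
    scheme, sep, rest = source.partition("://")
    if u.scheme not in ({scheme.lower()} if sep else {"http", "https"}):
        return False
    host = (rest if sep else source).split("/")[0].rsplit(":", 1)[0].lower()  # drop path, port
    if host.startswith("*."):
        return u.hostname.endswith(host[1:]) and u.hostname != host[2:]
    return u.hostname == host

def allowed(policy, directive, url, page_origin="https://www.apple.com"):
    """Pick the governing directive via the fallback chain, then test url against its sources."""
    sources = next((policy[n] for n in [directive] + FALLBACK.get(directive, []) if n in policy), None)
    if sources is None:
        return True                           # no directive governs this fetch type
    u = urlsplit(url)
    return any(
        f"{u.scheme}://{u.netloc}" == page_origin if src == "'self'" else
        url.startswith(src) if src.endswith(":") else          # scheme-source: blob:, data:
        not src.startswith("'") and host_matches(src, url)     # keywords are not host sources
        for src in sources)
```

Calling allowed(parse_csp(APPLE_CSP), "script-src", "https://dev.organicfruitapps.com/app.js") returns False, while the same URL under "connect-src" returns True.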
