justin.searls.co

What is organicfruitapps.com?

I was fighting with a home automation setup this morning that required me to ping a few high-traffic websites, and I got curious looking at the headers that Apple returns:

$ curl -I https://www.apple.com/
HTTP/2 200
server: Apple
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubdomains; preload
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'self' blob: data: *.akamaized.net *.apple.com *.apple-mapkit.com *.cdn-apple.com *.organicfruitapps.com; child-src blob: embed.music.apple.com embed.podcasts.apple.com https://recyclingprogram.apple.com swdlp.apple.com www.apple.com www.instagram.com platform.twitter.com www.youtube-nocookie.com; img-src 'unsafe-inline' blob: data: *.apple.com *.apple-mapkit.com *.cdn-apple.com *.mzstatic.com; script-src 'unsafe-inline' 'unsafe-eval' blob: *.apple.com *.apple-mapkit.com www.instagram.com platform.twitter.com; style-src 'unsafe-inline' *.apple.com
cache-control: max-age=582
expires: Sat, 23 Dec 2023 12:49:53 GMT
date: Sat, 23 Dec 2023 12:40:11 GMT
x-cache: TCP_MEM_HIT from a23-218-251-35.deploy.akamaitechnologies.com (AkamaiGHost/11.3.3-52660090) (-)
set-cookie: geo=US; path=/; domain=.apple.com

Look at that Content Security Policy. What the hell is organicfruitapps.com and why does it get top billing in the policy?

I remember seeing this domain in the past (maybe it was some Xcode documentation or example code years ago?), but I chuckled seeing it here. I'm always fascinated by the silly text strings that, due to an accident of Internet infrastructure, get sent back and forth trillions of times a day invisibly between our devices.

So what is it? If I had to guess, internally on Apple's network, they use the organicfruitapps.com domain for pre-production development and staging of services that shouldn't be served over apple.com. It's unlikely any of those pre-production services should ever be loaded by actual customers of Apple, but a CSP header like this would probably be necessary for organicfruitapps.com services under development to communicate with live production services at apple.com without being blocked as a potential cross-site script.

To wit, if I'm right, users around the world load this goofy *.organicfruitapps.com string countless times every day in order to facilitate internal development and testing by Apple's engineers. Neat.
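As an added example (not part of the original post, and not Apple's code), here is a small JavaScript evaluator that applies CSP source matching and default-src fallback to the policy in the curl output above, so you can ask "would a page with this header be allowed to load X as Y?" One thing it makes concrete: a Content Security Policy is enforced by the browser on the page that served the header, so this entry governs what pages on www.apple.com may load from *.organicfruitapps.com (for example an XHR/fetch, because connect-src is absent and falls back to default-src), and says nothing about what an organicfruitapps.com page may load from apple.com. It also shows that script-src is spelled out explicitly and omits the domain, so a script from there would still be blocked. The staging hostname is a made-up assumption used only for illustration; the evaluator covers just the expressions this policy uses (host sources with a leading "*.", scheme sources like blob: and data:, 'self', and the default-src fallback), not nonces, hashes, 'strict-dynamic', or port/path matching.

```javascript
// Added example: minimal CSP evaluator for the apple.com policy above.
// Not Apple's code; the staging hostname below is a hypothetical one.

// The content-security-policy value as returned by curl above, copied verbatim.
const APPLE_CSP =
  "default-src 'self' blob: data: *.akamaized.net *.apple.com *.apple-mapkit.com *.cdn-apple.com *.organicfruitapps.com; " +
  "child-src blob: embed.music.apple.com embed.podcasts.apple.com https://recyclingprogram.apple.com swdlp.apple.com www.apple.com www.instagram.com platform.twitter.com www.youtube-nocookie.com; " +
  "img-src 'unsafe-inline' blob: data: *.apple.com *.apple-mapkit.com *.cdn-apple.com *.mzstatic.com; " +
  "script-src 'unsafe-inline' 'unsafe-eval' blob: *.apple.com *.apple-mapkit.com www.instagram.com platform.twitter.com; " +
  "style-src 'unsafe-inline' *.apple.com";

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // A browser honours only the first occurrence of a directive name.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Fetch directives that fall back to default-src when they are absent.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
  "object-src", "child-src", "frame-src", "worker-src", "manifest-src",
]);

// Effective source list for a directive, or null when nothing restricts it.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null;
}

// Does one source expression match the URL being loaded by a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin.origin;
  if (lower.startsWith("'")) return false; // 'unsafe-inline' etc. govern inline code, not URLs
  if (lower === "*") return !["blob:", "data:", "filesystem:"].includes(url.protocol);
  if (lower.endsWith(":") && !lower.includes("/")) return url.protocol === lower; // scheme-source
  // host-source: [scheme://]host[:port][/path]; only scheme and host are matched here.
  let rest = lower;
  let scheme = null;
  const m = rest.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ":"; rest = m[2]; }
  const host = rest.split("/")[0].split(":")[0];
  if (scheme && url.protocol !== scheme) return false;
  // Without an explicit scheme the URL must use the page's scheme (https always qualifies).
  if (!scheme && url.protocol !== "https:" && url.protocol !== pageOrigin.protocol) return false;
  // "*.example.com" matches any subdomain but not the bare "example.com".
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would a page served from pageOrigin with this policy be allowed to load `url` under `directive`?
function allowed(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true;
  const u = new URL(url);
  const p = new URL(pageOrigin);
  return sources.some((s) => sourceMatches(s, u, p));
}

const PAGE = "https://www.apple.com/";
const STAGING = "https://staging.organicfruitapps.com/api/v1"; // hypothetical host, for illustration only

console.log("fetch from staging:", allowed(APPLE_CSP, "connect-src", STAGING, PAGE)); // true
console.log("script from staging:", allowed(APPLE_CSP, "script-src", STAGING, PAGE)); // false
console.log("image from staging:", allowed(APPLE_CSP, "img-src", STAGING, PAGE)); // false
console.log("script from www.apple.com:", allowed(APPLE_CSP, "script-src", "https://www.apple.com/ac/globalnav/main.js", PAGE)); // true
console.log("font from bare apple.com:", allowed(APPLE_CSP, "font-src", "https://apple.com/f.woff", PAGE)); // false
```

Two things worth noticing when you run it: the bare apple.com case fails because "*.apple.com" requires at least one subdomain label and 'self' is the www origin, and the 'unsafe-inline' token inside img-src is inert, since that keyword only has meaning for script-src and style-src (and default-src as their fallback).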
