“#Safari occasionally receives a list of hash prefixes of URLs known to be malicious from Google or Tencent, choosing between them based on the device’s region setting (#Tencent for #China, #Google for other countries). Hash prefixes are the same across multiple URLs, which means the hash prefix received by Safari does not uniquely identify a URL.

When the fraudulent website warning feature is toggled on, Safari checks whether a website URL has a hash prefix to match the hash prefixes of malicious sites. If a match is found, Safari sends the hash prefix to its safe browsing provider and then asks for the full list of URLs that have a hash prefix that matches the suspicious one.

When Safari receives the list of URLs, it checks the original suspicious URL against the list, and if there is a match, Safari shows the warning pop up suggesting users stay away from the site. The check happens on the user’s device, and the URL itself is not shared with the safe browsing provider, but because Safari communicates directly with the safe browsing provider, the providers do receive device IP addresses. ”