Understanding invite links

I would like to properly understand how DC invite links work.

Without understanding how it works, it might appear that the delta.chat server acts as a middle man and can see the email address and profile name of the person you want to contact, and maybe also the SecureJoin data like PGP fingerprint and challenge numbers. However, I doubt that it actually works like this, because this would be a major security concern.

So how does it actually work? And what information, if any, is transmitted to the delta.chat server when you tap on an i.delta.chat link?

1 Like

No information is transmitted to i.delta.chat other than the fact of visiting the website and browser info like User-Agent. But if you have Delta Chat installed, i.delta.chat is not contacted at all.

i.delta.chat links start with https://i.delta.chat/#; everything after # is not transmitted to the server but rendered with JavaScript locally in the browser.

If you scan an https://i.delta.chat link in Delta Chat, e.g. from a QR code, the i.delta.chat server is not contacted at all. The same applies if you open the link directly with Delta Chat on mobile: the application handles the link. The web page at https://i.delta.chat is for users who don’t have Delta Chat yet.

The source code of i.delta.chat is at GitHub - deltachat/invite: Invite links for deltachat; it is a static website with no server-side logic.

4 Likes

Thanks for the explanations!

I confirm this.

However, to be paranoid:

Yes, the hash does not get sent by the browser to the server when it opens the page (e.g. see this StackOverflow question), but if i.delta.chat were to go malicious, its JavaScript would have access to the hash, and it could send it to the server.

1 Like
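
The URL-fragment behaviour discussed in the replies above, as an added example that is not part of the original thread or of the Delta Chat project's code: it splits a link into the part a browser puts in the HTTP request and the part that stays in the browser. The function names and the `PLACEHOLDER-INVITE-DATA` value are constructed for illustration; the real invite data format is not assumed.

```javascript
// Added example: which parts of an invite link reach the web server.
// The fragment value below is a constructed placeholder, not a real invite.

// Split a link into what a browser puts on the wire and what stays local.
function splitLink(link) {
  const u = new URL(link);
  return {
    // Sent in the Host header (and, without the port, as TLS SNI).
    host: u.host,
    // Request target: path plus query, never the fragment.
    requestTarget: u.pathname + u.search,
    // Kept by the browser; only page JavaScript (location.hash) can read it.
    localOnly: u.hash.startsWith("#") ? u.hash.slice(1) : "",
  };
}

// Render the HTTP/1.1 request head a browser would send for the link.
function requestHead(link) {
  const { host, requestTarget } = splitLink(link);
  return `GET ${requestTarget} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// True if the given secret would appear in the request to the server.
function leaksToServer(link, secret) {
  return requestHead(link).includes(secret);
}

const SECRET = "PLACEHOLDER-INVITE-DATA"; // constructed
const cases = [
  `https://i.delta.chat/#${SECRET}`,         // form described in the thread
  `https://i.delta.chat/#${SECRET}?x=1`,     // "?" after "#" is still fragment
  `https://i.delta.chat/?d=${SECRET}#other`, // query string: this IS sent
];
for (const link of cases) {
  console.log(leaksToServer(link, SECRET) ? "SENT " : "LOCAL", link);
}
```

Only the third, constructed case puts the data in the request, because it sits in the query string rather than after the `#`.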