Several Major Browsers to Prevent Disabling of Click-Tracking 'Hyperlink Auditing'

x_t0ken_407 quotes BleepingComputer: A HTML standard called hyperlink auditing that allows sites to track link clicks is enabled by default on Safari, Chrome, Opera, and Microsoft Edge, but will soon have no way to disable it. As it is considered a privacy risk, browsers previously allowed you to disable this feature. Now they are going in the opposite direction.

Hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page that can then examine the request headers to see what page the link was clicked on.
The article concludes that "Firefox and Brave win the award" for people who want this click-tracking capability disabled -- since "only Brave and Firefox currently disable it by default, and do not appear to have any plans on enabling it in the future."

Turned off by default in firefox

[Anonymous Coward]

Went looking for how to turn it off, article was kind enough to provide the necessary about:config setting, it's "browser.send_pings".

Firefox already has it off by default. Nice! for once.

And by likely future chromium forks

[ron_ivi]

Devil's advocate.... ... good.

This is exactly the motivation people need to move to different F/OSS chromium forks.

Ha, just like Javascript, Mozilla will...

[Anonymous Coward]

eventually cave in.

Firefox users used to be able to check a preferences box to enable/disable Javascript. There were some sites I would only visit with JS disabled first, and others where I wanted it enabled. I assumed the Mozilla team would eventually do the user-friendly thing and allow preferences to be set for certain oft-visited websites (perhaps a user-editable file listing special websites and whether to enable audi,video,popups,JavaScript and preserve cookies when otherwise clearing them) but nope -

Re:

[bhcompy]

You can still accomplish that with NoScript and uBO in Firefox. Or you can use Brave, which has it all built in.

Re:

[bhcompy]

Ah, the old fashioned "I'm just asking questions, here" guy. Why? Because they made a choice. Who gives a shit why? Reality is reality. Live with it, or don't. No one cares about AC opinions

Re:

[Cederic]

Why does a user need to download and install optional stuff to make the basic functionality safe?

Because the browser's role is to use HTTP to access a server, process the the response and render it for the user.

The user needs to understand the range of responses that may be possible and whether to process and render them or not, including potential recommendations from the server to retrieve adverts, executable code or images of kittens playing in snow.

A browser that disables Javascript by default would be rejected by most people as it would fail miserably to correctly display the websites they want to

Re:

[mysidia]

Because security in IT terms is not an absolute. It's a compromise. If you want to be secure switch off your fucking computer.

Based on that argument...... Chrome should eliminate HTTPS certificate verification support, accept any connection presented by default, and make that an optional Add-On that has to be installed; Rejecting old versions of SSL such as SSLv3 would also be an Optional Addon similar to the option to shut off scripting... because Security in IT terms is not an absolute, and verify

Re:

[Cederic]

I know. It's almost as though the browser manufacturers aren't consistent in where they choose the balance between security and providing a user experience.

You should write to them all suggesting they sort it out.

Re:

[xryl]

You want to disable Javascript with no extension? It's easy, start the developer's console, click settings, click disable Javascript.
Now, you won't have javascript enabled. Sure, it's MUCH easier with an extension, since it's one click only. Don't blame the developer for some dream/need (only) you want. The feature is present, so don't be lazy and instead of ranting, use it.

IMHO, most user wants javascript. So any sane developer will try to satisfy the majority of his users.

Re:Turned off by default in firefox

[AmiMoJo]

For Chrome install uBlock Origin and it's an option under "Privacy".

Re:

[omfglearntoplay]

So what happens when Chrome when it's not an option to turn off anymore? A little worrying.

Re:

[Wolfrider]

--Thanks for that! I double checked and hopefully won't have to change browsers since it can be disabled with that extension.

Re:

[GuB-42]

*Not* nice.

tl;dr : It means a worse user experience and less privacy for Firefox users.

Try to think about why that "evil" standard exists in the first place. People don't need hyperlink auditing to track you.
What they do instead is that they wrap links into redirect URLs. They use JS to hide it in the tooltip. Just make a Google search in Firefox, right click on one of the search results and "copy link location". What you'll get is a Google URL with a redirect target. Google is far from being the only one t

Re:

[Pieroxy]

What people that want to track click do today is bring you to their website and issue a 302 to redirect you to the destination website. What this feature allowed was to remove the necessary hop, and thus would make the web faster.

But since Firefox did not activate it by default, everyone is still redirected through domains everytime they click a link.

Not sure it's an actual win. Firefox do not remove a feature by disabling this, they forbid an optimization.

For WHAT?

[Anonymous Coward]

You deranged idiots are incredible. You clearly want a police state where any person can be locked up on a whim if the "right people" disagree with them, and you think of yourselves as the "right people".

History is littered with the corpses of the victims of tyranny who themselves enabled that tyranny in the dreams of using it to oppress their political opponents.

At least the Trumpsters chanting "Lock her up!" had a list of actual violations of actual laws for which they wanter her locked up. The FBI even admitted to that list when James Comey infamously stated that "no reasonable" prosecutor would prosecuter her for her crimes, and then moments later announced that if anybody else did the same thing, that person WOULD be prosecuted. You people who've been snorting some sort of drug from Rachel Maddow or Chris Hayes or Chris Cuomo, or Don Lemon, etc have no flipping idea of what laws you imagine Trump has violated.

Morons.

Re: World History 101

[Aristos Mazer]

No. In a republic, a large group of people pick a small group of people and tell the small group to tell the large group what to do. The difference is significant.

Re:

[quicks0rt]

Sure, Hillary should be in jail, but she's not the one in power now is she? Trump while denouncing Hillary, committed and is committing all the same as Hillary had done. Obstruction of justice, violation of emolument clause, willfully ignoring border laws to further political goals, violating Campaign rules, using private emails (surprise, surprise), the list goes on and on.

The fact that this got voted insightful means there are a lot of morons who drunk the trump-aide and refuses to see for what he is. But

Can't this just be done with Javascript?

[phantomfive]

Can't you just encase the link in Javascript and get the clicked link that way? Or do webpages not do that very often?

Re:Can't this just be done with Javascript?

[MrL0G1C]

I loathe links made in that manner because when you right-click them they aren't treated as links so you can't open them in a new tab with a right-click or copy the link etc. That is a mistake IMO, if it's a link when you left-click it then it should also be treated as a link when you right-click it.

Re:

[Tough Love]

Plus, they are stealing your bandwidth and likely as not, adding latency.

Re:

[Galactic Dominator]

When my facet drips, it steals my water.

Re:

[Tough Love]

That is you, pissing your water away as if it were not valuable. Fix your fucking faucet.

Re:

[Cederic]

Actually no, I spend more on water than on my mobile phone.

I have 'unlimited data' on my phone.

Re:Can't this just be done with Javascript?

[DontBeAMoran]

They also break "command+click" which is supposed to open the link in a new tab.

Re:Can't this just be done with Javascript?

[The MAZZTer]

You can make the links work properly when right clicked, the problem is whoever coded it didn't care enough to make that happen.

The proper way to do it is to make it a normal link, but then hook up some JavaScript that stops the default link behavior and/or does something extra in the background.

Re:

[Waccoon]

Even better, UX people are trying to bring the "swipe" paradigm to the desktop. Now, just trying to select and copy a block of text doesn't work, because clicking anywhere in the text treats it like a drag-able layer.

Modern UX is all about breaking everything that made the web work. If browsers even try to stop this BS, designers will hack their way around the fixes.

Re:

[Kejiro]

Modern UX is all about breaking everything that made the web work.

Correction: Modern UX is all about breaking everything that made UX work

With the rise of cross-platform tools like Elektron and similar even desktop applications are moving to not being usable. Instead of having an application that works as a desktop application should, you are being met with a website that have 10% of the functionality from previous versions, and with twice the resource consumption.

Re:

[Anonymous Coward]

Don't even need that - they could be far more honest and simply rewrite it http://clicktrackers.com/logclick&desturl=http://blah.... ; and clicktrackers simply sends a redirect to the real site name.

The point of this is to hide the fact your clicks are being tracked so you don't see it.

Re:Can't this just be done with Javascript?

[viperidaenz]

The point is to also speed the request up. The ping can be done in parallel, you don't need to wait for your click-tracker to redirect you.
ad-blockers can also easily block the ping request.

Re:

[Tough Love]

Right, so expect Google to step up its campaign to block the adblockers.

Firefox Focus

[emil]

Does Firefox Focus normally stop a majority of these? The Android version is based on webview/blink, but it has an integrated adblocker.

Re:

[shadow_slicer]

They do that entirely too often. Additionally, this is a security risk because you don't know where the link goes until you click it.

Re:

[Suren Enfiajyan]

I guess the point is to just notify the specified website that a certain link was opened, that's it. It's much more complicated and costly to do this with Javascript because browsers block a XMLHttpRequest to other domains (cross origin policy). With just JS it can be done, for example, by creating an iframe of the advertiser website and sending a message to it, or send a request to the same domain and then that domain server will send the message to the advertiser. More complicated and also less acceptable

"One of these things is not like the others"

[Anonymous Coward]

Chrome is open source, so it should be simple to patch Chromium to prevent enabling it instead, maybe even to patch Chrome.

Re:"One of these things is not like the others"

[ChoGGi]

There's always tampermonkey

let links = document.getElementsByTagName("a");
for (let i = 0; i < links.length; i++) {
    let link = links[i];
    if (link.hasAttribute("ping")) {
        link.removeAttribute("ping");
    }
}

Assuming it works... anyone got a site with these ping links?

Re:"One of these things is not like the others"

[grep -v '.*' *]

I read about this yesterday, and immediately thought about tampermonkey. Thanks for the script.

On page link [bleepingcomputer.com] they talk about this, with

To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable.

<a href="https://www.google.com/"
ping="https://www.bleepingcomputer.com/pong.php"> Ping Me</a>

To wit: Ping Me [google.com]

This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL [bleepingcomputer.com] , so users will not even realize this is happening unless they examine the sites source code. Scripts that receive the ping POST request, can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to.

The headers associated with the information sent in the ping request are shown below.

[HTTP_PING_FROM] => https:/ [https] www.bleepingcomputer.com/ping.html
[HTTP_PING_TO] => https:/ [https] www.google.com/
[CONTENT_TYPE] => text/ping

Re:"One of these things is not like the others"

[Z00L00K]

Or go around the other way - use this to generate faked pingbacks in large volume rendering the data collected useless.

Re: "One of these things is not like the others"

[JoeyRox]

That's what Brave is doing essentially - it's based off the Chromium code. It also provides some other nice features, such as a built-in Ad blocker and support for background playing of YouTube/video for their Android build.

Re:

[AHuxley]

AC, ads, always the ads.

"Safari, Chrome, Opera, and Microsoft Edge"?

[Anonymous Coward]

"Safari, Chrome, Opera, and Microsoft Edge"?

So in other words: Safari, Chrome, Chrome and Chrome.

Re:

[Gherald]

More like Practically Chrome, Chrome, Chrome, and Chrome

Re:

[DontBeAMoran]

Not really, since Chrome is based on Safari, not the other way around.

Re:

[Cmdln Daco]

Chrome and Safari are based on Konqueror, which is a KDE project. Apple always copies somebody else's code, but retains many lawyers to keep others from copying theirs.

Re:

[DontBeAMoran]

That still doesn't invalidate the fact that Chrome is based on Safari (Webkit), not the other way around.

KHTML (Konqueror), Webkit (Safari), Blink (Chrome, Opera, Edge).

Re:"Safari, Chrome, Opera, and Microsoft Edge"?

[anegg]

More like Practically Chrome, Chrome, Chrome, and Chrome

Can I get spam with that?

Chromium Issue 935978

[Anonymous Coward]

Chrome devs have removed the hidden setting while they debate promoting it into the regular settings UI. If you want this, star the bug (but don't flood the comments too much):
Issue 935978 [chromium.org]

Pale Moon - OFF by default

[Anonymous Coward]

Turned off by default in Pale Moon too.

(I checked...)

AC

Yet another reason to use Firefox

[Tough Love]

Look folks, as long as Google has control of the browser engine source code, Google has you by the short hairs. Worse, control of the binaries as in Android. Open source or not. Not only is Firefox just an all round nicer browser to use (my opinion, if you disagree then please direct your fan mail to Larry Page) it is the only browser that gives a toss about your privacy.

Re:Yet another reason to use Firefox

[Tough Love]

Right, ask selfless Eric Schmidt, he'll tell you. [gawker.com]

Re:

[dargaud]

...posted as an anonymous coward... how fitting !

Yet another reason to use Tor Browser

[emil]

Tor Browser will present you with many more warnings and generally provide far more security information than Firefox. The most common are: don't maximize the browser window on a desktop, and beware of fingerprinting with the canvas element, and noscript redirect warnings.

Re:

[Tough Love]

What happens when you maximize the browser window?

ping is better than redirect

[kiviQr]

At least you can see where you are going. Plus you can block ping with browser extensions. Redirects not so much.

Re:

[devslash0]

Correct. I even started working such an extension this morning. I'm sure I'm not alone.

Firefox is Doomed

[jaa101]

This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party. The surprise here is that Safari has recently disabled this feature since Apple is much less beholden to advertising interests. There's a chance that the Safari change was inadvertent, or at least wan't considered very high up the corporate ladder. With luck Apple will put the feature back.

Re:Firefox is Doomed

[AmiMoJo]

Apple probably did it for the same reason everyone else did - it actually enhances privacy.

There are two ways you can audit clicks on links. You can use the proper HTML hyperlink auditing system, or you can write some horrible Javascript. The HTML hyperlink auditing system can be optimized by the browser for performance, and blocked by extensions, and means you get a real link instead of some Javascript that can't be copy/pasted or opened in a new tab.

By encouraging everyone to use HTML hyperlink auditing it actually improves privacy by making it easier to block and making links work like they are supposed to.

The next step will be to disable the Javascript option. Don't allow OnClick() to rewrite the page URL.

Re:

[Luckyo]

"Surrender peasants, because otherwise we'll slaughter you in an even more painful way".

How about no slaughter at all?

Re:

[Anonymous Coward]

This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party.

What makes open-source so cool, is that money is not a concern. They can have all the ad-money there is - and still not be able to prevent a browser that 'doesn't go with their program'. Sure, they can buy+close companies. Open-source browsers are still there, can still be worked on by the interested, and can still be used by anyone who care.

Re:

[Tom]

Money from the internet comes from advertising

True, but a bit like saying that money in the movie industry comes from renting DVDs.

There are other business models. And advertisement is slowly but surely moving the way it should, to the trashbin of history. I've been on the charge in this one, I admit, I've had adblockers running since the very first alpha versions appeared, and I despite ads in the real world as well. But every year I hear more people complaining about ads and more people that I help in installing adblockers.

Sites are already reacting

Trying to get rid of nasty redirects

[shadow_slicer]

The reason they're doing this is not to track people more. They're doing this so more developers use the ping attribute for this functionality instead of hacky JavaScript or redirects (which prevent the user from seeing what URL the link goes to, increase navigation latency since everything ends up serialized, make it hard to copy the real URL or open the URL in a new window, etc.).

If things go as they typically do, browsers will start blocking the old behavior from working or otherwise disincentivising tha

why?

[sad_]

why is this an HTML standard?
the standard mentions that it will increase transparancy for the user, but sure looks like a heavy price to pay.

Re:

[Ksevio]

Because the alternative is the page uses links to itself to a page that tracks the click and then uses a redirect header to send the user to the new page (or some javascript equivalent). In doing so, the actual destination is hidden from the user.

This is sort of a compromise, the link goes to the actual page, but it pings the site to let it know for link tracking purposes.

Basically, the sites are going to track the user clicking the link either way, it's just more transparent this way

GDPR Link Tax

[cordovaCon83]

Maybe this is a reaction to the GDPR's proposed Link Tax? Did that even make it into the GDPR?

Re:

[devslash0]

Interesting point of view. Maybe you're right. Laying technical foundations to enforce the absurd law.

Re:

[fustakrakich]

Fucking hypocrite.

Oh please! He's a businessman. What's the big deal?

Re:

[Cmdln Daco]

How long has it been since he was a CERN employee? Long enough ago that CERN is safe from his influence?

Re:

[fahrbot-bot]

How long has it been since he was a CERN employee? Long enough ago that CERN is safe from his influence?

So... no longer a conCERN.

Re:Tim Berners-Lee, the hypocrite

[diamondmagic]

No, "ping" isn't in the official HTML specification [w3.org]. What /. linked to is the Google's unofficial fork of HTML.

Re:

[Dracos]

Drafts of HTLM5 included a ping attribute on the a element for doing exactly this. Anyone with a brain could see it would be an order of magnitude more exploitable and abusable than cookies. At some point it was removed from HTML5 officially, but the W3C has gotten into a habit of modularizing things.

Re:

[shadow_slicer]

How is the w3c version "official" if no one is following it anymore? After the XHTML debacle the WHATWG created HTML5. The w3c tries to remain relevant by taking occasional snapshots of the WHATWG standard, but they have no real authority anymore. Calling it "Google's" unofficial fork is incorrect - it was created and is maintained by a consortium of browser developers and is the authoritative reference for HTML5.

Re:

[diamondmagic]

Every website and their mother was moving to XHTML, the XHTML debacle is that Internet Explorer wouldn't support the application/xhtml+xml media type. That's it. It's perfectly fine to use XHTML now that IE6 is no longer a thing.

And no, their fork is not authoritative, it's only defined for Web browsers, it lacks features required for Internet media types in general, the IETF assigned authority for HTML to the W3C in RFC2854, and the IANA still registers text/html as maintained by the W3C. https://www.iana. [iana.org]

Re:

[Hodr]

I would argue that any software standard not tied to actual routing of packets has no authoritative source. God didn't dictate ownership of "HTML", and whoever can convince the most people to use their standard wins by default. Crying about it won't help, they can and will say "Nanny nanny boo boo, stick your head in doo-doo".

Re:

[diamondmagic]

OK, but then we're back at the IE6 philosophy of Embrace, Extend, Extinguish. That set back progress in the Web by a decade.

Recommendations

[d3bruts1d]

w3c publishes recommendations not specifications.

"And thirdly, it is more what you'd call guidelines than actual rules." — Captain Hector Barbossa

Re:

[diamondmagic]

If you want to be that pedantic about it, the W3C publishes specifications endorsed by their member bodies called W3C Recommendations, among other forms technical reports (TRs).

They are specifications because they are the documents authoritative for defining (i.e. specifying) how to interpret an Internet media type.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[diamondmagic]

The HTTP Referer header (i.e. short for "referrer") is defined in HTTP (RFC7231 is the latest release). It's optional but widely-deployed, and mostly intended for intra-site diagnostics, e.g. determining which pages have bad links.

There's a few other headers with similar purposes, like User-Agent (which is also widely deployed) and From (the same header as in email can also be used in HTTP, but use in HTTP is very small, usually only seen in crawlers/robots, where the user would want to be contacted by the