Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome Chromium Firefox Safari

Several Major Browsers to Prevent Disabling of Click-Tracking 'Hyperlink Auditing' (bleepingcomputer.com) 142

x_t0ken_407 quotes BleepingComputer: A HTML standard called hyperlink auditing that allows sites to track link clicks is enabled by default on Safari, Chrome, Opera, and Microsoft Edge, but will soon have no way to disable it. As it is considered a privacy risk, browsers previously allowed you to disable this feature. Now they are going in the opposite direction.

Hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page that can then examine the request headers to see what page the link was clicked on.

The article concludes that "Firefox and Brave win the award" for people who want this click-tracking capability disabled -- since "only Brave and Firefox currently disable it by default, and do not appear to have any plans on enabling it in the future."
This discussion has been archived. No new comments can be posted.

Several Major Browsers to Prevent Disabling of Click-Tracking 'Hyperlink Auditing'

Comments Filter:
  • by Anonymous Coward on Sunday April 07, 2019 @07:24PM (#58400638)

    Went looking for how to turn it off, article was kind enough to provide the necessary about:config setting, it's "browser.send_pings".

    Firefox already has it off by default. Nice! for once.

    • Devil's advocate.... ... good.

      This is exactly the motivation people need to move to different F/OSS chromium forks.

    • by Anonymous Coward

      eventually cave in.

      Firefox users used to be able to check a preferences box to enable/disable Javascript. There were some sites I would only visit with JS disabled first, and others where I wanted it enabled. I assumed the Mozilla team would eventually do the user-friendly thing and allow preferences to be set for certain oft-visited websites (perhaps a user-editable file listing special websites and whether to enable audi,video,popups,JavaScript and preserve cookies when otherwise clearing them) but nope -

      • You can still accomplish that with NoScript and uBO in Firefox. Or you can use Brave, which has it all built in.
    • by AmiMoJo ( 196126 ) on Monday April 08, 2019 @03:19AM (#58401984) Homepage Journal

      For Chrome install uBlock Origin and it's an option under "Privacy".

      • So what happens when Chrome when it's not an option to turn off anymore? A little worrying.

      • by Wolfrider ( 856 )

        --Thanks for that! I double checked and hopefully won't have to change browsers since it can be disabled with that extension.

    • by GuB-42 ( 2483988 )

      *Not* nice.

      tl;dr : It means a worse user experience and less privacy for Firefox users.

      Try to think about why that "evil" standard exists in the first place. People don't need hyperlink auditing to track you.
      What they do instead is that they wrap links into redirect URLs. They use JS to hide it in the tooltip. Just make a Google search in Firefox, right click on one of the search results and "copy link location". What you'll get is a Google URL with a redirect target. Google is far from being the only one t

    • by Pieroxy ( 222434 )

      What people that want to track click do today is bring you to their website and issue a 302 to redirect you to the destination website. What this feature allowed was to remove the necessary hop, and thus would make the web faster.

      But since Firefox did not activate it by default, everyone is still redirected through domains everytime they click a link.

      Not sure it's an actual win. Firefox do not remove a feature by disabling this, they forbid an optimization.

  • by phantomfive ( 622387 ) on Sunday April 07, 2019 @07:24PM (#58400640) Journal
    Can't you just encase the link in Javascript and get the clicked link that way? Or do webpages not do that very often?
    • by MrL0G1C ( 867445 ) on Sunday April 07, 2019 @07:37PM (#58400714) Journal

      I loathe links made in that manner because when you right-click them they aren't treated as links so you can't open them in a new tab with a right-click or copy the link etc. That is a mistake IMO, if it's a link when you left-click it then it should also be treated as a link when you right-click it.

      • Plus, they are stealing your bandwidth and likely as not, adding latency.

      • by DontBeAMoran ( 4843879 ) on Sunday April 07, 2019 @09:07PM (#58401064)

        They also break "command+click" which is supposed to open the link in a new tab.

      • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Monday April 08, 2019 @12:04AM (#58401570) Homepage

        You can make the links work properly when right clicked, the problem is whoever coded it didn't care enough to make that happen.

        The proper way to do it is to make it a normal link, but then hook up some JavaScript that stops the default link behavior and/or does something extra in the background.

      • Even better, UX people are trying to bring the "swipe" paradigm to the desktop. Now, just trying to select and copy a block of text doesn't work, because clicking anywhere in the text treats it like a drag-able layer.

        Modern UX is all about breaking everything that made the web work. If browsers even try to stop this BS, designers will hack their way around the fixes.

        • by Kejiro ( 2803123 )

          Modern UX is all about breaking everything that made the web work.

          Correction: Modern UX is all about breaking everything that made UX work

          With the rise of cross-platform tools like Elektron and similar even desktop applications are moving to not being usable. Instead of having an application that works as a desktop application should, you are being met with a website that have 10% of the functionality from previous versions, and with twice the resource consumption.

    • by Anonymous Coward

      Don't even need that - they could be far more honest and simply rewrite it http://clicktrackers.com/logclick&desturl=http://blah.... ; and clicktrackers simply sends a redirect to the real site name.

      The point of this is to hide the fact your clicks are being tracked so you don't see it.

    • They do that entirely too often. Additionally, this is a security risk because you don't know where the link goes until you click it.

    • I guess the point is to just notify the specified website that a certain link was opened, that's it. It's much more complicated and costly to do this with Javascript because browsers block a XMLHttpRequest to other domains (cross origin policy). With just JS it can be done, for example, by creating an iframe of the advertiser website and sending a message to it, or send a request to the same domain and then that domain server will send the message to the advertiser. More complicated and also less acceptable
  • Chrome is open source, so it should be simple to patch Chromium to prevent enabling it instead, maybe even to patch Chrome.

    • There's always tampermonkey

      let links = document.getElementsByTagName("a");
      for (let i = 0; i < links.length; i++) {
          let link = links[i];
          if (link.hasAttribute("ping")) {
              link.removeAttribute("ping");
          }
      }

      Assuming it works... anyone got a site with these ping links?

      • by grep -v '.*' * ( 780312 ) on Sunday April 07, 2019 @11:04PM (#58401414)
        I read about this yesterday, and immediately thought about tampermonkey. Thanks for the script.

        On page link [bleepingcomputer.com] they talk about this, with

        To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable.

        <a href="https://www.google.com/"
        ping="https://www.bleepingcomputer.com/pong.php"> Ping Me</a>


        To wit: Ping Me [google.com]

        This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL [bleepingcomputer.com] , so users will not even realize this is happening unless they examine the sites source code. Scripts that receive the ping POST request, can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to.

        The headers associated with the information sent in the ping request are shown below.

        [HTTP_PING_FROM] => https:/ [https] www.bleepingcomputer.com/ping.html
        [HTTP_PING_TO] => https:/ [https] www.google.com/
        [CONTENT_TYPE] => text/ping

      • by Z00L00K ( 682162 ) on Sunday April 07, 2019 @11:08PM (#58401426) Homepage Journal

        Or go around the other way - use this to generate faked pingbacks in large volume rendering the data collected useless.

    • That's what Brave is doing essentially - it's based off the Chromium code. It also provides some other nice features, such as a built-in Ad blocker and support for background playing of YouTube/video for their Android build.
  • "Safari, Chrome, Opera, and Microsoft Edge"?

    So in other words: Safari, Chrome, Chrome and Chrome.

  • by Anonymous Coward on Sunday April 07, 2019 @07:40PM (#58400738)

    Chrome devs have removed the hidden setting while they debate promoting it into the regular settings UI. If you want this, star the bug (but don't flood the comments too much):
    Issue 935978 [chromium.org]

  • by Anonymous Coward on Sunday April 07, 2019 @07:41PM (#58400744)

    Turned off by default in Pale Moon too.

    (I checked...)

    AC

  • by Tough Love ( 215404 ) on Sunday April 07, 2019 @08:32PM (#58400918)

    Look folks, as long as Google has control of the browser engine source code, Google has you by the short hairs. Worse, control of the binaries as in Android. Open source or not. Not only is Firefox just an all round nicer browser to use (my opinion, if you disagree then please direct your fan mail to Larry Page) it is the only browser that gives a toss about your privacy.

  • by kiviQr ( 3443687 ) on Sunday April 07, 2019 @10:48PM (#58401376)
    At least you can see where you are going. Plus you can block ping with browser extensions. Redirects not so much.
  • Firefox is Doomed (Score:5, Interesting)

    by jaa101 ( 627731 ) on Sunday April 07, 2019 @10:52PM (#58401384)

    This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party. The surprise here is that Safari has recently disabled this feature since Apple is much less beholden to advertising interests. There's a chance that the Safari change was inadvertent, or at least wan't considered very high up the corporate ladder. With luck Apple will put the feature back.

    • by AmiMoJo ( 196126 ) on Monday April 08, 2019 @03:27AM (#58402006) Homepage Journal

      Apple probably did it for the same reason everyone else did - it actually enhances privacy.

      There are two ways you can audit clicks on links. You can use the proper HTML hyperlink auditing system, or you can write some horrible Javascript. The HTML hyperlink auditing system can be optimized by the browser for performance, and blocked by extensions, and means you get a real link instead of some Javascript that can't be copy/pasted or opened in a new tab.

      By encouraging everyone to use HTML hyperlink auditing it actually improves privacy by making it easier to block and making links work like they are supposed to.

      The next step will be to disable the Javascript option. Don't allow OnClick() to rewrite the page URL.

      • by Luckyo ( 1726890 )

        "Surrender peasants, because otherwise we'll slaughter you in an even more painful way".

        How about no slaughter at all?

    • by Anonymous Coward

      This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party.

      What makes open-source so cool, is that money is not a concern. They can have all the ad-money there is - and still not be able to prevent a browser that 'doesn't go with their program'. Sure, they can buy+close companies. Open-source browsers are still there, can still be worked on by the interested, and can still be used by anyone who care.

    • by Tom ( 822 )

      Money from the internet comes from advertising

      True, but a bit like saying that money in the movie industry comes from renting DVDs.

      There are other business models. And advertisement is slowly but surely moving the way it should, to the trashbin of history. I've been on the charge in this one, I admit, I've had adblockers running since the very first alpha versions appeared, and I despite ads in the real world as well. But every year I hear more people complaining about ads and more people that I help in installing adblockers.

      Sites are already reacting

  • The reason they're doing this is not to track people more. They're doing this so more developers use the ping attribute for this functionality instead of hacky JavaScript or redirects (which prevent the user from seeing what URL the link goes to, increase navigation latency since everything ends up serialized, make it hard to copy the real URL or open the URL in a new window, etc.).

    If things go as they typically do, browsers will start blocking the old behavior from working or otherwise disincentivising tha

  • by sad_ ( 7868 )

    why is this an HTML standard?
    the standard mentions that it will increase transparancy for the user, but sure looks like a heavy price to pay.

    • by Ksevio ( 865461 )
      Because the alternative is the page uses links to itself to a page that tracks the click and then uses a redirect header to send the user to the new page (or some javascript equivalent). In doing so, the actual destination is hidden from the user.

      This is sort of a compromise, the link goes to the actual page, but it pings the site to let it know for link tracking purposes.

      Basically, the sites are going to track the user clicking the link either way, it's just more transparent this way
  • Maybe this is a reaction to the GDPR's proposed Link Tax? Did that even make it into the GDPR?
    • Interesting point of view. Maybe you're right. Laying technical foundations to enforce the absurd law.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...