Firefox enables 'ping' attribute

[Posted January 18, 2006 by corbet]

As seen on Slashdot: the Firefox trunk now includes support for the "ping" attribute on <A> (link) tags. Said attribute can contain a list of servers, each of which will be notified when somebody clicks on the link. It seems they haven't yet gotten around to implementing the control that lets users disable this "feature"; one assumes that will happen before release time. "Ping" doesn't enable anything which couldn't be done in other ways, but it is still hard to see it as a reader-friendly feature.

to post comments

Just does faster what redirects do already

Posted Jan 18, 2006 16:23 UTC (Wed) by stevenj (guest, #421) [Link] (11 responses)

A lot of people seem to be getting prematurely excited about the "privacy implications" of this. Realize that this functionality is available to web sites already, simply by using redirect links that go through their servers, and that such redirects are widely used but have several disadvantages for users (slower page loading, obfuscated URLs, ...).

The ping attribute doesn't provide any new ability to track users. It simply provides a more user-friendly avenue for the inevitable (note that redirects can't be disabled without breaking the web).

And yes, there is a browser.send_pings preference to disable this in about:config. And yes, a UI to inform users of pings is apparently in the works (and will undoubtedly be better than the fraction-of-a-second flash that redirect URLs give).

Just does faster what redirects do already

Posted Jan 18, 2006 17:03 UTC (Wed) by moxfyre (guest, #13847) [Link] (2 responses)

Exactly. I don't see what the fuss is about!

For website operators who'd like to keep track of links being clicked on, this provides a cleaner way to do it that doesn't require multiple page loads for the user.

For users who feel that this feature may affect their privacy, they can turn it off ... UNLIKE redirects, which cannot be turned off. So if websites adopt the "ping" feature on a large scale, this will IMPROVE privacy options for users.

So everyone wins. Website operators have a nifty new feature, users have more options for protecting their privacy. Where's the problem?

Just does faster what redirects do already

Posted Jan 18, 2006 17:09 UTC (Wed) by hppnq (guest, #14462) [Link]

I would be really surprised if websites that use redirection for tracking will rely on an option that can be turned off, so the ping attribute is nothing but bloat in the real world, I'm afraid.

Just does faster what redirects do already

Posted Jan 18, 2006 18:40 UTC (Wed) by marineam (guest, #28387) [Link]

> Exactly. I don't see what the fuss is about!

It's slasdot, what do you expect? :-P

We might as well post an article titled "Are webservers logging your activity a privacy concern?"

Just does faster what redirects do already

Posted Jan 18, 2006 17:19 UTC (Wed) by dwheeler (guest, #1216) [Link] (7 responses)

No, they are NOT the same. You're missing the point. Redirects are by their very nature obvious... you cannot do a redirect without a user noticing. Accesses are recorded by the log files of the webserver, but you have to have access to THAT WEBSERVER's log files to get this.

The "ping" as written allows SILENT announcements to THIRD PARTIES, who may have managed to get the ping information in through cross-site scripting and other attacks.

If there's this much outcry, then it doesn't belong in as a default. Even if you THINK that this is no big deal, it IS to the users; it tells the users "you can't trust this browser".

Just does faster what redirects do already

Posted Jan 18, 2006 17:57 UTC (Wed) by niner (guest, #26151) [Link] (4 responses)

Sorry, but you can't trust a browser as soon as it implements JavaScript. If you can add a ping attribute to a link on a site, you may as well add some onclick="" script that does the redirect by itself. I can't imagine "normal" people turning off JavaScript because many sites they use would just break. But turning of this ping feature would not reduce any experience for the user.

And you can't judge visibility before the user interface for this feature is finished.

Just does faster what redirects do already

Posted Jan 19, 2006 1:10 UTC (Thu) by walken (subscriber, #7089) [Link] (2 responses)

Actually, I turn off JavaScript in my browser.

Sites I use dont break - but then again, this could be because if they did, I'd stop using them.

Guess I'm not "normal".

Just does faster what redirects do already

Posted Jan 19, 2006 8:07 UTC (Thu) by Los__D (guest, #15263) [Link]

Well, then next time, you'll just have one other thing to turn off, no biggie...

Just does faster what redirects do already

Posted Jan 21, 2006 4:23 UTC (Sat) by Baylink (guest, #755) [Link]

Your sarcasm aside, no, you are in fact not normal on this particular topic.

Not that there's anything *wrong* with that. :-)

Just does faster what redirects do already

Posted Jan 19, 2006 3:05 UTC (Thu) by Zarathustra (guest, #26443) [Link]

That is one of the many reasons why I browse with JavaScript disabled, it makes the whole web experience much less painful.

Even gmail is almost useable once you disabled all that AJAX braindamage so links are actually links, the back button works, and you can have more than one email open at the same time. (Not to mention it is much faster)

Now, what the hell is up with Firefox 1.5 taking 200Mb of ram after using it for just a couple of days? It seems that it leaks more than it did back in the Millstone days.

I'm going to end up porting abaco from Plan 9 to p9p so I can browse the web in linux without my box swaping like crazy.

Just does faster what redirects do already

Posted Jan 18, 2006 18:16 UTC (Wed) by gowen (guest, #23914) [Link]

As one of the 'Ping' developers noted, you can implement an invisible redirect by using on OnMouseDown to change the HREF text as soon as the User clicks it.

Just does faster what redirects do already

Posted Jan 18, 2006 19:18 UTC (Wed) by NAR (subscriber, #1313) [Link]

Redirects are by their very nature obvious... you cannot do a redirect without a user noticing.

I'm afraid most users don't even know what's a redirect. I certanly didn't notice that a site I often read uses redirects until I tried to copy&paste a link from the browser into an e-mail and saw that the URL looks strange. It doesn't even need any JavaScript tricks, the redirect is fast enough not to be noticed.

Bye,NAR

Another "browser war" coming?

Posted Jan 18, 2006 17:14 UTC (Wed) by proski (guest, #104) [Link] (3 responses)

I would prefer any non-standard features to be implemented as an extension first. This would allow limited testing. Some sites could use the new feature and ask its users to download that extension. If using an extension is not practical, and the feature should be in the main code, it should be disabled by default.

Once the standard is passed, the feature can go to the mainline. It's possible that the standard would differ from the initial proposal. Exposing end users to pre-standard features is hardly a good idea - it can create compatibility problems for the websites, defeating the main purpose of standards.

If the feature becomes widespread prematurely, it could limit the ability of the standard bodies to refine the proposal standard. The "ping" attribute can have huge privacy and security implications. It's important to get it right.

Firefox 2.0 is to be released in June-July 2006. It's highly unlikely that the "ping" attribute will be a part of any standard by then. I'm disappointed by Mozilla Foundation starting another "browser war" using the same methods that were used by Microsoft and Netscape.

Another "browser war" coming?

Posted Jan 18, 2006 17:33 UTC (Wed) by jwb (guest, #15467) [Link] (2 responses)

See, the WHATWG _thinks_ it is the new W3C, even though it is little more than an invitation-only ad hoc committee of Firefox and Safari developers who have little formality of process and no transparency.

WHATWG is, in essence, Firefox developers shouting "we are the standard!"

Another "browser war" coming?

Posted Jan 18, 2006 21:33 UTC (Wed) by roc (subscriber, #30627) [Link] (1 responses)

You accuse WHATWG of "invitation only"? "no transparency"?

WHATWG: Anyone can read their email lists. Anyone can read the current state of any draft. Anyone can contribute. Lots of people do contribute who aren't Firefox or Safari developers. The creator of WHATWG was at Opera when he created it, and Opera is implementing WHATWG specs.

W3C: Pay up (large) W3C membership fees if you want to be on a working group. Working group discussions happen on private email lists.

Another "browser war" coming?

Posted Jan 18, 2006 22:56 UTC (Wed) by jwb (guest, #15467) [Link]

I'm not accusing anyone. You need only observe how the ping attribute landing has taken people by surprise to see that WHATWG is de facto non-transparent. And you need only to read the WHATWG charter to see that membership is by invitation.

if widely adopted, this is a good

Posted Jan 18, 2006 18:20 UTC (Wed) by b7j0c (guest, #27559) [Link] (2 responses)

assume content publishers actually enable ping everywhere for their tracking. now you can script the removal of these attributes via greasemonkey - you can turn tracking into an elective operation rather than a mandatory one.

in current schemes, tracking is simply embedded in the urls or html beacons (images or js that "call home" when a page is loaded via an http GET).

mind you, this doesn't deal with the cookie tracking issue, another matter entirely.

even easier

Posted Jan 18, 2006 19:09 UTC (Wed) by niner (guest, #26151) [Link] (1 responses)

the pinging is completely optional. Even though there is no UI yet, there's already the preference browser.send_pings (defaults to true)

even easier

Posted Jan 20, 2006 17:29 UTC (Fri) by dmarti (subscriber, #11625) [Link]

Can you allow/disallow ping on a per-site basis as you can for cookies? I allow cookies for LWN, but not most other sites, and if LWN started using "ping" I'd allow it too.

Seems like there's a simple solution to this, to me

Posted Jan 18, 2006 18:38 UTC (Wed) by Baylink (guest, #755) [Link]

And whomever said this would have been easier to work out if it was an extension first was right ;-)

Pop a dialog that soys something like "This author page wants to notify someone that you've clicked this link, using the address $URL: [Allow / Deny] [This website / That target / All] [This time/always]"

Firefox enables 'ping' attribute

Posted Jan 18, 2006 20:03 UTC (Wed) by pstemari (guest, #35299) [Link] (2 responses)

I don't know why anyone thinks they can "see" a redirect. Properly implemented, using a 302, 303, or 307 HTTP status code, there isn't anything to see. The only time you see a redirect is if it's been hacked in via a meta refresh tag.

Firefox enables 'ping' attribute

Posted Jan 18, 2006 20:13 UTC (Wed) by Baylink (guest, #755) [Link] (1 responses)

You can *see* a redirect because the URL on your browser's status line isn't a) where you expect to go / b) where you end up.

Firefox enables 'ping' attribute

Posted Jan 18, 2006 23:53 UTC (Wed) by njhurst (guest, #6022) [Link]

Except that there are lots of tricks to fake the destination url using javascript.

Firefox enables 'ping' attribute

Posted Jan 18, 2006 20:11 UTC (Wed) by ballombe (subscriber, #9523) [Link] (6 responses)

What I miss is the benefit for the users to activate this feature.

Firefox enables 'ping' attribute

Posted Jan 18, 2006 22:13 UTC (Wed) by ikm (subscriber, #493) [Link]

Yes, me too. The majority of 'logging' redirects, if not all, seem to be pretty much useless, if not hostile, for the end-user. There is even a greasemonkey script to squash em (named NoMiddleMan). Personally, I would just turn this new bugger feature off, and I think I won't be alone -- and as such, since it is so easy to circumvent, no sane webdeveloper would trust that attribute too much. So the majority of them would resort to the old-fashioned redirects we all are used to.

Yes, it does speed up the redirect. But the reality is, no end-user needs a redirect in the first place! With the direct knowledge of an URL to go, who needs to waste bandwidth doing some pings?

On the other hand, this might be exactly why this feature could have some merit, after all. Suppose, contrary to the expectations of mine above, this gets widespread. Then the people who know can just turn it off and enjoy the world with less redirects, since some webmasters would have adopted it :)

Redirects can be SLOW

Posted Jan 19, 2006 0:17 UTC (Thu) by xoddam (subscriber, #2322) [Link] (2 responses)

When a redirect is used to track clicks, which is the common case,
there's an extra roundtrip before you see the site you're going to. That
can be negligible, or if there's trouble it can be an extra twenty
seconds or a completely broken link. My webmail server is sometimes
agonisingly slow and all links in emails are redirects; I often *do*
copy, paste and edit the URL to remove the redirect (the target is not
scrambled in any way) -- not for privacy reasons but for speed.

I for one welcome our new <a ping="$URL"> overlords.

Redirects can be SLOW

Posted Jan 19, 2006 10:37 UTC (Thu) by ballombe (subscriber, #9523) [Link] (1 responses)

This does not answer the question: why should I choose to turn it on rather than off ? For all I see the benefit of this feature is the same for a user if it is turned off and turning it off avoid useless connection, so can only be faster.

Redirects can be SLOW

Posted Jan 19, 2006 22:36 UTC (Thu) by nan (guest, #710) [Link]

You don't have to turn it on. You will have to turn it off, though.

For this 'ping' to work, browsers in general, or at least Firefox, will have to come with the feature turned on by default. Otherwise websites will never stop using the redirects and the benefit of the ping, even though it is there will be null. If the idea catches on with other web browsers, smart sites might remove redirects and use only 'ping'. Yes, people like you will turn it off and be happy with it, mostly everyone else (outside the lwn.net readership) will leave it on and also enjoy the benefits. For those people there won't be more/less tracking than there is now. They will simply enjoy a faster web.

Having said all this, the only thing I see the Mozilla people doing is trying to improve the web for everyone. The 'ping' is just one of many things to come. Fantastic work if you ask me.

Benefit to users

Posted Jan 19, 2006 16:12 UTC (Thu) by Baylink (guest, #755) [Link] (1 responses)

You know, everyone says this.

Are y'all that stupid?

Free stuff. That's the benefit. Large corporations, with the resources to provide lots of the stuff websurfers want for free, are only going to do it if they get *something* out of it.

Knowing which of the outlinks they provide are useful and interesting to people, while not really much in most businesses, *is* *something*.

That's clear because they already go so far out of their way to collect this information.

So, in the long run, if you want the free flow to dry up, sure; make it impossible for them to make any money off giving you stuff for free. You'll get what you ask for... it just won't be what you *want*.

And if anyone needs any more on this point

Posted Jan 19, 2006 23:18 UTC (Thu) by Baylink (guest, #755) [Link]

Check out this Doc Searls column on a tangentially related issue:

http://lists.ssc.com/pipermail/suitwatch/2005-December.txt

A further observation

Posted Jan 18, 2006 20:35 UTC (Wed) by Baylink (guest, #755) [Link] (7 responses)

after reading a bunch of the commentary at the target site.

"Users do not like to be tracked."

Ok, let's call a spade a spade here, folks: *we* do not like users to be tracked, and that's how we configure *our* browsers, and those of people whom we geek for.

"Users" -- the general websurfing public -- very likely don't care, much less know.

As long as this feature isn't a) default-on, b) silent, and c) can't be turned off (all three of those), then it's probably not the Godwin's Law inspiring thing everyone seems to be wanting to cast is as.

But hell, maybe it's just me.

So many things are just me.

A further observation

Posted Jan 18, 2006 21:51 UTC (Wed) by allesfresser (guest, #216) [Link] (5 responses)

How about "Any given user, if presented the relevant facts, would prefer not to be tracked"? I don't think anybody *likes* the fact that they're being tracked, if they know about it. People like to keep their browsing habits private, and for good reason.

A further observation

Posted Jan 18, 2006 22:06 UTC (Wed) by Baylink (guest, #755) [Link] (4 responses)

Really, honestly, no. I think if they're presented the facts -- by which I mean to imply "without the negative bias we place on the whole issue" -- the results would tend towards 50/50 amongst the non-geek public.

Shall we commission Gallup to poll Americans? Pew Internet may have done it already, for all I know.

A further observation

Posted Jan 18, 2006 23:25 UTC (Wed) by allesfresser (guest, #216) [Link] (3 responses)

On the contrary, if you presented a non-geek with the statement, "Would you mind if companies tracked wherever you surfed on the internet, tabulating which kind of sites you visit and when you visit them, and then sell this information to any John Doe with enough cash?", I'm pretty sure a large majority would say, "yes, I do mind." And even if they don't realize how they're putting their privacy in danger, it doesn't mean that we who do realize it need to make it easier for the marketroids.

A further observation

Posted Jan 19, 2006 0:30 UTC (Thu) by Baylink (guest, #755) [Link]

Yup, indeed. If you phrased it that baldly one-sidedly, as I implied earlier, then of course you'd get the answer you want to assert everyone will have.

Oh, excuse me.

"Objection! Leading the witness." :-)

A further observation

Posted Jan 19, 2006 0:49 UTC (Thu) by xoddam (subscriber, #2322) [Link] (1 responses)

Except that this isn't exactly what is going on -- Baylink is right, you
are putting a very negative spin on it. Users remain anonymous with this
kind of tracking unless they have authenticated themselves to a site, and
they are not uniquely identifiable across unrelated sites. Each website
implements its own link tracking (if any) and there is no one company
which is collating all the tracking data. The data is primarily useful
for statistical purposes; it doesn't generally target individuals. Some
ecommerce sites *do* track authenticated users as far as they are able,
but it's there in the fine print you agree to when you register.

The kind of tracking which goes on with loyalty cards when shopping is
*far* more invasive, but users happily go to the effort of carrying and
presenting the cards for a tiny reward at the end of the rainbow. And
they have all signed that they've read the fine print. Anyone with half
a clue is aware their purchases are being recorded, it's the only
business case for offering the card to consumers in the first place. Many
of those clueful people just don't mind the data being collected --
perhaps they think they have nothing to hide :-)

To reiterate -- the PING attribute provides nothing new, it merely offers
a slightly more efficient (and flexible, as it may be more readily
disabled or screened) implementation of what is already done on a massive
scale.

And yet another corollary

Posted Jan 19, 2006 0:55 UTC (Thu) by Baylink (guest, #755) [Link]

is semi-inadvertantly made by Xoddam in his reply -- and this would hold even more true *if* the Firefox team take one of the suggestions I've seen which I *do* like: only permit PINGs to the refering or target sites -- and that corollary is:

If we make it trivially easy for people to track their own outlink uptake by this sort of method, then we make it commercially impractical for people like DoubleClick to make money at it.

As for affinity cards, I've seen the nasty signs they put up at point of sale reminding the cashiers not to use a generic card for shoppers who don't have one, and none of the cashiers are ever surprised when I reply "no, my privacy is worth more to me than a couple bucks a week". They all just smile and nod.

Not caring

Posted Jan 19, 2006 19:30 UTC (Thu) by Max.Hyre (subscriber, #1054) [Link]

"Users" -- the general websurfing public -- very likely don't care, much less know.

Does this remind anyone else of Sony BMG's President, Thomas ``Problem, what problem?'' Hesse:

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

The real trouble is the same as trying to stop all those folks who're so avid to sell your personal data. They ``allow'' you to opt-out---individually, so you need to spot it hundreds of times each week.

As it is, this is yet another instance of how we're being ``pecked to death by ducks''.

Firefox enables 'ping' attribute

Posted Jan 19, 2006 8:00 UTC (Thu) by job (guest, #670) [Link] (2 responses)

I think what bugs most people here may not be the http ping function itself, but the feature as an example of how non-transparent Mozilla development has become. This is just the next in line of weird Google features (as least earlier people also complained when Firefox didn't allow users to choose which search engine should be behind the url bar) that's normally associated with non-free software.

If it would have been Linux, this flame war would already been had on the development mailing list where people interested hang out. Now it's dropped from above by some blessed developers.

That said, I also feel a bit uneasy with this sort of features. I seldom click on long redirect links unless I understand the reason. This obfuscates that practice even further, now that turning off javascript won't even do.

Firefox enables 'ping' attribute

Posted Jan 19, 2006 16:44 UTC (Thu) by roc (subscriber, #30627) [Link]

A flamefest was already had on the (public) WHATWG list.

The flamefest happening now shows that Mozilla development is transparent. It will be months before this feature is in the hands of any actual users, if it's not removed or disabled by then.

No flames without a fire

Posted Jan 20, 2006 8:29 UTC (Fri) by xoddam (subscriber, #2322) [Link]

While I wouldn't disagree with the poster who says Mozilla is trying to
'monetize their IP', I think every sentence but one of this post claims
something which is blatantly false.

At least fire your flames with some real fuel.