Firefox's Ping Attribute: Useful or Spyware?
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
Submitter is a melodramatic idiot (Score:5, Informative)
Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=319368 [mozilla.org]
userContent.css to the rescue (Score:5, Informative)
Re:You can already do this with Javascript (Score:4, Informative)
Use the Firefox NoScript extension and you can be selective about what javascript you run on a per-site basis.
RTA (Score:5, Informative)
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:5, Informative)
Take a look at the HTML source on Fark -- you'll see javascript to overwrite the status line so it doesn't show it's tracking you.
If it can't be disabled then I'm off (Score:3, Informative)
Jesus if this was put into MSIE then people would be writing to their MP/senator by now!
I cannot think of any good use for this.
People who run servers do not need that specific kind of stats, their server logs should be good enough. Only marketing (aka spyware) types would want this kind of info.
Use Firefox as a workaround (Score:2, Informative)
Any developer with a small amount of time on their hands can easily develop a firefox extension or greasemonkey script that will take all of the ping tags out of the page that is rendered to the user.
"Problem" solved.
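The kind of user script the comment above describes, as an added example that is not part of the original post: it removes the ping attribute from links and reports which servers each link would have notified. The script name and the function names `pingTargets` and `stripPings` are hypothetical; it assumes a user-script manager that runs the code in the page's DOM.

```javascript
// ==UserScript==
// @name        strip-link-pings (hypothetical script name)
// @include     *
// ==/UserScript==

// A ping value is a space-separated list of URLs; return them as an array.
function pingTargets(el) {
  const raw = el.getAttribute('ping') || '';
  return raw.trim().split(/\s+/).filter(Boolean);
}

// Remove every ping attribute under `root` and report what was removed,
// so the user can see which servers each link would have notified.
function stripPings(root) {
  const report = [];
  for (const el of root.querySelectorAll('a[ping], area[ping]')) {
    report.push({ href: el.getAttribute('href'), targets: pingTargets(el) });
    el.removeAttribute('ping');
  }
  return report;
}

// Only wire up the page hooks when running inside a browser.
if (typeof document !== 'undefined') {
  const log = (entries) => entries.forEach((e) =>
    console.info('ping removed:', e.href, '->', e.targets.join(', ')));
  log(stripPings(document));
  // Pages can add or re-add ping attributes after load, so keep watching.
  new MutationObserver(() => log(stripPings(document))).observe(
    document.documentElement,
    { childList: true, subtree: true, attributes: true, attributeFilter: ['ping'] });
}
```

Removing the attribute only affects pings; redirect-based and script-based tracking on the same link is untouched.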
FUD (Score:1, Informative)
Re:RTA (Score:5, Informative)
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:3, Informative)
Sure, but is that a reason to just hand the data to them on a silver platter? I mean, why keep spammers out of your MTA? They'll just resort to various tricks to spam anyway, so why not just give them an account?
Firefox should provide new ways to ensure our privacy, not new ways to violate it. I'm disappointed.
Re:Possible fix (Score:5, Informative)
Did you read the article, or the WHATWG spec?
It specifically mentions:
FWIW, this really seems dead in the water. First, not too many users will have it enabled (or even available, for that matter). Second, this information is already being reliably collected with cookies, mod_usertrack [apache.org], javascript, and page redirect tricks -- mostly with no knowledge of the enduser.
Why go with a little-available, easily disabled mechanism when the tried-and-true method is already available?
Re:userContent.css to the rescue (Score:5, Informative)
Re:Not very useful (Score:5, Informative)
WHATWG != Mozilla
Mozilla is attempting an implementation of a standard set by an independent standards body. No, they're not the W3C, but like you pseudo-quoted out of context, "w3c doesn't have to make all the rules."
Re:RTA (Score:5, Informative)
Sure, your one redirect query may not affect you much, but tens of thousands of people doing it could slow a server right down.
Re:How is this different from (Score:3, Informative)
That would be incredibly stupid if they did it that way. Every request the browser makes should adhere to the proxy settings. Most of the time, a proxy is not optional but mandatory.
In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....
Quite the contrary. Most of the time, if people are to use a proxy, it's because their clients are _not_ allowed direct access via NAT. I think the case that proxy = NAT box is very rare and uncommon.
Re:Will sites really use this? (Score:2, Informative)
Re:Sounds like Microsoft all over (Score:3, Informative)
One of the goals of the WHATWG is to refine proposals through feedback and submit them to the W3C.
http://whatwg.org/specs/web-apps/current-work/#pi
Highlighting links that have a ping attribute (Score:5, Informative)
a[ping] {
color: green !important;
}
You could also do something like this:
a[ping] {
-moz-opacity: 0.5 !important;
}
a[ping]:hover {
-moz-opacity: 1 !important;
}
so that the links would be transparent until you hover over them
you might want to get off the web (Score:3, Informative)
The only thing use of this attribute would do is make transparent what has ALREADY been happening for years.
When I worked at a media company, we had a cluster of servers dedicated to link tracking. All links on the site would send you here, and it would send you a 302 to your destination. Try disabling redirects, and you will see the web stop working.
What's wrong with the idea of not hiding the tracking that is already happening?
As for stats, people want to know if you clicked on a linked image instead of linked text. They want to know what colors get clicked on more.
Did I mention many, many sites already do this?
The technology to do this is pervasive:
Perl CGI
http://www.google.com/search?q=perl+cgi+link+trac
PHP
http://www.google.com/search?q=php+link+tracking [google.com]
All kinds of stuff
http://www.google.com/search?q=%22link+tracking%2
Re:Consider what may happen (Score:3, Informative)
The BODY tag fails that test.
Re:Not very useful (Score:3, Informative)
Did you read that page you just linked to? If you keep reading further down, you'll find that this is not an exclusive list; you can put whatever you want in there. From the specification:
It's true that Google don't force you to use a profile, but there's nothing stopping you from using an appropriate profile [microformats.org] anyway. Google aren't doing anything that isn't explicitly permitted by the HTML 4.01 specification.
Re:Consider what may happen (Score:3, Informative)
Personally, I think that should be second.
The first thing they should consider is "where in the W3C specs is the behavior of this element specified"? If it ain't in any of 'em, it don't belong in the browser engine.
For every IMG tag or XmlHttpRequest a browser dev team has decided to extend the W3C specs with, there's been a dozen BLINK and MARQUEE tags.
Re:userContent.css to the rescue (Score:3, Informative)
a:hover[ping] { -moz-outline: 1px solid green !important; }
in order to keep the web site from overriding your setting.
User style sheets are always to supersede site style sheets, according to the CSS specification. The "!important" modifier shouldn't be necessary.
I don't know if Mozilla implements that aspect of CSS correctly though, so it couldn't hurt to put it in there anyway.
Re:Thanks! (Score:1, Informative)
Re:Deeper problem (Score:3, Informative)
IMHO this isn't a fault of WhatWG, but of the FF developers thinking they should run ahead and implement any draft before it has been considered carefully.
NoScript will take care of this baby ;) (Score:3, Informative)
Re:You can already do this with Javascript (Score:3, Informative)
Webmasters already have the ability to have a page load cause a HTTP request to some other server -- at minimum, they can just have a . This doesn't impact rendering time (as that single-pixel image does), and has the same effect -- plus you can turn it off, while you can't turn off all the single-pixel images without turning off other images as well.
It's a Good Thing, and I can't help but imagine that most of the people who are so severely against it are just doing so because that's what the almighty slashdot article inferred they should think. Baaaa!
Re:userContent.css to the rescue (Score:3, Informative)
This is not true, and isn't true in two different ways, depending on which specification you count as "the" CSS specification (there's more than one).
According to the CSS 1 specification [w3.org], the author stylesheet will override the user stylesheet in most cases, and even if the user has !important rules, the author stylesheet can override them with !important. Quote:
According to the CSS 2 specification [w3.org], the author stylesheet will override the user stylesheet in most cases, but the user can override author rules, even !important ones, by using !important themself. Quote:
CSS 2.1 and 3.0 drafts work in the same way as CSS 2, giving the author stylesheet precedence unless the user uses !important.
booch was correct in saying that !important is necessary in a user stylesheet if you want to be sure that the author stylesheets can't override them.
It can be disabled (Score:3, Informative)
2. As a guy with a website, I'm actually curious as to which links people click on to leave. Server logs will tell me which pages on my site are most popular and where visitors are coming from, but they won't tell me where they're going unless I go to the effort of creating a redirect script and linking through that -- and while I'm curious, I don't care enough to go to that effort. (Though advertisers and sites with marketroids do care, and have gone to the effort -- often sneakily.)
Re:Facts of the matter (Score:3, Informative)
You probably haven't heard of them before because this is the first WHATWG extension that's generated this level of controversy. (The most well-known one is probably <canvas>, which is already in Safari and Firefox and will also be in Opera 9.)
Windows users can wait for Konqueror. (Score:2, Informative)
The Konqueror codebase is far cleaner than that of Gecko and Firefox. Not only that, but QT may prove to be superior for writing efficient crossplatform applications.
Did you read the article yourself? (Score:3, Informative)
Out of interest, how did you implement the 'informed user' requirement? ("When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs.")
Posted by: Malcolm at January 17, 2006 12:14 PM
The UI component of this feature is currently unimplemented. We did not see that as a blocker to enabling this on the trunk (development) builds of Firefox. I hope to test out Ian's suggestion of adding the pings to the status bar shortly.
The feature is currently enabled by default in Firefox, but disabled for Thunderbird.
Posted by: Darin at January 17, 2006 12:33 PM
Re:Very useful (Score:3, Informative)
I haven't seen this extension, but I'm 100% sure that it can easily be fooled. It probably just detects the more common ways of doing a redirect.