Firefox 's Ping Attribute: Useful or Spyware? 575
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
Out of control (Score:2, Interesting)
Very useful (Score:5, Interesting)
Sure it can be abused -- I don't see why more of these abusive features can't be set up in a whitelist fashion. I'm already shocked that web browsers make it so difficult to white lists sites you feel are safe (or don't mind giving up some information to make your experience better).
That comes to the point of this post -- how about a standard "setup" logo/button committee that helps create a "setup" web profile that sites can use to give the users options on how they want to be configured? We've got some standard buttons already (RSS feed, etc), why not one that users could be familiar with so that they can white list or opt-in to certain additional "anti-privacy" features?
I know many websites (including a few of mine) could use more user information, and I don't see why we can't work to just setting a standard for how to do it.
Extension (Score:5, Interesting)
You can already do this with Javascript (Score:5, Interesting)
Are you also recommending that Firefox be distributed with Javascript disabled? Because this ping functionality is easy enough to implement in javascript. If ping is disabled by default, then nobody will have it enabled, which means that web developers will continue to do it the old fashioned way, and the ability to disable ping will be worthless.
Doug Moen.
Re:With or without your consent? (Score:5, Interesting)
No.
Can you not opt-out of it?
Disable the feature. Easy.
It's not spyware by your definition. It has the added benefit of giving the user some control instead of being secretly tracked by the server side.
Re:Consider what may happen (Score:3, Interesting)
Re:Out of control (Score:3, Interesting)
Create a link with an image to a story site. Embed that link with this. You could slashdot The big sites with this. Go Open Source innovation.
Don't worry yet (Score:5, Interesting)
We should try and do an experimental implementation of , to see if there are any unexpected real-world problems.
That's what nightlies are for! We now see that it's a controversial tag (and they're probably already well-aware), so they're giving it a shot. Would you rather them just say "no, we don't like that potential standard [whatwg.org], so we're not going to try implementing it"?Mmm, okay, is this bad? (Score:3, Interesting)
It could enable a user comments vs people who actuall RTFA statistic. Knowing slashdot it would crash on a divide by zero error offcourse.
But wait a minute, a infinite number of pings? So the story submitter himself can also add his pings? Knowing the quality of slashdot editors (HA!) any story submitter would know who read what links in his article. Do I want him to know?
Imagine that someone puts a goatse.cx link on a forum. You don't of course admit that you been tricked but the next post is a record of all the pings the link submitter received proving that all of slashdot wanks to the goatse man.
The abuse of this feature is clear and the benefits? If slashdot really cared to know wich external links are followed or not then that is their business isn't it?
Do I really want websites to know wich external links I follow? I think this is a solution looking for a problem and in the few cases where a website needs to know the users need for privacy is superior.
Bad mozilla. This is something I would have expected of MS or the old Netscape. Now go sit in a corner and don't come out until you stop adding crap features that tattle on me without informing me.
Re:You can already do this with Javascript (Score:4, Interesting)
I know that I HAVE JavaScript disabled (using the NoScript extension) for this and other reasons, and I don't want to have that functionality back whithout me noticing.
Hurga
Re:You can already do this with Javascript (Score:5, Interesting)
Possible fix (Score:5, Interesting)
Re:How is this different from (Score:1, Interesting)
From the WHATWG spec [whatwg.org]:
It's a literal replacement for the current habit of links passing through a traffic stats site before redirecting you to where you actually wanted to go. It won't waste any more bandwidth, since browsers - according to the spec - MUST ignore any entity that is returned. The only productive thing you can do is log the fact that the ping URL was visited, and drop a cookie on the client - just as with an HTTP redirect.
Re:This stinks, Why? (Score:3, Interesting)
Re:How is this different from (Score:5, Interesting)
It's different because web server logs only record what you ask that server for. Web server logs don't record what you ask other servers for.
This is essentially what the Referer header does, except in reverse. Instead of telling a new server where you have come from, it tells the old server where you are going.
This is already possible with Javascript, and it was possible with CSS too - I'm not sure if it still is, but the technique was basically to suggest a local background image to style :active links - so when the link becomes :active (when it gets clicked on), the browser downloads the background image and you know the link was clicked.
Not quite the same as Javascript (Score:3, Interesting)
Look at it this way: I'm lazy. I don't want to be a security/privacy Nazi about any/every script on webpages I view. However, if there's an "easy" way to block something I view as potentially abusive, this ping attribute could easily be disabled.
Which makes me think that if other users are lazy like me and just want to disable "ping", this feature would likely be dead-in-the-water, and designers who want to track users would continue to use Javascript.
Re:Don't like Firefox spyware? Use Konqueror (Score:2, Interesting)
Trust Firefox? (Score:2, Interesting)
It also appears to be impossible to install it without the "report to your master" feature (which is supposed to report crashes). It can be disabled (supposedly) later, but in the install you used to be able to uncheck it, now it's grayed out and gets installed by default every time.
Then there's the whole automatically prefetching links that you MAY click on in order to "speed up" the browsing. There's no way to tell if it's even doing this unless you are watching your network connection carefully, but it's ridiculous and it's hard to make it stop.
No application should be using the network connection without my explicit permission on each and every action. Typing a URL or clicking a link is permission, I'm TELLING it to go fetch that data. But doing crap in the background without asking me is just dishonest.
Revenge of the Web Sith? (Score:3, Interesting)
But it's a lousy scenario. There shouldn't *be* expensive, hidden redirects, and we're just encouraging what I consider (at best) stupid. even (worse) anti-social, possibly evil behavior.
I'm completely in favor of progress, but it seems the net is always taking at least one step back (in some cases a few dozen) for every step forward.
We should be encouraging content providers to produce clean web page sthat do what we expect them to do, simply, instead of to be ever more complex, sneaky, tricky marketing tools. or worse.
Thanks! (Score:2, Interesting)
it's all about Google adwords (Score:5, Interesting)
I think the main developer who would want to use it is Google with their adwords program. They're probably trying to minimize the bandwidth those redirects consume for all the clicking that happens on their ads. This is on top of the bandwidth of every page view requesting the ads to be embedded in the first place, which can't be avoided...
Even if Google can shave off 6% of unneccessary redirects (all Firefox users), that's a big bandwidth savings.
Seth
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:3, Interesting)
Once again, Firefox/Mozilla folks are showing their arrogance (anyone else remember "blink"?). When their marketshare was down, they would never have done such a thing; but now that their marketshare is noticeable, they are back to their old ways.
If Microsoft had done this, everyone would be up in arms about their "embrace and extend". Why isn't there a hue-and-cry about Firefox "extending" things unilaterally? Oh, I know why: because the almighty Google backs FF now.
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Interesting)
I don't want to get too heavy into tin-foilery over this. It would be difficult to support a claim that these pings and cookies are used for anything but the most innocuous of data mining and profiling pursuits. Here is where a natural danger sense comes into play, though: if people are being so careful not to draw attention to the extra activities of the software then just what are they hiding?
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Interesting)
The most obvious problem is that, unlike the old
XUL file browser, they don't use the current Firefox
theme. This makes them look completely out of place
on screen.
More importantly, the design of the new file browser
is fundamentally broken; it's been dumbed down to the
point of unusability. There's no obvious place to type
filenames rather than using the mouse, the display of
the directory tree is non-standard, clicking on
"Browse for other folders" in the save dialog triples
the size of the window and often moves the cancel/save
buttons off the bottom of the screen, etc.
The disaster that is the new GTK file browser is the
main reason that I'm still using GTK1 versions of
Mozilla etc.
Re:it's all about Google adwords (Score:4, Interesting)
Google gets paid for those clicks on their ads. They don't need to be altering my browser to help their business anyway. As bender would say, Google can bite my shiney metal 4$$. Hopefully distros will patch firefox, so their users won't need to fret about this. Just those windows users who get it straight from the firefox site.
I've been thinking it's time for a firefox fork that drops the MPL. The dual licensing is preventing integration of other GPLed work - like a built in PDF viewer so we can avoid Adobe. A GPL only fork would help prevent folks like Google from creating their own branded browser with stupid features no user would ever want.
Re:Don't like Firefox spyware? Use Konqueror (Score:5, Interesting)
Think of it this way - if you had a popup every time a local application wanted to communicate with the hard disk, how quickly would you become angry?
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:2, Interesting)
Nobody would ever go out of their way to enable it. I don't know of anyone ever requesting this "feature." And it's not in any HTML, XHTML, Javascript, or CSS standards. So why the hell did they add it? I would expect this from Microsoft, but I'm a little surprised that Firefox is doing it.
Re:You can already do this with Javascript (Score:2, Interesting)
Re:Don't like Firefox spyware? Use Konqueror (Score:2, Interesting)
Your point is valid that AJAX functionality poses many of the same issues as this Firefox "feature", but I politely refute your hypothetical example.
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Interesting)
Use your imagination and come up with something which doesn't involve HTTP and port 80. I know, it's tough because there's so little out there. Looking at the internet today one would think that HTTP and port 80 were the whole reason behind designing desktop computers.
And, again... what functionality does this new ping give to _ME_, the user who bought this hardware and is paying the electric bill to run this browser? If I were to talk with the author of the code for this little snippet what explanation would he be able to give to justify that _I_, the user, want this?
Re:Don't like Firefox spyware? Use Konqueror (Score:1, Interesting)
> AJAX is faster because there are fewer page loads.
>
You do know about browser cache, don't you?
For the page in itself, if most webpages weren't composed half of useless JavaScript (be it advertising or not), HTML tables used for design and deprecated tags/attributes, I guess we would not need to limit page loads.
>
> The ping will help reduce page loads as well. Only headers need be exchanged when you use the ping,
> instead of loading some shim graphic to handle hit tracking, which people will do with or without ping.
>
Better yet: do not track users and care for your content instead. Web server logs are way enough for the only legitimate purposes there are to keep stats: manage your server bandwidth and maybe check if what you are writing/serving, has been read/saw/heard by many or few. You should not care about anything else.
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Interesting)
The alternative is the same stuff happening on the client side, as it is right now, but through more user-hostile means. Think hidden frames and DIVs, transparent GIFs, JavaScript being used to make arbitrary requests, and all that junk.
ping gives a less user-hostile alternative to all of that miscellany -- and one that the users can actually easily turn off. It's a Good Thing. Embrace it.
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:3, Interesting)
Sure, but XMLHttpRequest is actually helpful and useful, as GMail shows. If XMLHttpRequest was turned off, most people would turn it on. I can't think of any use for this "pinging" other than to track internet usage. If it were turned off, I think most people would keep it that way.
My point is, the Firefox dev team is adding useless features that nobody really wants (except maybe DoubleClick), when there are other more important things they could be working on. How about passing the Acid2 test? Or how about optimizing the download size? Or decreasing start up times? None of these things are really important, but I think for most people they'd have higher priority than this "pinging."