Slashdot Mirror
Firefox 's Ping Attribute: Useful or Spyware?
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
This isn't a question, it's obviously a little of both. Sacrifice some information about the sites you visit to allow those who run the servers (anyone, really) some feedback and statistics.
It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.
Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled.
My work here is dung.
I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest. Because all of you know that it will be abused and that users will implement it wrong or find new uses for it that the developers didn't intend. Some of them may be good, some bad.
At least for childbirth. Bring in the machine that goes, PING!
If brevity is the soul of wit, then how does one explain Twitter?
One ping-disabling Firefox extension.
kind of abusive, no? I'm just imagining slashdotting more than one server... hum? another issue is the pre fetch directive on firefox... i'm starting to think my bandwidth is out of my control..
This feature is extremely useful for any website that wants to give their users better content by parsing what they're going through. It also lets you figure out who is clicking advertisements (which are usually off site) and even gives you the ability to run a multitude of websites but aggregate all the statistics on one of your machines.
Sure it can be abused -- I don't see why more of these abusive features can't be set up in a whitelist fashion. I'm already shocked that web browsers make it so difficult to white lists sites you feel are safe (or don't mind giving up some information to make your experience better).
That comes to the point of this post -- how about a standard "setup" logo/button committee that helps create a "setup" web profile that sites can use to give the users options on how they want to be configured? We've got some standard buttons already (RSS feed, etc), why not one that users could be familiar with so that they can white list or opt-in to certain additional "anti-privacy" features?
I know many websites (including a few of mine) could use more user information, and I don't see why we can't work to just setting a standard for how to do it.
Does this feature track and retain your surfing habits without your consent? Can you not opt-out of it?
If the answers are yes, I would say it is Spyware.
He who knows best knows how little he knows. - Thomas Jefferson
This is firefox we're talking about. There will be an extension available within the first day to strip out those attributes. Or even more likely a built-in option to not acknowledge them.
Honestly, this comes down to an almost Richard Stallman definition of Freedom. We can not have useful utilities such as this, without ignoring the privacy rights issues involved. And now before you question me, remember Stallman is mainly concerned with Freedom, not privacy. The two do happen to overlap, of course, but there's no reason to insult the man for caring, and for being aware of the issues. That's why most of us are here talking about it. Also, what Stallman seems "paranoid" about generally turns out to be the reality of the situation just a few years down the line. The man is a visionary, not a quack. The success of the Free Software movement, Open Source, and Linux, and the attempted corporate dominance of Internet Explorer, Microsoft, and others are all here as evidence of Stallman's deep understanding. Probably best not to deride the guy who's kept your online world sane, huh? ;)
Setting that aside and addressing the article itself, I would point out that privacy is always a trade-off with ease of use. Regardless of what the ideal level of privacy is, we do need good privacy, which few of us have achieved. Real security and privacy is hard, and you're far more likely to run into usability issues before you run into overkill issues.
So, I think it basically boils down to this: privacy vs. usability
Well, Slashdot is going down hill. PlayfullyClever
How is this different from the web server logging every page and image you load?
Is the concern that the 'ping' comes from your browser and not any proxy server you may be using? In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....
Of course this should be disabled by default, I just don't see this as a huge privacy issue.
v2sw7CUPhw5ln6pr5Pck4ma7u7LFw0m6g/l7Di5e6t5Ab6TH.
Websites can do all that stuff with a redirect script on the server side and the user has no control or knowledge of who is being notified. If site developers start using the ping tag instead we can selectively disable it with an extension. It gives the user control where before there was none.
Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=31936 8
Remember when it was first announced that Google and the Mozilla Foundation would be working together? I bet this "feature" has come from that joint work effort. What a great way to increase advertising data!
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
as i read the summary i became overcome with fear when the updates are available dialogue popped up at the bottom of my screen. coincidence....?
The only way to get rid of a temptation is to yield to it.
-Oscar Wilde
This will make it easier for Ramius to declare his intention is to defect.
Are you also recommending that Firefox be distributed with Javascript disabled? Because this ping functionality is easy enough to implement in javascript. If ping is disabled by default, then nobody will have it enabled, which means that web developers will continue to do it the old fashioned way, and the ability to disable ping will be worthless.
Doug Moen.
I have written a truly remarkable program which this sig is too small to contain.
I've used redirects a lot and if properly set up, the transfer time between the redirect and the page the user wants is minimal. If you want a redirect to a lot of complicated things or collect a lot of data, of course it's going to be slow. The idea is to keep it simple. As long as this is something I'm not forced to use, I'm fine with it, though I can see the bitching down the road when someone finds a novel way to abuse it.
GetOuttaMySpace - The Anti-Social Network
compared to before? It's not as if this functionality isn't already employed through other ways (javascript or redirects on the serverside). Now, it's just a little bit easier.
Of course you can disable javascript, but most people don't. People who do so, can also turn off this ping functionality. I'm sure an extension will allow to do this the easy way (NoScript notably).
the pun is mightier than the sword
At least if I'm not telling you to do so ;)
The default for this option must be OFF in any case. Is the firefox team really prepared to be associated with the same business practices Microsoft and -the new kid on the bloack- Apple is showing?`
A lot of websites use redirect pages to get this exact same information, and off the top of my head I imagine it is pretty simple to notify multiple urls of where you are going using some tricky javascript and even cookies and referrers can be used across sites to track visitors. This is just making a very common, and needlessly complex, mechanism infinitely simpler for the web developer.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
I doubt it's usefulness outweighs the huge downside to basicly allow any 6-yr old to track your every move. Just my .02 // And you people say IE has security problems... /// Waits for flame to start
So, I don't mean to go all "Senstionalist Title" on your ass, but the post links to a mozilla blog explaining how they've added this feature to the TRUNK. Announcing a new feature in a blog is not quite a press release, but it's a hell of lot more forthcoming that what "quietly added" implies. Also, it's been added to the Trunk, so it's not likely to actually show up in any Mozilla build for a while, much longer, if ever, in a release. This is really the way to add something like this. Put it in to see where and how it will be used and whether that's good or bad.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
1) Don't use firefox
2) Write an extension. Similar to the one that lets you know if the target is a PDF file or opens a new window or whatever...
One badly formed loop and a page request with pings could mean one hell of a DoS attack.
Wikileaks, no DNS
Isn't this just like Microsoft back in the days. Making their browser compliant to their own 'standard' HTML specification in stead of the W3C specification?
It's smelly if you ask me. If you have this marvelous new innovation for HTML, why not propose a new specification at W3C?
Good grief, that's the first thing I thought of when I read this article. I guess I've been reading Slashdot for too long.
.. but this is one of the cases where the Open Source model works well. Any truly paranoid geek out there can pull down the source tree and watch all of the changes to any of the crap the FF developers decide to throw in. They can then apply their own patches-of-paranoia and remove untrusted suspect code, build it and run it behind however many firewalls and proxies they have set up.
1. Javascript does it already
... if Microsoft said that /. would be up in arms)
2. Now you alienate any user using another browser
3. Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules"
I'm going to implement this on some pages. It would be dead interesting just to see who's got this enabled...
My first thought was "How can you track clicks with a ping?". After RTFA, it's not literally a ping to some server, it's a request to a URI, most probably an HTTP request that will contain request parameters indicating what link was clicked.
Second of all, this is not any more of a privacy intrusion than previously existed. It was always possible to track clicks within a single website via cookies, and clicks on external links (i.e. banner ads) by using a redirect first. If the author of the website wants to track what you're doing, he's already got the means, and he's had them for years.
There are 2 kinds of people in this world. Those that can keep their train of thought,
ummmmm, since it's open source, can't you just take that part out and recompile it? granted you have the expertise, anyway....
We should try and do an experimental implementation of , to see if there are any unexpected real-world problems.
That's what nightlies are for! We now see that it's a controversial tag (and they're probably already well-aware), so they're giving it a shot. Would you rather them just say "no, we don't like that potential standard, so we're not going to try implementing it"?Firefox? Spyware? If it'd be true, it'd show that even open source can be pleagued with spyware and privacy concern.
I hope this is not a true story.
It could enable a user comments vs people who actuall RTFA statistic. Knowing slashdot it would crash on a divide by zero error offcourse.
But wait a minute, a infinite number of pings? So the story submitter himself can also add his pings? Knowing the quality of slashdot editors (HA!) any story submitter would know who read what links in his article. Do I want him to know?
Imagine that someone puts a goatse.cx link on a forum. You don't of course admit that you been tricked but the next post is a record of all the pings the link submitter received proving that all of slashdot wanks to the goatse man.
The abuse of this feature is clear and the benefits? If slashdot really cared to know wich external links are followed or not then that is their business isn't it?
Do I really want websites to know wich external links I follow? I think this is a solution looking for a problem and in the few cases where a website needs to know the users need for privacy is superior.
Bad mozilla. This is something I would have expected of MS or the old Netscape. Now go sit in a corner and don't come out until you stop adding crap features that tattle on me without informing me.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
If this can't be disabled (in preferences, about:config, or easily in the source, or via some extension/Greasemonkey script) then I'm sticking with the current 1.5 build, or possibly off to Opera or Epiphany.
Jesus if this was put into MSIE then people would be writing to their MP/senator by now!
I cannot think of any good use for this.
People who run servers do not need that specific kind of stats, their server logs should be good enough. Only marketing (aka spyware) types would want this kind of info.
#include <sig.h>
This single attribute will notify "a list of servers to notify when you click on a link".
Is this the one rule to ping them all?
We pray for the end of ignorance and superstition
One, this is in the trunk builds - NOT the released versions.
From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."
I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.
But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.
On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.
But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.
Solution: In my mind, the big(and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"
Just me $0.02
I said no... but I missed and it came out yes.
This article will probably illuminate some of the hypocrisy we see daily on Slashdot (and of course this will get suppressed by the censors).
When Microsoft adds a "feature" it is termed "proprietary", "violating".
When those features are privacy or security risks, the abuse is not fit to display where young eyes may see it.
When a favored non-Microsoft projecr adds a "feature" it is praised as
"innovation".
When those features are privacy or security risks, we see "you can always change it yourself, it's open source".
Come on. Who asked for this 'feature'? I don't see the purpose of it. THe article states that is is for "enable link tracking mechanisms commonly employed on the web". That sounds to me that a marketing lobbying firm has leverage its influence somewho.
It will be abused really soon in my opinion. Right now the site you're browsing can track you. Tomorrow, your clicks will be broadcasted (clickcasted) to all ads firms live. Gr8t!
Assuming that IE implements the same feature, will sites use this? If clients can turn it off, I suspect that web sites won't trust it. This is something that is most accurately done on the server, and I think that's where it will stay.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
The whatwg page says that "When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs."
To me this means that the status bar or some other indicator should show the fact of the ping when you hover over the link. Does Forefox do this? I'm not running a "trunk" build.
Can we please, please, keep politics out of this? I would rather discuss the FF issue, than listen to a flame war about politics.
It would be just as easy to defeat this technology (if you did not want it), by using it against itself.
Any developer with a small amount of time on their hands can easily develop a firefox extension or greasemonkey script that will take all of the ping tags out of the page that is rendered to the user.
"Problem" solved.
If you don't like Firefox's attempt to give away your privacy, there is a perfectly good FOSS browser you can use:
Konqueror
In some instances, it may render web pages even better than Firefox, since Konqueror passed the Acid2 test.
Why not limit the ping to the server that made the current page? This should prevent people from embedding pings into blogs, and still allow the replacement of redirects for tracking where you go. I would think unless this is done, too many people will disable it for any real sites to use it, and it will *only* be used for nefarious purposes.
When you contact a server, it can do whatever it wants with the details of the transaction, including sending information about it to any number of 3rd party servers. All this ping tag does is offload some of that to the client. I could see how this could be used to set up a DDOS, but implying that it's a privacy risk sounds like BS/FUD to me. Kind of like cookies: They don't track anything that the server couldn't track server side if it wanted to, in which case you wouldn't be able to erase the records, which puts cookies one up imo.
Just add that code to the default and I'd consider the issue resolved.
Unless the web designer can override the setting...
"Live Free or Die." Don't like it? Then keep out of the USA
Until somebody writes a plugin to Mozilla to disable this "feature"?
No! Not the Pages Who Say 'Ping!'
The same!
...
Ping! Ping! Ping! Ping! Ping!
Ow! Ow! Ow! Oww!
We shall say 'ping' again to you if you do not appease us.
Well, what is it you want?
We want... a shrubbery!
http://outcampaign.org/
Get a grip, people; are you going to loby to have HTTP REFERER [sic] removed from the HTTP spec?
I find this so odd. What is wrong if I want to see how many people click a link on my website? I can think of a lot of none evil uses for it. Think of it like P2P why should you eliminate a perfectly useful technology just because it can be abused?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
There will probably be a shit-storm over this. It sounds usful, though. Too bad it will be abused.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Sure, the basic functionality can be duplicated with javascript. However, tying this behavior explicitly to a "ping" attribute makes it much easier to identify and block/disable the behavior. If someone doesn't want to mess around with a NoScript extension, script whitelists, etc... then this makes life easier.
Look at it this way: I'm lazy. I don't want to be a security/privacy Nazi about any/every script on webpages I view. However, if there's an "easy" way to block something I view as potentially abusive, this ping attribute could easily be disabled.
Which makes me think that if other users are lazy like me and just want to disable "ping", this feature would likely be dead-in-the-water, and designers who want to track users would continue to use Javascript.
I only post comments when someone on the internet is wrong.
Yes, it's possible to do everything the ping tag does by using javascript or redirects. Let sites that want to engage in such practices pay the penalty. Display of such sites should be slower.
The benefits to the site developers who want to track clicks are clear, the benefits to the person looking at the page is less so.
No, it's not really that simple. This is much like the difference between first-party cookies and third-party cookies. In fact, I'd be happy if they decided to limit them at that level of granularity. I honestly wouldn't mind first-party pings. This provides--as you correctly note--nothing more than they can already collect now. It does, however, significantly enhance the developers' ability to directly collect stateful click-through information.
On the other hand, I'd say third-party pings are no less (and no more) evil than third-party cookies in terms of privacy. It seems to be a fairly common practice to disable third-party cookies while leaving first-party cookies enabled. I would certainly like the option to specify my preferences at that level.
So now a website might know if I visted another website sometime wow gee this is evil. It's like that time I bought a bag of cheetos and used a savings card and now there's some supermarket database that has a record of me buying cheetos oh god what will i ever do.
Good day, sir!
Do the Firefox developers really think, that web designers develop sophisticated CSS layouts, test them on all kind of browsers, come up with ingenious hacks to make them work even on IE, just to have a standards compliant and validating HTML site, and then use this ping attribute to destroy all this work?
And I thought Firefox was pushing standards compliance. It seems that as soon as they gain serious market share, developers think they can "improve" things on their own, and repeat the mistakes of Netscape Navigator and MSIE by "enhancing" HTML with their own badly designed elements and attributes.
But we already know that hubris is one of the chief virtues of a programmer.
The ping attribute allows Web pages to track which off-site links are most popular, as well as allowing advertisers to track click-through rates without obscuring the final target URI. It is possible to track users without this feature, but authors are encouraged to use the ping attribute so that the user agent can improve the user experience.
Encouraging good behaviour is great, but it doesn't fix the problem of bad guys obscuring the target URI. It will be up to the content publishers of the world to create ad policy that discourage bad behaviour...but that means they may have to turn away a few dollars here and there to be taken seriously and keep users safe.
If this were IE doing this, we'd be up in arms. But instead, it's Firefox and people are bending over backwards to justify and condone this.
Personally, I don't trust Firefox anymore. No matter how many times I disable "check for updates" it keeps checking for updates. No matter how many times I tell it to stop checking automatically for updates or upgrades for my extensions, it refuses to stop. Yes, I have used the preferences. I have tried manually setting them with about:config. Nothing will make it stop checking. This has been happening since the 1.5 beta and is persistent in 1.5 final.
It also appears to be impossible to install it without the "report to your master" feature (which is supposed to report crashes). It can be disabled (supposedly) later, but in the install you used to be able to uncheck it, now it's grayed out and gets installed by default every time.
Then there's the whole automatically prefetching links that you MAY click on in order to "speed up" the browsing. There's no way to tell if it's even doing this unless you are watching your network connection carefully, but it's ridiculous and it's hard to make it stop.
No application should be using the network connection without my explicit permission on each and every action. Typing a URL or clicking a link is permission, I'm TELLING it to go fetch that data. But doing crap in the background without asking me is just dishonest.
From the article:
"Websites even employ "onmousedown" event handlers that change the href attribute at the very last second before a click occurs. This makes it so that hovering over the link displays the location that you want to go to, but it still ends up taking you someplace else."
Gee, thanks for handing the spyware creators, spammers, and phishers even MORE ammunition. Let's trick the user into thinking he's clicking on one thing, and at the last minute send data to another URL. YES! Let's make it MORE difficult for users to trust their online banking applications (etc.)!!!
Comment removed based on user account deletion
I see it mentioned in a working group, but I see no confirmation this is part of any final adopted spec.
That's my only concern... that Mozilla is once again off on a path of implementing stuff before the spec is adopted, and we're going to have "Best if using Mozilla" icons showing up on websites.
A request for what? Just a simple GET request? Would it just be http://foo.com/ping_tracker.html?%5Bclicked_ur%5D
Software Wars
Comment removed based on user account deletion
I am sick and tired of waiting for a single webpage to resolve and load/submit content to/from different domains. If I visit a slashdot.org webpage, I do not want my browser to load banner adds from remote advertisers or send cookies/pings to them. I have no problem with slashdot and other websites deploying their own banner ads, as long as there come from the same servers as the webpages. There is nothing wrong with websites can submiting their server logs to advertisers, as proof of traffic revenue.
Google proved that local (non-remote) text banner ads can be profitable.
A domain lockdown security feature would insure that all content (images, cookies, pings, plugins, javascript, java, etc.) on a webpage could only access the same server that webpage is hosted on. It would help with privacy concerns, reduce bandwidth, and speed-up web browsing.
Network admins may have already blocked it. All pings to the outside world get blocked from my network at uni. I can't see web administrators wanting to rely on this for their stats.
I worked out a way to do this recently using Javascript, without changing the href attribute or adding any other attributes to the link. All that is needed is to add two Javascript references in the page head.
The script adds a click event handler to each link found on the page. When the link is clicked, an AJAX-style request is sent to the server, with the URL and link text. Meanwhile the user goes on to the link destination. You can also limit the event handlers to a particular HTML element by class or ID attribute.
Yes, it could be used for nefarious purposes... but from a site administration standpoint, it is useful to see which links are being clicked. It goes beyond just server logs... you can see which areas of your page are most visible or draw the user's attention, for instance.
I posted some of my code for this last month. (This is a link to my site, which has no commercial purpose and does not employ tracking of any kind, including the technique described above.)
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
If you don't like the ping attribute, look through the code and disable it in your copy.
I guess it is time to dump Firefox.
Hello Opera?
Can't use IE because of all the exploits - even when fully patched.
I agree that would be the reason to enable it.
But it's a lousy scenario. There shouldn't *be* expensive, hidden redirects, and we're just encouraging what I consider (at best) stupid. even (worse) anti-social, possibly evil behavior.
I'm completely in favor of progress, but it seems the net is always taking at least one step back (in some cases a few dozen) for every step forward.
We should be encouraging content providers to produce clean web page sthat do what we expect them to do, simply, instead of to be ever more complex, sneaky, tricky marketing tools. or worse.
I never realized before why URLs wouldn't show up in the status bar on fark. After reading your comment, though, I allowed javascript to change the status bar and the issue was fixed. I think in the case of fark they aren't trying to be sneaky so much as user-friendly. The redirect URLs are unreadable because of the URL-encoding of the link destination. I don't particularly care that fark knows when I click an external link from their site, but I do enjoy the ability to see a readable URL by hovering over links with the mouse.
Take a look at the HTML source on Fark -- you'll see javascript to overwrite the status line so it doesn't show it's tracking you...
Everybody's here - Google - used to do this as well.
Why would a web developer use the ping attribute now?
I think the main developer who would want to use it is Google with their adwords program. They're probably trying to minimize the bandwidth those redirects consume for all the clicking that happens on their ads. This is on top of the bandwidth of every page view requesting the ads to be embedded in the first place, which can't be avoided...
Even if Google can shave off 6% of unneccessary redirects (all Firefox users), that's a big bandwidth savings.
Seth
$5 / month hosted VPS on linux = awesome!
So you are either only surfing websites made by 6 year olds or sites that want to send tracking information to sites run by 6 year old.
(As many other posts have already stated) Most commercial sites you visit are already doing a variation of this. They either contian tracking information as query string parameters, or in the URL and redirect (302) you to your final page. In the case of a redirect, your browser sends two http requests before getting you to your destination.
In the current state of affairs, you have to wait for this processing to happen before getting to your final destination. Adding the attribute will allow it to happen asynchronously and get you to your final destination quicker.
Other differences of using this vs. the current state of affairs:
-You can turn it off
-You can know that a link has tracking
Link tracking is happening now, and has been happening for a long time.
What's wrong with making the process transparent and provinding a better user experience in the process?
As for security, this is a privacy issue, not a security issue. Currently you have no control of the privacy of your link clicking. This could actually give you some control, if used.
Microsoft should implement it as well.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Hi! Firefox Rocks and everybody's know that! If they decide to implement this feature, I trust them because they code excellent products. Anyway even if they are some spam, it will be a millions times better that Internet Explorer that is a really crap product. Even if Firefox corrupt my entire hard disk, I will choose this one because I hate the microsoft products that are too expensive for the poor quality that it represents! Trust Firefox, they know waht they does and more than we thought!!! Thanks, Sebastinator! Thank you for visiting my web site and posting your comments on the forum!
Thanks for visiting my Web site! Post your comments on my forum!
These two have equivalent functionality:
" >...</a>
<a href="http://example.com/redirect?http://foo.com/
and
<a ping="http://example.com/ping?http://foo.com/" href="http://foo.com/">...</a>
The former is in wide use everywhere on the web. Both report the EXACT same data about the user to the server. The difference is that the latter is faster for the end user. Both can be blocked by Firefox prefs or extensions.
This is universally a good thing!
or if you're using a nightly trunk, file a bug report on that...
From a site design perspective it shouldn't be hard to do both. When the user first hits the site then give them a javascript link tracker as well as the ping one, then once you receive a ping from them then you can disable the javascript for the rest of their session and keep the experience snappy.
Notifying/blocking redirects and disabling pings are both worthwhile for many (possibly most) of us! This pinging might even work in the favour of ping-blockers, as it's easy to block unredirected traffic. Maybe unpinged traffic will also be blocked.
Personally, I liked toad3k's idea.
Wikileaks, no DNS
Is this a surprising development? With Google employing so many of the key Firefox developers, and the Firefox 2 plans having to get Google exec's approval, it was obvious that features that serve their interest would get priority.
While I agree that the Mozilla Foundation folks can be employed wherever they want to, it's still disconcerting that one company now has so much control on the direction of the project.
Mind you, no different from when AOL owned the project - but at least they were only influencing the bookmark list...
Anyone else care to remember the <BLINK> fiasco?
It is obvious that a "middleman" like Google is the one who will benefit the most from this. But one has to wonder: how much influence does Google have on Firefox development these days? And has Firefox become the de-facto "Google browser", catering to Google's needs only?
If you add this to your userContent.css, links that have a ping attribute will be green:
a[ping] {
color: green !important;
}
You could also do something like this:
a[ping] {
-moz-opacity: 0.5 !important;
}
a[ping]:hover {
-moz-opacity: 1 !important;
}
so that the links would be transparent until you hover over them
My server
OK, I've been avoiding it, but I think the time has come to do as some friends have, and run privoxy (www.privoxy.org).
The real questionhere is - how can we disable this "feature" if we don't want all that it offers?
that's how I see it anyway . . .
This is already happening. Most comercial sites ALREADY track all of the link clicks on their sites. The majority of them use 302 redirects so, you can't turn them off.
k ing2 +service
The only thing use of this attribute would do is make transparent what has ALREADY been happening for years.
When I worked at a media company, we had a cluster of servers dedicated to link tracking. All links on the site would send you here, and it would send you a 302 to your destination. Try disabling redirects, and you will see the web stop working.
Whats wrong with the idea of not hiding the tracking that is already happening?
As for stats, people want to know is you clicked on a linked image instead of linked text. They want to know what colors get clicked on more.
Did I mention many, many sites already do this?
the technology to do is is pervasive:
Perl CGI
http://www.google.com/search?q=perl+cgi+link+trac
PHP
http://www.google.com/search?q=php+link+tracking
All kinds of stuff
http://www.google.com/search?q=%22link+tracking%2
----- If communism is a system where the government owns business, what do you call a system where business owns govern
myself I'd add a bit of extra script to make sure that the ping came back first but still not much harder
<script language="javascript">
function ping(urls) {
var html_doc = document.getElementsByTagName('head').item(0);
var js;
var u;
for (u in urls) {
js = document.createElement('script');
js.setAttribute('language', 'javascript');
js.setAttribute('type', 'text/javascript');
js.setAttribute('src', urls[u] + '?userinfo=DrSkwid&sid=174300');
html_doc.appendChild(js);
}
return true;
}
</script>
<a href="http://offsite/link.html" onlclick="return ping(['http://slashdot.org/logping.pl', 'http://digg.com/logping.php']);">visit offsite link</a>
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
There is no ping tag.
FTA, it is an attribute to the anchor "a" tag. Globally removing attribute values is trivially easy to do in javascript.
Curiously, I don't see anyone trying to figure out how to defeat the redirect link tracking that happens today in every browser.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
My question is where did this idea come from? Is it in an HTML standard somewhere? If not, they shouldn't have bothered putting it in IMHO. How can I tell my friends that Firefox aims to be more standards compliant if the Mozilla team is putting in proprietary HTML features?
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
We use Websidestory's HBX product where I work. It's quite nice from a marketing standpoint. Technically, it's just javascript and cookies. Sure -- it doesn't work for people who turn off cookies or JavaScript, but those people are rarer than you think. One plus is it doesn't impact the click stream. An other upside to the HBX method is you get less false positives from robots and other machine visitors.
We also use redirects (CGIs,various J2EE dealies) -- that method is very labor intensive and it trashes SEO. It destroys SEO. And you have to dedicate many hours to weeding out the "clicks" from robots and machines.
This ping method might be used if IE adopted it, but it sounds like a pain in the neck -- we'd have to build a new app and tool for marketing to monitor the clicks.
Ok, everyone change your links to ping="http://www.microsoft.com". How long will they keep up with this additional traffic? How long will it take for microsoft to sue somebody? Not long.
Since web developers already have a way to do it, but using PING would provide a better experience... I would think they would detect the MOZILLA browser (or support of PING) and then use PING if they can, otherwise enable the javascript or otherwise redirecting soltion.
Then users who are smart enough to use PING will get the better experience while being tracked just the same on the redirecting sites. (Everyones being tracked regardless.)
Although what I don't understand, is why the heck don't providers that want to "track" you just look at log files? - it's all there.
So everyone wins. Website operators have a nifty new feature, users have more options for protecting their privacy. Where's the problem?
My bicyles
Do not confuse this feature with spyware. Tracking cookies have always been used by advertising companies, yet they can be disabled. But I'd rather stick with tracking cookies than having to navigate through sites with embedded flash because the sponsors require them to. This "cookies = spyware" is just paranoia to me.
Anyway, if a website gives you a "ping" attribute, what prevents the same site from obfuscating the link and doing some redirections? It's EXACTLY THE SAME! If there can be any abuse, it's because the attribute is provided BY THE WEBSITE'S CONTENT. And who controls the website content?
One major abuse I could see are phishing sites, but if you already entered a phishing site it's your own fault, and I *REALLY* doubt a bank site would add ping attributes to their website.
In comparison, SPYWARE steals resources, bandwith, CPU and Memory, and makes your system unstable, stealing also YOUR VALUABLE TIME.
So, no, the ping attribute is NOT SPYWARE. I think the article submitter was too sensationalist by putting this in the headline.
There are two things that are clear if you bother to read the article. (Of course, this is /. so I'm sure no one has read the article.) One, the loss of privacy that everyone is concerned about with regards to this feature is already occuring through the use of redirects. Two, if web users actually care about getting to a links destination quicker, rather than waiting until they bounce through all the redirects, the developers can't allow users to turn the ping attribute off. Otherwise, no one would ever turn it on and website developers would never transition from using redirects to the ping attribute.
As with most things, the devil is in the details and the developers need to make sure that users are made aware of all the URL's that are being pinged. Maybe add a drop down box in the status bar, like the one used to list a page's RSS feeds, that lists the full URL for all pings. It's only right that web users have the ability to be aware of the places their pinging.
The real question is whether the ping attribute might lead to a growth in the number of connections each link makes. Because of the time redirects take, web developers are somehwat aware that they have to keep the path relatively lean. Using the ping attribute removes the delay from the web users experience so website developers might be inclined to try to sneak ever increasing numbers of sites to be pinged into a URL. In the worst case scenario, I wonder if this could be used to create some kind of a DDOS attack.
Our web/internet technologies seem to spawn problems for each solution coded. For example, a regular TCP/IP ping could be used in a ping of death attack. I undertand this reference ping might cut down bandwith for doing referrals. What stops web sites from using this method to greatly expand the number or referrals? Or make all the referrals to the same site? Could we see future attacks/harrassment of sites by creating a page full of this referrals and that page getting posted on a very popular site, such as slasdot?
> You would think so. Starting with cookies, though, there's
> always been a major component of web design and development
> which hinges on deliberately obfuscating important events
> from the user.
Still using cookies as an example, progress has been towards better "cookie privacy". Items like blocking 3rd party cookies by default, a clear "clear all information" button, limits which override cookie expiries, etc. all give the user more control over his/her privacy.
To add this "ping" feature w/o also providing control over its use to users is rather surprising since, otherwise, Firefox has been moving in the right direction.
This is not just surprising, but incredibly disappointing.
Say this becomes commonplace in all browsers so that its an issue, many sites use javascript or images to do similar things in order to generate better web stats. Unless you turn off javascript and images, or edit the site's code you already have this sort of thing going on.
This method is more upfront, and will allow stats to be done without javascript---and it will make it easier for an extension to track and disable it. Right now, its nearly impossible to block them from doing it short of turning off javascript and images.
Democracy Now! - uncensored, anti-establishment news
Why should anyone blame Firefox? They simply created a fully compatible browser. The blame should be on the sites that use this tag for bad reasons. This tag used properly could be used within companies to make more usable sites among other personalized things. It all comes down to how it is implemented.
Saying that you'd stop using Firefox if this is deployed is like saying you'd stop going to Wal-Mart if they have cameras watching you ... but wait ... they do. Face it. You're on the web. You're being tracked. OMG! Slashdot is tracking me now!!1!!1
... as a tool to improve user experience, this is a GREAT idea. decouple the link tracking from the target page loading. however, until it's adopted in a standard way by all browsers, it's useless. this can already be done in numerous ways thru javascript, proxy pages, inventive link creation, mod-rewrite ... there are as many ways to track user clicks as there are competent developers.
but seriously
sure, make it disableable. additionally, make it configurable to set the maximum number of PINGs per click. and lastly, limit the URLs to the originating site only.
"Glory is fleeting, but obscurity is forever." - Napoleon Bonaparte
After reading the included link *and* reading the comments of the implementors they don't get it. They don't want to disable it by default or Just No Do It.
They don't want to inform the user of it. They don't care if it violates security concerns or privacy concerns. And they come across a condesending and holier than thou.
I will no longer support that or any future version of Firefox unless this is removed completely and a privacy statement is issued where they pledge to protect the users security and privacy. I will not allow my systems to be upgraded and will not recommend my company consider it. I will actively work against them.
The firefox crew are more vile than M$ for you've violated my trust.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
I'm no expert, but don't routers already do this? I figure there must be a reason that there are occasionally multiple IP addresses for a single DNS entry.
user@host ~ $ host www.microsoft.com
www.microsoft.com is an alias for toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net is an alias for g.www.ms.akadns.net.
g.www.ms.akadns.net is an alias for lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net has address 207.46.225.60
lb1.www.ms.akadns.net has address 207.46.18.30
lb1.www.ms.akadns.net has address 207.46.19.60
lb1.www.ms.akadns.net has address 207.46.20.30
lb1.www.ms.akadns.net has address 207.46.20.60
lb1.www.ms.akadns.net has address 207.46.198.30
lb1.www.ms.akadns.net has address 207.46.198.60
lb1.www.ms.akadns.net has address 207.46.199.30
user@host ~ $
My lame blog.
I'm already testing and I'm about to release a NoScript version (1.1.3.6) which neutralizes this lovely ping attribute on untrusted sites, and offers also an user-accessible option, not implemented by Firefox (yet?), to disable it globally. I hope this will calm down the tinfoil hats ;)
There's a browser safer than Firefox, it is Firefox, with NoScript
Think this through. No site is going to totally drop outbound click tracking via the old redirect-chaining in favor of this.
It only works in firefox, and only when turned on.
If I were to support it, as a developer, I would set up a 'ping sniffer' on the home page, with a 'ping' attribute to all links. It would track to a page on the site who's only purpose is to add a 'visitorSupportsPing' attribute to the visitor's session cookie. Note that this is only done on the home page, and only when the attribute does not already exist.
From then on, I can dynamically emit either redirect-chained links, or ping-tracked links based on what the client supports.
From that point on, EVERY visitor will still be tracked, it's just their choice to enable ping-tracking and save themselves the redirect. If cookies are disabled, they just get the old redirect-chained method.
One last note. No high-volume site is going to bother to do this, unless it's with a high-performance isapi/nsapi/httphandler filter. The performance hit otherwise would just be too high.
Adding a ping attribute to links isn't anything resembling spyware, and it doesn't, as a lot of people seem to think, make the web a worse place to be. It adds a polite way for websites to ask for click information. They don't intrude any more than redirects do, but instead of seeing:
e xample.com/nextpage
http://www.example.com/tracker.cgi?go=http://www.
or the more obnoxious:
http://www.example.com/go?id=fluffernutter
in the status bar, users will see:
http://www.example.com/nextpage
and in addition, they will have the ability to easily turn off the pinging. There are javascript bookmarklets that get around the first style, but nothing that gets around the second style. The third style will make it a browser preference. Anyone who thinks that most users spend a whole lot of time thinking about the urls of links that they are clicking on probably isn't thinking right.
max
Nerd rage is the funniest rage.
The Firefox 'ping feature' is a good example of why we need a choice of more than one browser to use. The ping tracking is great for website owners but not great for the unwashed masses of users who might not want to wear radio tracking collars and have RFIDs implanted in their left cheek. If there is only one viable choice in web browsers, that browser will be under enormous pressure and temptation to implement features of dubious value to users. With a choice of two or more, users can amble over and give the competition a shot when their primary browser does something user-unfriendly. Even better would be wide support for open standards and a choice of 3, 4, or 5 browsers that all support the standards. Hey, what's wrong with dreaming?
I can just imagine creating ping links to thousands of non existant sites in order to dos the client, who clicked on a link and activated a completely unuseful feature provided by default by IE^H^H Firefox
Couldn't a crafty webmaster load up a javascript on an adwords page to add all the adwords links as ping fields to all the links on the page via the DOM? Then all the links on the page would generate adwords clicks right?
Does this protocol check for duplicate links in the ping? What happens if I put like 10 or 100 of the same link in the ping. With a popular enough website I could innundate other websites with garbage ping requests.
---k--
</stupid>
One of the big lessons we learned from REFERER and Cookies is that it's easy to think about the privacy implications of a feature in isolation, but when you combine it with other features it's a lot more complex - e.g. DoubleClick works because you can combine the two features, so even though Website A's cookies don't get shared with Website B, DoubleClick can track cookies across sessions and use REFERER to track the sites that include its ad banners.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Now I can set up a website so that it has 100's of one pixel images. I line of code will have Firefox reload the page after a certain interval of time. Since the page is most likely cached, files will not be loaded from my website while Firefox may very well dutifully ping the site of my choosing. I am an open source fan of the biggest sort, however I am not too fond of Forefox 1.5 and above. Firefox is becoming more and more like its rival. :-(
:-)
But hey, at least I can change it to do what I want and get rid of the undesirable "features" that were added.
Give me a ping, Vasili. One ping only, please.
An extension probably won't be necessary by the time 2.0 is released. Either Firefox will abandon the feature, or they'll have written the UI to disable it.
It's technically not necessary right now for people who are willing to deal with about:config and toggle the preference there -- which is the only people who should be using the trunk builds anyway.
Firefox 's Ping Attribute: Useful or Spyware?
Yes.
m0nstr42.blogspot.com
I left this comment at the mozilla blogpost:
You can argue all day that users are tracked already. But from the comments here, it's clear that this would be a public relations disaster for Firefox. If you implement this feature, don't be surprised when the marketshare drops, alarmist news articles crop up all over, and people start talking about a fork.
It's not just about what makes sense technically. It's also about people asking whose side you're on. Firefox right now has a reputation of being on the side of the users and doing the best it can to protect their privacy. That's part of its brand. Screw with it at your peril.
1. It can already be turned off via about:config (RTFA), and if it actually makes it into Firefox 2.0 there will probably be a checkbox in Preferences.
2. As a guy with a website, I'm actually curious as to which links people click on to leave. Server logs will tell me which pages on my site are most popular and where visitors are coming from, but they won't tell me where they're going unless I go to the effort of creating a redirect script and linking through that -- and while I'm curious, I don't care enough to go to that effort. (Though advertisers and sites with marketroids do care, and have gone to the effort -- often sneakily.)
darnit... I already modded a post in this thread, but I really do have to clear this up.
"Also, it doesn't work with gmail's standard mode. Which isn't really Konqueror's fault."
As of KDE 3.5.x, Konqueror can do gmail's standard mode, but you first have to set the user agent string to Firefox. iirc, this also tells Konqueror to emulate a couple of Firefox's quirks, which is what makes it work.
Tools > Change Browser Identification > Other > Firefox 1.0
If you don't have that submenu, you can enable it by going to Settings > Configure Extensions... > Tools and make sure "UserAgent Changer" is selected.
Windows users should just wait a short while, until KDE 4 is release. Due to the recent QT 4 changes, it has been anticipated that Konqueror will run natively on Windows.
The Konqueror codebase is far cleaner than that of Gecko and Firefox. Not only that, but QT may prove to be superior for writing efficient crossplatform applications.
Cyric Zndovzny at your service.
Is there NoHTTP extension for Firefox? Tracking can be implemented even using obfuscated URLs and HTTP redirects. Server can share its logs with 3rd party as well, so ping attribute doesn't allow any more spying that is already possible...
From the standard definition:
When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URI.
From the Article blurb:
this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
It seems the implementation is not done properly.
Go to about:config and look for browser.send_pings, set it to false. This is defaulting to true in the overnight trunk builds, although you won't have it yet if you just run the official releases. But next time you get an update, check for it and you can disable it.
Double the ./ effect with ping...
as I want to abuse this one I have to post as AC.
You already are paying the bandwidth costs of tracking.
If tracking is done via big $%& query strings, your pages are bigger. If its done (more commonly) by redirects, you pay it even more.
If you have the option to turn it off, you might actually save some bandwidth.
Also, consider there are better uses than simple advertising. Your favorite sights, by knows what you click on and look at, can offer you more of what you want. You can be presented with more relevant information.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
What's so quiet about a public blog post by a developer on weblogs.mozillazine.org that goes into detail about how it works and why?
I don't understand how visitors could have any problems with such an attribute, it could save alot of resources both browser & serverwise.
The people that would use it are going to find a way to track visitors one way or the other.
In all actuality, by the time anyone even gets the option to click such a link, they've likely been tracked 6 ways from Sunday already anyways.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
JavaScript. Invisible frames which load arbitrary pages. All-transparent GIFs. There are tons and tons of tactics which *are already used* to give webmasters the same abilities. PING is just a less-evil way of doing them.
It's a Good Thing, damnit!
Lots of comments already, so I'll be surprised if anybody sees this one, but here goes, because I have a solution. I'll ignore the fact that integrating non-standards into the browser at an HTML level fragments the web and assume that FF is going to do this no matter what, so at least they should do it properly.
5 94.html .
Mistake 1: Calling this a "ping" is the first big mistake here. It obfuscates the purpose and gets everybody reaching for their tinfoil hats and disablement extensions.
*** Solution 1: This feature should be called (to the user) "Click-Track Accelerator" and CLEARLY and openly explain that you are being click-tracked anyway, but by using this feature (enabled by default, but see #2), your browsing experience will be faster. This is a fact.
Mistake 2: Allowing any site to do this is asking for abuse including DDOS attacks on competitors and any number of other things that were possible before but even easier now (and all look bad for Firefox).
*** Solution 2: Include in the preferences a "Click-Track Accelerator Whitelist" which by default contains "adwords.google.com" (or whoever else donates to the Mozilla foundation [just kidding]). When a new click-track ping is attempted, prompt the user to allow, deny, or add to whitelist. Also have a checkbox for "Always allow for same server" (which is on by default and lets servers do what they can do anyway, but quicker).
Mistake 3: There is no facility defined for servers to identify this capability in the client so no servers will even use this! (Mozilla -- you're not Microsoft, so get over yourselves)
*** Solution 3: Some kind of HTTP header to identify this feature should be used. See GrangerX's post on http://weblogs.mozillazine.org/darin/archives/009
And allow websites to download the entire contents of the history folder. Why have cookie controls at all if the devs are just going to shoe-in another workaround? We should allow every website to read every other website's cookies. Why are we beating around the bush?
fast as fast can be. you'll never catch me.
that Firefox includes an option to disable this feature.
- Let us fight together for a patent-free EU.
...or more specifically the comments below:
Out of interest, how did you implement the 'informed user' requirement? ("When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs.")
Posted by: Malcolm at January 17, 2006 12:14 PM
The UI component of this feature is currently unimplemented. We did not see that as a blocker to enabling this on the trunk (development) builds of Firefox. I hope to test out Ian's suggestion of adding the pings to the status bar shortly.
The feature is currently enabled by default in Firefox, but disabled for Thunderbird.
Posted by: Darin at January 17, 2006 12:33 PM
As a TOR user, that's ANOTHER thing to block off, only this time it is a critical IP protocol component: ping (aka ICMP Echo/Echo-Reply). Correct purpose of TOR end-user is not to have 'spurious emission' of javascript, UDP, ICMP and...AND Domain Name Service, DNS) during a typical TCP session (i.e., web browsing) which may reveal its own IP address.
Wait until the next revision of this Firefox feature to embed HTTP cookies (or *shudder* user, account, password, hostname ) into the very LARGE CAPACITY of an ICMP Echo payload.
Once this slippery slope of this feature's introduction occurs... Mozilla.Org and Firefox will stoop down to Microsoft's level... and it's game over (or should I say, end-of-life) for the dissidents of very hostile governments.
My recommendation is to nip this at the bud, effectively and immediately before further lives are lost.
--
"Dammit, Scott McNealy, We definitely do have some modicum of privacy worth saving."
All it means is that it's time to make a new Proxomitron (http://www.proxomitron.info/) filter.
DELETED!
Could someone please tell me *how* to disable ping? Cheers, -BM
http://melbournephilosophy.com/
The whole reason I started using Firefox, and pushed everyone I know to use it, was its unwavering focus on the user and their experience of the web. Enabling pop up blocking by default is a good example of this. It hurts advertisers, but too bad. Firefox doesn't exist to cater to advertisers. The Browser for the People, and all that.
The ONLY purpose for this ping feature is to make it easier to spy on user behavior. There is no benefit to the user. In fact, this results in pushing the load (bandwidth costs) that used to be on the server to ping advertising partners off on the client. The main benefit is in simplifying the server side infrastructure required to spy on user movement through the web.
We know from history that yet another way of redirecting the client to talk to 3rd parties unknown to them can only result in lower security.
P.S. I've never seen a Slashdot discussion thread with so much active PR management in it. Any critical comment is met with tons of highly moderated rebuttals that are very misleading: "No privacy impact! Javascript already does it, so what can it hurt! There will be a mod that lets you turn it off!" I wish these people would identify their own interests in the outcome of the debate. Mine is: I'm a user who does not want to be spied on, or support software that actively helps others spy on me.
Where else are you going to see such things as "Submitter is a melodramatic idiot (Score:5, Informative)"?
So what's to stop sites sporting links with text saying "http://someothersite/page" with an actual link to "http://thissite/redirect/hexstring" which will pop you over to the othersite page anyway? If they can track the hit on their own URL, they can then notify every frickin' server on the internet that you clicked it. The only way around it is to cut-n-paste the text of the link - assuming it's a URL itself and not merely a descriptive string. Where's the difference between that and ping-enabled links?
Adding "standard" means of tracking clicks would be very good for users that love privacy. One -- they can disable it (settings/plug-in/etc). Two -- companies that make firewall/filter products will include neat little option "remove PING from links" and kill ping attribute from tags (and pieces of javascript that would try to set it). :)
Of course, precisely because of all of the above it probably won't take off. And making ping support mandatory would result in even bigger collective gasp and "They're taking after Big Evil Corporations" accusations
Hyperom.com
Who the fuck asked for this "feature?" This is 1000 times worse than cookie tracking.
What next? The firefox mouse tracker? Tracks all the mouse movements on the web page.
I bet than NSA-owned company, Google, which hires many firefox developers is behind this stunt.
It should be enabled by default, though indicated to those who want to know about it. Why? Because tracking click-throughs happens one way or the other and the current way is horrifically slow (but also maintains your privacy by only allowing webmasters to see where you're EXITing their site).
The new way makes the process shitloads faster while preserving the existing and pretty reasonable bounds of privacy.
Would you rather hit a redirect with every google link and wait for your browser to build up a second connection to the real site OR immediately connect to the real site from the very beginning, while the tracking shit completes in the background? I'd vote for backgrounding any day, but it's not going to happen with reactionary hoards of knee jerkers on slashdot getting it disabled by default.
As to the silent operation of this feature: that's already being accomplished with javascript. Though I agree that in both cases the browser should make it easier to see what's going to happen when you click a link.
Firefox is trying too hard to add new features that most users don't want or need. The average user want webpages to look the same as they do under IE - not always true. They want all websites to work - IE specific ones, including lots of online banking and webmail still don't right (yeah I know about the activex issues). We don't need RSS feeds, non rfc compliant Ping features, etc. We want a secure, compatible and stable browser. In that order too I think.
Firefox still has a crapload of annoying problems. Want an some examples? Under Windows, open multiple firefox windows or tabs and click on a download link. All the other windows and tabs are hung until the download starts. Can we say piss-poor threading? Firefox's attempt to cache everything into all available memory still makes it a fscking memory hog. My browser shouldn't be claiming 150-meg with one stinking window open. And don't tell me I need to go into the settings to fix this. That's no better than the MS Office bar preloading everything and sucking up too much memory. Some Flash content still causes Firefox to crash. Autoproxy config still doesn't work right and a corrupt proxy.pac file crashes Firefox. Patching is still a bit of a joke.
Do I need to go on? If Internet Explorer wasn't such a nightmare from a security standpoint, Firefox would have zero appeal for the average Windows user. It's still an unstable Beta product as far as I'm concerned.
Morons! Are you all just missing the point here?
Far from just providing things that are useful to users, Firefox/Mozilla developers are now providing things that are useful to website owners!
This is an important development!
First, it means that Firefox/Mozilla has graduated to a level that only IE has seen thus far.
Secondly, it means that the Firefox/Mozilla team has sold out! They are now working for the creators of content, not the users of content!
Fuck 'em! Fuck 'em all! I need them and their constant pursuit of filthy lire not at all! They are no better than Microsoft after all!
I don't expect this to be read at all but by those who read at sub-notice levels. But those who read this, be afraid! Be very, very afraid!
Hang on... Firefox 2 roadmap 'had' to be approved by Google? I think this is undermining by stealth. The project is not the property of those developers that are on Google's payroll... I can see this (legitimately) becoming another one of those "Google borrows freely from open source, pushes others to use it, and then keeps much of its work inhouse" things
This is exactly why Open Source is better! How long would it have taken to uncover such a debatable feature in a closed source product?
Boffoonery - downloadable Comedy Benefit for Bletchley Park