Firefox 's Ping Attribute: Useful or Spyware?

An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."

Submitter is a melodramatic idiot

[grahams]

1. You are talking about a feature just added to a development tree, not something in a released version of Firefox.
2. This feature can already be disabled (if you happen to be running a development version) using the 'browser.send_pings' preference.
3. They didn't "quietly enable" a feature, they did it in front of everyone interested. There are plenty of bugs in bugzilla talking about the implementation of this feature. If you are running a development version of Firefox and can't be bothered to keep up with what is going on in the development community, that's your problem.

Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=31936 8

// check prefs to see if pings are enabled
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
if (prefs) {
PRBool allow = PR_TRUE;
prefs->GetBoolPref("browser.send_pings", &allow);
if (!allow)
return;
}

userContent.css to the rescue

[Matt+Perry]

Add this to your userContent.css file to make links with the ping attribute have a green border when hovered:

a:hover[ping]
{
-moz-outline: 1px solid green;
}

Re:userContent.css to the rescue

[booch]

That should be:

a:hover[ping] { -moz-outline: 1px solid green !important; }

in order to keep the web site from overriding your setting.

Re:You can already do this with Javascript

[grub]

Use the Firefox NoScript extension and you can be selective about what javascript you run on a per-site basis.

RTA

[Morosoph]

I'm racking my brain to imagine why a user would ever want to enable it.

So as to avoid expensive and hidden redirects.

Re:RTA

[nicklott]

but they're not expensive to the user. No website can use this as a primary mechanism in a process as less than 1% of their users will have it enabled. So, it can only be used for things that are optional to the website, for example user tracking. And in this case it actually generates more traffic, as now you just parse your logs (or put an image in, wherein we have a mechanism that does exactly the same thing anyway).

Re:RTA

[malsdavis]

Firstly they are expensive to the user, as you have to wait for the response to come back before being able to move onto the next page and secondly being expensive for the web server does indirectly effect users.

Sure your one redirect query may not effect you much but tens of thousands of people doing it could slow a server right down.

Re:Firefox's Ping Attribute: Useful AND Spyware

[oneiros27]

I would recommend Firefox be distributed with this option disabled

Which would give web developers no reason to ever bother using it, and they'll continue doing the same little tricks they've been using for years to keep you from seeing that they're tracking the links.

Take a look at the HTML source on Fark -- you'll see javascript to overwrite the status line so it doesn't show it's tracking you ... and there are hundreds, if not thousands or millions of other sites that do the same.

If it can't be disabled then I'm off

[BestNicksRTaken]

If this can't be disabled (in preferences, about:config, or easily in the source, or via some extension/Greasemonkey script) then I'm sticking with the current 1.5 build, or possibly off to Opera or Epiphany.

Jesus if this was put into MSIE then people would be writing to their MP/senator by now!

I cannot think of any good use for this.

People who run servers do not need that specific kind of stats, their server logs should be good enough. Only marketing (aka spyware) types would want this kind of info.

Re:Possible fix

[RevDobbs]

Did you read the article, or the WHATWG spec?

It specifically mentions:

1. Links with the "ping" attribute should be diffrentiated from other links.
2. There should client-side options to control "ping" behavior, similar to current cookie options: "respond to all", "ignore 3rd party", "ignore all".

FWIW, this really seems dead in the water. First, not too many users will have it enabled (or even available, for that matter). Second, this information is already being reliably collected with cookies, mod_usertrack, javascript, and page redirect tricks -- mostly with no knowledge of the enduser.

Why go with a little-available, easily disable mechanisim when the tried-and-true method is already available?

Re:Not very useful

[Fastolfe]

Mozilla team is pulling an IE (implementing their own extensions... read the blog...

WHATWG != Mozilla

Mozilla is attempting an implementation of a standard set by an independent standards body. No, they're not the W3C, but like you pseudo-quoted out of context, "w3c doesn't have to make all the rules."

Highlighting links that have a ping attribute

[CTho9305]

If you add this to your userContent.css, links that have a ping attribute will be green:

a[ping] {
    color: green !important;
}

You could also do something like this:

a[ping] {
    -moz-opacity: 0.5 !important;
}
a[ping]:hover {
    -moz-opacity: 1 !important;
}

so that the links would be transparent until you hover over them

NoScript will take care of this baby ;)

[Giorgio+Maone]

I'm already testing and I'm about to release a NoScript version (1.1.3.6) which neutralizes this lovely ping attribute on untrusted sites, and offers also an user-accessible option, not implemented by Firefox (yet?), to disable it globally. I hope this will calm down the tinfoil hats ;)