Firefox's Ping Attribute: Useful or Spyware?
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
This isn't a question, it's obviously a little of both. Sacrifice some information about the sites you visit to allow those who run the servers (anyone, really) some feedback and statistics.
It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.
Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled.
My work here is dung.
I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest. Because all of you know that it will be abused and that users will implement it wrong or find new uses for it that the developers didn't intend. Some of them may be good, some bad.
At least for childbirth. Bring in the machine that goes, PING!
If brevity is the soul of wit, then how does one explain Twitter?
One ping-disabling Firefox extension.
kind of abusive, no? I'm just imagining slashdotting more than one server... hum? another issue is the pre fetch directive on firefox... i'm starting to think my bandwidth is out of my control..
This feature is extremely useful for any website that wants to give their users better content by parsing what they're going through. It also lets you figure out who is clicking advertisements (which are usually off site) and even gives you the ability to run a multitude of websites but aggregate all the statistics on one of your machines.
Sure it can be abused -- I don't see why more of these abusive features can't be set up in a whitelist fashion. I'm already shocked that web browsers make it so difficult to whitelist sites you feel are safe (or don't mind giving up some information to make your experience better).
That comes to the point of this post -- how about a standard "setup" logo/button committee that helps create a "setup" web profile that sites can use to give the users options on how they want to be configured? We've got some standard buttons already (RSS feed, etc), why not one that users could be familiar with so that they can white list or opt-in to certain additional "anti-privacy" features?
I know many websites (including a few of mine) could use more user information, and I don't see why we can't work to just setting a standard for how to do it.
Does this feature track and retain your surfing habits without your consent? Can you not opt-out of it?
If the answers are yes, I would say it is Spyware.
He who knows best knows how little he knows. - Thomas Jefferson
This is firefox we're talking about. There will be an extension available within the first day to strip out those attributes. Or even more likely a built-in option to not acknowledge them.
How is this different from the web server logging every page and image you load?
Is the concern that the 'ping' comes from your browser and not any proxy server you may be using? In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....
Of course this should be disabled by default, I just don't see this as a huge privacy issue.
v2sw7CUPhw5ln6pr5Pck4ma7u7LFw0m6g/l7Di5e6t5Ab6TH.
Websites can do all that stuff with a redirect script on the server side and the user has no control or knowledge of who is being notified. If site developers start using the ping tag instead we can selectively disable it with an extension. It gives the user control where before there was none.
Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=319368
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
as i read the summary i became overcome with fear when the updates are available dialogue popped up at the bottom of my screen. coincidence....?
The only way to get rid of a temptation is to yield to it.
-Oscar Wilde
This will make it easier for Ramius to declare his intention is to defect.
Are you also recommending that Firefox be distributed with Javascript disabled? Because this ping functionality is easy enough to implement in javascript. If ping is disabled by default, then nobody will have it enabled, which means that web developers will continue to do it the old fashioned way, and the ability to disable ping will be worthless.
Doug Moen.
I have written a truly remarkable program which this sig is too small to contain.
I've used redirects a lot and if properly set up, the transfer time between the redirect and the page the user wants is minimal. If you want a redirect to a lot of complicated things or collect a lot of data, of course it's going to be slow. The idea is to keep it simple. As long as this is something I'm not forced to use, I'm fine with it, though I can see the bitching down the road when someone finds a novel way to abuse it.
GetOuttaMySpace - The Anti-Social Network
compared to before? It's not as if this functionality isn't already employed through other ways (javascript or redirects on the serverside). Now, it's just a little bit easier.
Of course you can disable javascript, but most people don't. People who do so, can also turn off this ping functionality. I'm sure an extension will allow to do this the easy way (NoScript notably).
the pun is mightier than the sword
At least if I'm not telling you to do so ;)
The default for this option must be OFF in any case. Is the firefox team really prepared to be associated with the same business practices Microsoft and -the new kid on the block- Apple is showing?
A lot of websites use redirect pages to get this exact same information, and off the top of my head I imagine it is pretty simple to notify multiple urls of where you are going using some tricky javascript and even cookies and referrers can be used across sites to track visitors. This is just making a very common, and needlessly complex, mechanism infinitely simpler for the web developer.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
I doubt its usefulness outweighs the huge downside to basically allow any 6-yr old to track your every move. Just my .02 // And you people say IE has security problems... /// Waits for flame to start
So, I don't mean to go all "Sensationalist Title" on your ass, but the post links to a mozilla blog explaining how they've added this feature to the TRUNK. Announcing a new feature in a blog is not quite a press release, but it's a hell of a lot more forthcoming than what "quietly added" implies. Also, it's been added to the Trunk, so it's not likely to actually show up in any Mozilla build for a while, much longer, if ever, in a release. This is really the way to add something like this. Put it in to see where and how it will be used and whether that's good or bad.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
1) Don't use firefox
2) Write an extension. Similar to the one that lets you know if the target is a PDF file or opens a new window or whatever...
No, this feature came from the WHATWG, which is largely a joint work effort between Mozilla and Opera.
What a fool believes, he sees, no wise man has the power to reason away.
One badly formed loop and a page request with pings could mean one hell of a DoS attack.
Wikileaks, no DNS
Isn't this just like Microsoft back in the days. Making their browser compliant to their own 'standard' HTML specification in stead of the W3C specification?
It's smelly if you ask me. If you have this marvelous new innovation for HTML, why not propose a new specification at W3C?
Good grief, that's the first thing I thought of when I read this article. I guess I've been reading Slashdot for too long.
.. but this is one of the cases where the Open Source model works well. Any truly paranoid geek out there can pull down the source tree and watch all of the changes to any of the crap the FF developers decide to throw in. They can then apply their own patches-of-paranoia and remove untrusted suspect code, build it and run it behind however many firewalls and proxies they have set up.
1. Javascript does it already
... if Microsoft said that /. would be up in arms)
2. Now you alienate any user using another browser
3. Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules"
I'm going to implement this on some pages. It would be dead interesting just to see who's got this enabled...
My first thought was "How can you track clicks with a ping?". After RTFA, it's not literally a ping to some server, it's a request to a URI, most probably an HTTP request that will contain request parameters indicating what link was clicked.
Second of all, this is not any more of a privacy intrusion than previously existed. It was always possible to track clicks within a single website via cookies, and clicks on external links (i.e. banner ads) by using a redirect first. If the author of the website wants to track what you're doing, he's already got the means, and he's had them for years.
There are 2 kinds of people in this world. Those that can keep their train of thought,
ummmmm, since it's open source, can't you just take that part out and recompile it? granted you have the expertise, anyway....
We should try and do an experimental implementation of , to see if there are any unexpected real-world problems.
That's what nightlies are for! We now see that it's a controversial tag (and they're probably already well-aware), so they're giving it a shot. Would you rather them just say "no, we don't like that potential standard, so we're not going to try implementing it"?
It could enable a user comments vs people who actually RTFA statistic. Knowing slashdot it would crash on a divide by zero error of course.
But wait a minute, an infinite number of pings? So the story submitter himself can also add his pings? Knowing the quality of slashdot editors (HA!) any story submitter would know who read what links in his article. Do I want him to know?
Imagine that someone puts a goatse.cx link on a forum. You don't of course admit that you've been tricked but the next post is a record of all the pings the link submitter received proving that all of slashdot wanks to the goatse man.
The abuse of this feature is clear and the benefits? If slashdot really cared to know which external links are followed or not then that is their business isn't it?
Do I really want websites to know which external links I follow? I think this is a solution looking for a problem and in the few cases where a website needs to know the users need for privacy is superior.
Bad mozilla. This is something I would have expected of MS or the old Netscape. Now go sit in a corner and don't come out until you stop adding crap features that tattle on me without informing me.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
If this can't be disabled (in preferences, about:config, or easily in the source, or via some extension/Greasemonkey script) then I'm sticking with the current 1.5 build, or possibly off to Opera or Epiphany.
Jesus if this was put into MSIE then people would be writing to their MP/senator by now!
I cannot think of any good use for this.
People who run servers do not need that specific kind of stats, their server logs should be good enough. Only marketing (aka spyware) types would want this kind of info.
#include <sig.h>
This single attribute will notify "a list of servers to notify when you click on a link".
Is this the one rule to ping them all?
We pray for the end of ignorance and superstition
One, this is in the trunk builds - NOT the released versions.
From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."
I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.
But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.
On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.
But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.
Solution: In my mind, the big (and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"
Just me $0.02
I said no... but I missed and it came out yes.
Come on. Who asked for this 'feature'? I don't see the purpose of it. The article states that it is for "enable link tracking mechanisms commonly employed on the web". That sounds to me that a marketing lobbying firm has leveraged its influence somehow.
It will be abused really soon in my opinion. Right now the site you're browsing can track you. Tomorrow, your clicks will be broadcasted (clickcasted) to all ads firms live. Gr8t!
Assuming that IE implements the same feature, will sites use this? If clients can turn it off, I suspect that web sites won't trust it. This is something that is most accurately done on the server, and I think that's where it will stay.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
The whatwg page says that "When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs."
To me this means that the status bar or some other indicator should show the fact of the ping when you hover over the link. Does Firefox do this? I'm not running a "trunk" build.
Can we please, please, keep politics out of this? I would rather discuss the FF issue, than listen to a flame war about politics.
It would be just as easy to defeat this technology (if you did not want it), by using it against itself.
Any developer with a small amount of time on their hands can easily develop a firefox extension or greasemonkey script that will take all of the ping tags out of the page that is rendered to the user.
"Problem" solved.
Why not limit the ping to the server that made the current page? This should prevent people from embedding pings into blogs, and still allow the replacement of redirects for tracking where you go. I would think unless this is done, too many people will disable it for any real sites to use it, and it will *only* be used for nefarious purposes.
When you contact a server, it can do whatever it wants with the details of the transaction, including sending information about it to any number of 3rd party servers. All this ping tag does is offload some of that to the client. I could see how this could be used to set up a DDOS, but implying that it's a privacy risk sounds like BS/FUD to me. Kind of like cookies: They don't track anything that the server couldn't track server side if it wanted to, in which case you wouldn't be able to erase the records, which puts cookies one up imo.
Just add that code to the default and I'd consider the issue resolved.
Unless the web designer can override the setting...
"Live Free or Die." Don't like it? Then keep out of the USA
No! Not the Pages Who Say 'Ping!'
The same!
...
Ping! Ping! Ping! Ping! Ping!
Ow! Ow! Ow! Oww!
We shall say 'ping' again to you if you do not appease us.
Well, what is it you want?
We want... a shrubbery!
http://outcampaign.org/
I find this so odd. What is wrong if I want to see how many people click a link on my website? I can think of a lot of non-evil uses for it. Think of it like P2P why should you eliminate a perfectly useful technology just because it can be abused?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
There will probably be a shit-storm over this. It sounds useful, though. Too bad it will be abused.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Sure, the basic functionality can be duplicated with javascript. However, tying this behavior explicitly to a "ping" attribute makes it much easier to identify and block/disable the behavior. If someone doesn't want to mess around with a NoScript extension, script whitelists, etc... then this makes life easier.
Look at it this way: I'm lazy. I don't want to be a security/privacy Nazi about any/every script on webpages I view. However, if there's an "easy" way to block something I view as potentially abusive, this ping attribute could easily be disabled.
Which makes me think that if other users are lazy like me and just want to disable "ping", this feature would likely be dead-in-the-water, and designers who want to track users would continue to use Javascript.
I only post comments when someone on the internet is wrong.
Yes, it's possible to do everything the ping tag does by using javascript or redirects. Let sites that want to engage in such practices pay the penalty. Display of such sites should be slower.
The benefits to the site developers who want to track clicks are clear, the benefits to the person looking at the page is less so.
If they're going to go any further with the "ping" feature, there should be a function (enabled by default) that prompts you before pinging the servers.
No, it's not really that simple. This is much like the difference between first-party cookies and third-party cookies. In fact, I'd be happy if they decided to limit them at that level of granularity. I honestly wouldn't mind first-party pings. This provides--as you correctly note--nothing more than they can already collect now. It does, however, significantly enhance the developers' ability to directly collect stateful click-through information.
On the other hand, I'd say third-party pings are no less (and no more) evil than third-party cookies in terms of privacy. It seems to be a fairly common practice to disable third-party cookies while leaving first-party cookies enabled. I would certainly like the option to specify my preferences at that level.
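Added example, not part of any comment in this thread: a small Node.js audit that finds every link carrying a ping attribute in a page, resolves each space-separated ping target against the page URL, and shows which requests would go out under the three policies argued for above (pings off, pings limited to the server that made the page, all pings). Treating "first-party" as same-origin is an assumption of this sketch, and the page URL, hosts and HTML are constructed sample input.

```javascript
// Constructed sample input; every host below is a placeholder.
const SAMPLE_PAGE_URL = 'http://news.example/story/42';
const SAMPLE_HTML = `
<a href="http://foo.example/" ping="/track?to=foo">first-party only</a>
<a href="http://foo.example/article"
   ping="http://ads.example/click  http://stats.example/p?id=7 /track">mixed</a>
<a href="/about">no ping attribute</a>
<a href='http://bar.example/' PING='https://news.example/p mailto:x@news.example'>odd</a>
`;

// Matches an <a ...> start tag; quoted attribute values may contain '>'.
const ANCHOR_RE = /<a(\s(?:[^>"']|"[^"]*"|'[^']*')*)>/gi;
// Matches name, name=value, name="value" or name='value' inside the tag.
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Simplification: character references such as &amp; are not decoded.
function parseAttributes(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();               // attribute names are case-insensitive
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!attrs.has(name)) attrs.set(name, value);  // first duplicate wins, as in browsers
  }
  return attrs;
}

// Resolve one ping token and label it relative to the page's origin.
function classifyPing(token, pageUrl) {
  let target;
  try {
    target = new URL(token, pageUrl);              // ping URLs may be relative
  } catch {
    return { raw: token, url: null, party: 'invalid' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { raw: token, url: target.href, party: 'non-http' };
  }
  const sameOrigin = target.origin === new URL(pageUrl).origin;
  return { raw: token, url: target.href, party: sameOrigin ? 'same-origin' : 'cross-origin' };
}

// Return one record per link that carries a ping attribute.
function findPingLinks(html, pageUrl) {
  const links = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.has('ping')) continue;
    const tokens = attrs.get('ping').split(/[ \t\n\f\r]+/).filter(Boolean);
    links.push({
      href: attrs.get('href') ?? null,
      pings: tokens.map((t) => classifyPing(t, pageUrl)),
    });
  }
  return links;
}

// Ping requests a client would send for one link under a policy:
// 'off' (feature disabled), 'same-origin' (only the page's own server), 'all'.
function pingsToSend(link, policy) {
  if (policy === 'off') return [];
  return link.pings
    .filter((p) => p.party === 'same-origin' ||
                   (policy === 'all' && p.party === 'cross-origin'))
    .map((p) => p.url);
}

// Distinct origins other than the page's own that would learn about clicks.
function crossOriginTargets(links) {
  const origins = new Set();
  for (const link of links) {
    for (const p of link.pings) {
      if (p.party === 'cross-origin') origins.add(new URL(p.url).origin);
    }
  }
  return [...origins].sort();
}

console.log(JSON.stringify(findPingLinks(SAMPLE_HTML, SAMPLE_PAGE_URL), null, 2));
console.log('cross-origin recipients:', crossOriginTargets(findPingLinks(SAMPLE_HTML, SAMPLE_PAGE_URL)));
```

The tag scan is regex-based so the audit runs without a DOM; inside a browser extension or user script the same classification can be applied to the elements returned by document.querySelectorAll('a[ping]').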
Google doesn't need this. With things like Adsense, they just use Javascript. How do you think they get the data for things like the Adsense heat map?
Even if this was some nefarious Google plot, they are hardly likely to switch to it instead of Javascript when only Gecko-based browsers support it.
Bogtha Bogtha Bogtha
So now a website might know if I visted another website sometime wow gee this is evil. It's like that time I bought a bag of cheetos and used a savings card and now there's some supermarket database that has a record of me buying cheetos oh god what will i ever do.
Do the Firefox developers really think, that web designers develop sophisticated CSS layouts, test them on all kind of browsers, come up with ingenious hacks to make them work even on IE, just to have a standards compliant and validating HTML site, and then use this ping attribute to destroy all this work?
And I thought Firefox was pushing standards compliance. It seems that as soon as they gain serious market share, developers think they can "improve" things on their own, and repeat the mistakes of Netscape Navigator and MSIE by "enhancing" HTML with their own badly designed elements and attributes.
But we already know that hubris is one of the chief virtues of a programmer.
The ping attribute allows Web pages to track which off-site links are most popular, as well as allowing advertisers to track click-through rates without obscuring the final target URI. It is possible to track users without this feature, but authors are encouraged to use the ping attribute so that the user agent can improve the user experience.
Encouraging good behaviour is great, but it doesn't fix the problem of bad guys obscuring the target URI. It will be up to the content publishers of the world to create ad policy that discourages bad behaviour...but that means they may have to turn away a few dollars here and there to be taken seriously and keep users safe.
Personally, I don't trust Firefox anymore. No matter how many times I disable "check for updates" it keeps checking for updates. No matter how many times I tell it to stop checking automatically for updates or upgrades for my extensions, it refuses to stop. Yes, I have used the preferences. I have tried manually setting them with about:config. Nothing will make it stop checking. This has been happening since the 1.5 beta and is persistent in 1.5 final.
It also appears to be impossible to install it without the "report to your master" feature (which is supposed to report crashes). It can be disabled (supposedly) later, but in the install you used to be able to uncheck it, now it's grayed out and gets installed by default every time.
Then there's the whole automatically prefetching links that you MAY click on in order to "speed up" the browsing. There's no way to tell if it's even doing this unless you are watching your network connection carefully, but it's ridiculous and it's hard to make it stop.
No application should be using the network connection without my explicit permission on each and every action. Typing a URL or clicking a link is permission, I'm TELLING it to go fetch that data. But doing crap in the background without asking me is just dishonest.
From the article:
"Websites even employ "onmousedown" event handlers that change the href attribute at the very last second before a click occurs. This makes it so that hovering over the link displays the location that you want to go to, but it still ends up taking you someplace else."
Gee, thanks for handing the spyware creators, spammers, and phishers even MORE ammunition. Let's trick the user into thinking he's clicking on one thing, and at the last minute send data to another URL. YES! Let's make it MORE difficult for users to trust their online banking applications (etc.)!!!
I see it mentioned in a working group, but I see no confirmation this is part of any final adopted spec.
That's my only concern... that Mozilla is once again off on a path of implementing stuff before the spec is adopted, and we're going to have "Best if using Mozilla" icons showing up on websites.
A request for what? Just a simple GET request? Would it just be http://foo.com/ping_tracker.html?%5Bclicked_ur%5D
Software Wars
I am sick and tired of waiting for a single webpage to resolve and load/submit content to/from different domains. If I visit a slashdot.org webpage, I do not want my browser to load banner ads from remote advertisers or send cookies/pings to them. I have no problem with slashdot and other websites deploying their own banner ads, as long as they come from the same servers as the webpages. There is nothing wrong with websites submitting their server logs to advertisers, as proof of traffic revenue.
Google proved that local (non-remote) text banner ads can be profitable.
A domain lockdown security feature would ensure that all content (images, cookies, pings, plugins, javascript, java, etc.) on a webpage could only access the same server that webpage is hosted on. It would help with privacy concerns, reduce bandwidth, and speed-up web browsing.
I worked out a way to do this recently using Javascript, without changing the href attribute or adding any other attributes to the link. All that is needed is to add two Javascript references in the page head.
The script adds a click event handler to each link found on the page. When the link is clicked, an AJAX-style request is sent to the server, with the URL and link text. Meanwhile the user goes on to the link destination. You can also limit the event handlers to a particular HTML element by class or ID attribute.
Yes, it could be used for nefarious purposes... but from a site administration standpoint, it is useful to see which links are being clicked. It goes beyond just server logs... you can see which areas of your page are most visible or draw the user's attention, for instance.
I posted some of my code for this last month. (This is a link to my site, which has no commercial purpose and does not employ tracking of any kind, including the technique described above.)
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
If you don't like the ping attribute, look through the code and disable it in your copy.
Acid2 only measures the particular edgecasitis that the Acid2 authors managed to think of - web developers seem capable of introducing many more. What's needed isn't more acid tests but a W3-approved regression suite.
I agree that would be the reason to enable it.
But it's a lousy scenario. There shouldn't *be* expensive, hidden redirects, and we're just encouraging what I consider (at best) stupid, even (worse) anti-social, possibly evil behavior.
I'm completely in favor of progress, but it seems the net is always taking at least one step back (in some cases a few dozen) for every step forward.
We should be encouraging content providers to produce clean web pages that do what we expect them to do, simply, instead of to be ever more complex, sneaky, tricky marketing tools. or worse.
I never realized before why URLs wouldn't show up in the status bar on fark. After reading your comment, though, I allowed javascript to change the status bar and the issue was fixed. I think in the case of fark they aren't trying to be sneaky so much as user-friendly. The redirect URLs are unreadable because of the URL-encoding of the link destination. I don't particularly care that fark knows when I click an external link from their site, but I do enjoy the ability to see a readable URL by hovering over links with the mouse.
Why would a web developer use the ping attribute now?
I think the main developer who would want to use it is Google with their adwords program. They're probably trying to minimize the bandwidth those redirects consume for all the clicking that happens on their ads. This is on top of the bandwidth of every page view requesting the ads to be embedded in the first place, which can't be avoided...
Even if Google can shave off 6% of unnecessary redirects (all Firefox users), that's a big bandwidth savings.
Seth
$5 / month hosted VPS on linux = awesome!
So you are either only surfing websites made by 6 year olds or sites that want to send tracking information to sites run by 6 year old.
(As many other posts have already stated) Most commercial sites you visit are already doing a variation of this. They either contain tracking information as query string parameters, or in the URL and redirect (302) you to your final page. In the case of a redirect, your browser sends two http requests before getting you to your destination.
In the current state of affairs, you have to wait for this processing to happen before getting to your final destination. Adding the attribute will allow it to happen asynchronously and get you to your final destination quicker.
Other differences of using this vs. the current state of affairs:
-You can turn it off
-You can know that a link has tracking
Link tracking is happening now, and has been happening for a long time.
What's wrong with making the process transparent and providing a better user experience in the process?
As for security, this is a privacy issue, not a security issue. Currently you have no control of the privacy of your link clicking. This could actually give you some control, if used.
Microsoft should implement it as well.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Hi! Firefox Rocks and everybody's know that! If they decide to implement this feature, I trust them because they code excellent products. Anyway even if they are some spam, it will be a millions times better that Internet Explorer that is a really crap product. Even if Firefox corrupt my entire hard disk, I will choose this one because I hate the microsoft products that are too expensive for the poor quality that it represents! Trust Firefox, they know what they does and more than we thought!!! Thanks, Sebastinator! Thank you for visiting my web site and posting your comments on the forum!
Thanks for visiting my Web site! Post your comments on my forum!
Is it just me ? when I RTFA it states that.. "The feature itself was designed and specified by the WhatWG." and when I look at the WhatWG site I see this information:
"Editor:
Ian Hickson, Google, ian at hixie.ch
© Copyright 2004, 2005 Apple Computer, Inc., Mozilla Foundation, and Opera Software ASA."
and in the acknowledgement section..
"Special thanks also to the Microsoft employees"
So why does everyone keep saying that Mozilla came up with and implemented this feature on their own, and are creating their own standards.. It looks to me like the WhatWG, where ping originated, is a combined effort of a working group made up of multiple parties.
That many Slashdot posters can't be wrong, maybe I missed something...
far...out
These two have equivalent functionality:
<a href="http://example.com/redirect?http://foo.com/">...</a>
and
<a ping="http://example.com/ping?http://foo.com/" href="http://foo.com/">...</a>
The former is in wide use everywhere on the web. Both report the EXACT same data about the user to the server. The difference is that the latter is faster for the end user. Both can be blocked by Firefox prefs or extensions.
This is universally a good thing!
or if you're using a nightly trunk, file a bug report on that...
From a site design perspective it shouldn't be hard to do both. When the user first hits the site then give them a javascript link tracker as well as the ping one, then once you receive a ping from them then you can disable the javascript for the rest of their session and keep the experience snappy.
Notifying/blocking redirects and disabling pings are both worthwhile for many (possibly most) of us! This pinging might even work in the favour of ping-blockers, as it's easy to block unredirected traffic. Maybe unpinged traffic will also be blocked.
Personally, I liked toad3k's idea.
Wikileaks, no DNS
You would think so. Starting with cookies, though, there's always been a major component of web design and development which hinges on deliberately obfuscating important events from the user.
I don't want to get too heavy into tin-foilery over this. It would be difficult to support a claim that these pings and cookies are used for anything but the most innocuous of data mining and profiling pursuits. Here is where a natural danger sense comes into play, though: if people are being so careful not to draw attention to the extra activities of the software then just what are they hiding?
fast as fast can be. you'll never catch me.
Anyone else care to remember the <BLINK> fiasco?
It is obvious that a "middleman" like Google is the one who will benefit the most from this. But one has to wonder: how much influence does Google have on Firefox development these days? And has Firefox become the de-facto "Google browser", catering to Google's needs only?
If you add this to your userContent.css, links that have a ping attribute will be green:
a[ping] {
color: green !important;
}
You could also do something like this:
a[ping] {
-moz-opacity: 0.5 !important;
}
a[ping]:hover {
-moz-opacity: 1 !important;
}
so that the links would be transparent until you hover over them
My server
OK, I've been avoiding it, but I think the time has come to do as some friends have, and run privoxy (www.privoxy.org).
The real question here is - how can we disable this "feature" if we don't want all that it offers?
that's how I see it anyway . . .
This is already happening. Most commercial sites ALREADY track all of the link clicks on their sites. The majority of them use 302 redirects so, you can't turn them off.
The only thing use of this attribute would do is make transparent what has ALREADY been happening for years.
When I worked at a media company, we had a cluster of servers dedicated to link tracking. All links on the site would send you here, and it would send you a 302 to your destination. Try disabling redirects, and you will see the web stop working.
What's wrong with the idea of not hiding the tracking that is already happening?
As for stats, people want to know if you clicked on a linked image instead of linked text. They want to know what colors get clicked on more.
Did I mention many, many sites already do this?
The technology to do this is pervasive:
Perl CGI
http://www.google.com/search?q=perl+cgi+link+tracking
PHP
http://www.google.com/search?q=php+link+tracking
All kinds of stuff
http://www.google.com/search?q=%22link+tracking%22+service
----- If communism is a system where the government owns business, what do you call a system where business owns govern
I'm not *sure* about this, but I think that gnome's file dialogs have been incorporated into GTK+ proper. And with that said, what's wrong with the gnome file dialog? They're certainly better than the old (old old) GTK one...
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
myself I'd add a bit of extra script to make sure that the ping came back first but still not much harder
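<script language="javascript">
// Emulates the ping attribute: appends one <script> element per URL so the
// browser issues a request to each tracking server.
function ping(urls) {
  var html_doc = document.getElementsByTagName('head').item(0);
  var js;
  var u;
  // Index loop instead of for...in, which also walks inherited properties.
  for (u = 0; u < urls.length; u++) {
    js = document.createElement('script');
    js.setAttribute('language', 'javascript');
    js.setAttribute('type', 'text/javascript');
    js.setAttribute('src', urls[u] + '?userinfo=DrSkwid&sid=174300');
    html_doc.appendChild(js);
  }
  // Returning true lets the browser follow the link as usual.
  return true;
}
</script>
<a href="http://offsite/link.html" onclick="return ping(['http://slashdot.org/logping.pl', 'http://digg.com/logping.php']);">visit offsite link</a>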
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
There is no ping tag.
FTA, it is an attribute to the anchor "a" tag. Globally removing attribute values is trivially easy to do in javascript.
Curiously, I don't see anyone trying to figure out how to defeat the redirect link tracking that happens today in every browser.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
My question is where did this idea come from? Is it in an HTML standard somewhere? If not, they shouldn't have bothered putting it in IMHO. How can I tell my friends that Firefox aims to be more standards compliant if the Mozilla team is putting in proprietary HTML features?
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
We use Websidestory's HBX product where I work. It's quite nice from a marketing standpoint. Technically, it's just javascript and cookies. Sure -- it doesn't work for people who turn off cookies or JavaScript, but those people are rarer than you think. One plus is it doesn't impact the click stream. Another upside to the HBX method is you get fewer false positives from robots and other machine visitors.
We also use redirects (CGIs, various J2EE dealies) -- that method is very labor intensive and it trashes SEO. It destroys SEO. And you have to dedicate many hours to weeding out the "clicks" from robots and machines.
This ping method might be used if IE adopted it, but it sounds like a pain in the neck -- we'd have to build a new app and tool for marketing to monitor the clicks.
Ok, everyone change your links to ping="http://www.microsoft.com". How long will they keep up with this additional traffic? How long will it take for microsoft to sue somebody? Not long.
> what's wrong with the gnome file dialog?
The most obvious problem is that, unlike the old
XUL file browser, they don't use the current Firefox
theme. This makes them look completely out of place
on screen.
More importantly, the design of the new file browser
is fundamentally broken; it's been dumbed down to the
point of unusability. There's no obvious place to type
filenames rather than using the mouse, the display of
the directory tree is non-standard, clicking on
"Browse for other folders" in the save dialog triples
the size of the window and often moves the cancel/save
buttons off the bottom of the screen, etc.
The disaster that is the new GTK file browser is the
main reason that I'm still using GTK1 versions of
Mozilla etc.
So everyone wins. Website operators have a nifty new feature, users have more options for protecting their privacy. Where's the problem?
My bicycles
Do not confuse this feature with spyware. Tracking cookies have always been used by advertising companies, yet they can be disabled. But I'd rather stick with tracking cookies than having to navigate through sites with embedded flash because the sponsors require them to. This "cookies = spyware" is just paranoia to me.
Anyway, if a website gives you a "ping" attribute, what prevents the same site from obfuscating the link and doing some redirections? It's EXACTLY THE SAME! If there can be any abuse, it's because the attribute is provided BY THE WEBSITE'S CONTENT. And who controls the website content?
One major abuse I could see are phishing sites, but if you already entered a phishing site it's your own fault, and I *REALLY* doubt a bank site would add ping attributes to their website.
In comparison, SPYWARE steals resources, bandwidth, CPU and Memory, and makes your system unstable, stealing also YOUR VALUABLE TIME.
So, no, the ping attribute is NOT SPYWARE. I think the article submitter was too sensationalist by putting this in the headline.
This is an important point. An AJAX application will quite merrily send and receive large quantities of data without you knowing - this is by design. It relies on being able to do things 'behind the user's back'.
Think of it this way - if you had a popup every time a local application wanted to communicate with the hard disk, how quickly would you become angry?
How many people can read hex if only you and dead people can read hex?
> You would think so. Starting with cookies, though, there's
> always been a major component of web design and development
> which hinges on deliberately obfuscating important events
> from the user.
Still using cookies as an example, progress has been towards better "cookie privacy". Items like blocking 3rd party cookies by default, a clear "clear all information" button, limits which override cookie expiries, etc. all give the user more control over his/her privacy.
To add this "ping" feature w/o also providing control over its use to users is rather surprising since, otherwise, Firefox has been moving in the right direction.
This is not just surprising, but incredibly disappointing.
Say this becomes commonplace in all browsers so that it's an issue, many sites use javascript or images to do similar things in order to generate better web stats. Unless you turn off javascript and images, or edit the site's code you already have this sort of thing going on.
This method is more upfront, and will allow stats to be done without javascript---and it will make it easier for an extension to track and disable it. Right now, it's nearly impossible to block them from doing it short of turning off javascript and images.
Democracy Now! - uncensored, anti-establishment news
Why should anyone blame Firefox? They simply created a fully compatible browser. The blame should be on the sites that use this tag for bad reasons. This tag used properly could be used within companies to make more usable sites among other personalized things. It all comes down to how it is implemented.
Saying that you'd stop using Firefox if this is deployed is like saying you'd stop going to Wal-Mart if they have cameras watching you ... but wait ... they do. Face it. You're on the web. You're being tracked. OMG! Slashdot is tracking me now!!1!!1
... as a tool to improve user experience, this is a GREAT idea. decouple the link tracking from the target page loading. however, until it's adopted in a standard way by all browsers, it's useless. this can already be done in numerous ways thru javascript, proxy pages, inventive link creation, mod-rewrite ... there are as many ways to track user clicks as there are competent developers.
but seriously
sure, make it disableable. additionally, make it configurable to set the maximum number of PINGs per click. and lastly, limit the URLs to the originating site only.
"Glory is fleeting, but obscurity is forever." - Napoleon Bonaparte
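The restrictions suggested in the comment above (a cap on pings per click, originating site only), combined with the attribute rewriting an earlier comment calls trivially easy, can be sketched as a client-side policy. This is an added example, not code from the thread, Firefox or any extension; `MAX_PINGS`, the function names and the sample markup values are assumptions, and duplicate targets are also collapsed.

```javascript
// Added example: a client-side policy for the ping attribute.
// MAX_PINGS and all function names are assumptions made for illustration.
const MAX_PINGS = 2; // assumed cap on background requests per click

// Take a ping attribute value (space-separated URLs) and return the targets
// that survive the policy, as absolute URLs resolved against the page URL.
function filterPingTargets(pingValue, pageUrl, maxPings = MAX_PINGS) {
  const page = new URL(pageUrl);
  const seen = new Set();
  const allowed = [];
  for (const token of String(pingValue).split(/[ \t\n\f\r]+/)) {
    if (allowed.length >= maxPings) break;    // cap reached (also handles 0)
    if (token === '') continue;               // leading/trailing whitespace
    let target;
    try {
      target = new URL(token, page);          // relative URLs resolve here
    } catch (e) {
      continue;                               // unparsable token: drop it
    }
    if (target.protocol !== 'http:' && target.protocol !== 'https:') continue;
    if (target.origin !== page.origin) continue; // originating site only
    if (seen.has(target.href)) continue;         // repeated URL: send once
    seen.add(target.href);
    allowed.push(target.href);
  }
  return allowed;
}

// Rewrite one anchor so it carries only the permitted targets; remove the
// attribute entirely when nothing is permitted. `anchor` is any object with
// getAttribute/setAttribute/removeAttribute (a DOM element in a browser).
function applyPingPolicy(anchor, pageUrl, maxPings = MAX_PINGS) {
  const value = anchor.getAttribute('ping');
  if (value === null) return [];
  const allowed = filterPingTargets(value, pageUrl, maxPings);
  if (allowed.length === 0) {
    anchor.removeAttribute('ping');
  } else {
    anchor.setAttribute('ping', allowed.join(' '));
  }
  return allowed;
}

// Browser entry point: apply the policy to every element carrying ping.
// Returns the number of elements whose attribute was changed or removed.
function applyPingPolicyToDocument(doc, pageUrl, maxPings = MAX_PINGS) {
  let changed = 0;
  for (const el of doc.querySelectorAll('a[ping], area[ping]')) {
    const before = el.getAttribute('ping');
    applyPingPolicy(el, pageUrl, maxPings);
    if (el.getAttribute('ping') !== before) changed++;
  }
  return changed;
}

// Constructed stand-in for a DOM anchor so the example runs outside a browser.
function makeAnchor(ping) {
  const attrs = { ping: ping };
  return {
    getAttribute: (n) => (n in attrs ? attrs[n] : null),
    setAttribute: (n, v) => { attrs[n] = String(v); },
    removeAttribute: (n) => { delete attrs[n]; },
  };
}

// Constructed sample: one same-site target listed twice, a third-party
// target, a relative URL, a non-HTTP scheme and one more same-site target.
const SAMPLE_PAGE = 'http://example.com/article';
const SAMPLE_PING = [
  'http://example.com/ping?http://foo.com/',
  'http://tracker.invalid/log',
  'http://example.com/ping?http://foo.com/',
  '/stats',
  'javascript:void(0)',
  'http://example.com/third',
].join(' ');

const sampleAnchor = makeAnchor(SAMPLE_PING);
applyPingPolicy(sampleAnchor, SAMPLE_PAGE);
console.log('ping after policy:', sampleAnchor.getAttribute('ping'));
```

In a browser this would run as `applyPingPolicyToDocument(document, location.href)`, and would need to be re-run for links inserted into the page later.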
After reading the included link *and* reading the comments of the implementors they don't get it. They don't want to disable it by default or Just No Do It.
They don't want to inform the user of it. They don't care if it violates security concerns or privacy concerns. And they come across as condescending and holier than thou.
I will no longer support that or any future version of Firefox unless this is removed completely and a privacy statement is issued where they pledge to protect the users security and privacy. I will not allow my systems to be upgraded and will not recommend my company consider it. I will actively work against them.
The firefox crew are more vile than M$ for you've violated my trust.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
I'm already testing and I'm about to release a NoScript version (1.1.3.6) which neutralizes this lovely ping attribute on untrusted sites, and offers also a user-accessible option, not implemented by Firefox (yet?), to disable it globally. I hope this will calm down the tinfoil hats ;)
There's a browser safer than Firefox, it is Firefox, with NoScript
Think this through. No site is going to totally drop outbound click tracking via the old redirect-chaining in favor of this.
It only works in firefox, and only when turned on.
If I were to support it, as a developer, I would set up a 'ping sniffer' on the home page, with a 'ping' attribute to all links. It would track to a page on the site whose only purpose is to add a 'visitorSupportsPing' attribute to the visitor's session cookie. Note that this is only done on the home page, and only when the attribute does not already exist.
From then on, I can dynamically emit either redirect-chained links, or ping-tracked links based on what the client supports.
From that point on, EVERY visitor will still be tracked, it's just their choice to enable ping-tracking and save themselves the redirect. If cookies are disabled, they just get the old redirect-chained method.
One last note. No high-volume site is going to bother to do this, unless it's with a high-performance isapi/nsapi/httphandler filter. The performance hit otherwise would just be too high.
I just want to ask: What functionality does this give to me, as a user, that couldn't be entirely implemented on the server side without requiring anything to happen behind my back?
I use the web to view content. Ceding the argument of complex layouts (graphics, frames, fonts, etc.) there is no content that I've viewed in the last 8 years which requires any functionality on my browser's part beyond what I could get from lynx. What does this ping bring to me, as a user, and why should I care to have it at all?
AJAX doesn't impress me either. Webapps, while nice for jobs and web-coders (everyone needs to make a living somehow), should die. There's a better and more secure way to do everything which any web-app does.
fast as fast can be. you'll never catch me.
Adding a ping attribute to links isn't anything resembling spyware, and it doesn't, as a lot of people seem to think, make the web a worse place to be. It adds a polite way for websites to ask for click information. They don't intrude any more than redirects do, but instead of seeing:
http://www.example.com/tracker.cgi?go=http://www.example.com/nextpage
or the more obnoxious:
http://www.example.com/go?id=fluffernutter
in the status bar, users will see:
http://www.example.com/nextpage
and in addition, they will have the ability to easily turn off the pinging. There are javascript bookmarklets that get around the first style, but nothing that gets around the second style. The third style will make it a browser preference. Anyone who thinks that most users spend a whole lot of time thinking about the urls of links that they are clicking on probably isn't thinking right.
max
Nerd rage is the funniest rage.
The Firefox 'ping feature' is a good example of why we need a choice of more than one browser to use. The ping tracking is great for website owners but not great for the unwashed masses of users who might not want to wear radio tracking collars and have RFIDs implanted in their left cheek. If there is only one viable choice in web browsers, that browser will be under enormous pressure and temptation to implement features of dubious value to users. With a choice of two or more, users can amble over and give the competition a shot when their primary browser does something user-unfriendly. Even better would be wide support for open standards and a choice of 3, 4, or 5 browsers that all support the standards. Hey, what's wrong with dreaming?
Not everyone views the web as "read-only", so to speak.
I use quite a few sites as tools that give me access to data or features provided by someone that I wouldn't normally have access to. Examples include bank sites and stock brokerage firm sites.
One additional response to your comment: how about providing insight as to the "more secure" alternatives to AJAX that provide the same functionality and fill the same niche rather than simply saying it "should die".
"I have no special gift, I am only passionately curious." - Albert Einstein
Couldn't a crafty webmaster load up a javascript on an adwords page to add all the adwords links as ping fields to all the links on the page via the DOM? Then all the links on the page would generate adwords clicks right?
Does this protocol check for duplicate links in the ping? What happens if I put like 10 or 100 of the same link in the ping. With a popular enough website I could inundate other websites with garbage ping requests.
---k--
</stupid>
One of the big lessons we learned from REFERER and Cookies is that it's easy to think about the privacy implications of a feature in isolation, but when you combine it with other features it's a lot more complex - e.g. DoubleClick works because you can combine the two features, so even though Website A's cookies don't get shared with Website B, DoubleClick can track cookies across sessions and use REFERER to track the sites that include its ad banners.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Now I can set up a website so that it has 100's of one pixel images. 1 line of code will have Firefox reload the page after a certain interval of time. Since the page is most likely cached, files will not be loaded from my website while Firefox may very well dutifully ping the site of my choosing. I am an open source fan of the biggest sort, however I am not too fond of Firefox 1.5 and above. Firefox is becoming more and more like its rival. :-(
:-)
But hey, at least I can change it to do what I want and get rid of the undesirable "features" that were added.
An extension probably won't be necessary by the time 2.0 is released. Either Firefox will abandon the feature, or they'll have written the UI to disable it.
It's technically not necessary right now for people who are willing to deal with about:config and toggle the preference there -- which is the only people who should be using the trunk builds anyway.
Communication between an application and my hard drive should not result in data leaving my immediate "control zone" (or at least one would hope). That same sort of activity occurring over a public network to an unknown destination is more insecure by orders of magnitude.
Your point is valid that AJAX functionality poses many of the same issues as this Firefox "feature", but I politely refute your hypothetical example.
Firefox 's Ping Attribute: Useful or Spyware?
Yes.
m0nstr42.blogspot.com
1. It can already be turned off via about:config (RTFA), and if it actually makes it into Firefox 2.0 there will probably be a checkbox in Preferences.
2. As a guy with a website, I'm actually curious as to which links people click on to leave. Server logs will tell me which pages on my site are most popular and where visitors are coming from, but they won't tell me where they're going unless I go to the effort of creating a redirect script and linking through that -- and while I'm curious, I don't care enough to go to that effort. (Though advertisers and sites with marketroids do care, and have gone to the effort -- often sneakily.)
Windows users should just wait a short while, until KDE 4 is released. Due to the recent QT 4 changes, it has been anticipated that Konqueror will run natively on Windows.
The Konqueror codebase is far cleaner than that of Gecko and Firefox. Not only that, but QT may prove to be superior for writing efficient crossplatform applications.
Cyric Zndovzny at your service.
If this were IE doing this, we'd be up in arms. But instead, it's Firefox and people are bending over backwards to justify and condone this.
Have you even *read* the comments? People *are* up in arms!
I actually recall a feature request in bugzilla to do just that.
Is there NoHTTP extension for Firefox? Tracking can be implemented even using obfuscated URLs and HTTP redirects. Server can share its logs with 3rd party as well, so ping attribute doesn't allow any more spying than is already possible...
The ping will help reduce page loads as well. Only headers need be exchanged when you use the ping, instead of loading some shim graphic to handle hit tracking, which people will do with or without ping.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
This is actually in the specification:
The spec also indicates that users should be able to disable it:
This is a first-pass implementation in a developer build, so they haven't implemented the UI to disable it (though you can get to it via about:config) and there's no mention of the notification yet, but I'd expect both to be in any released version of Firefox that includes this.
On the DDOS issue, I have to admit I'm surprised that the spec doesn't limit the number of URLs that can be pinged.
I know that this will be extraordinarily out of the box type thinking which was discarded back around '95 when the intarweb was used to create a huge marketing bubble...
Use your imagination and come up with something which doesn't involve HTTP and port 80. I know, it's tough because there's so little out there. Looking at the internet today one would think that HTTP and port 80 were the whole reason behind designing desktop computers.
And, again... what functionality does this new ping give to _ME_, the user who bought this hardware and is paying the electric bill to run this browser? If I were to talk with the author of the code for this little snippet what explanation would he be able to give to justify that _I_, the user, want this?
fast as fast can be. you'll never catch me.
From the standard definition:
When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URI.
From the Article blurb:
this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
It seems the implementation is not done properly.
The big advantage of web apps is that they don't require installation.
Sure, you can come up with a zero-install app with roaming profiles running on a distributed, remotely-accessible platform using something other than HTTP and a web browser -- but you'd need to set up the infrastructure and get the platform installed on as many PCs as possible. That's the next-gen "right" solution, and I recall Microsoft talking about this type of thing with .Net and Hailstorm a few years back (funny how people didn't like it much). Web apps are the "right now" solution which can get this type of app running and in use today.
If I remember correctly, which I may not, the only reason Konqueror passed the ACID2 test was because it was hacked to specifically render it. I could be wrong. I'd be surprised if that wasn't the case, though, considering last time I used Konq, the rest of the world was in the 5+ generation of browsers, and it was still in the 2.0 generation.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
hmm. I had no idea that Mozilla used GTK at all.
It sure as hell never has on any of my installations.
But, you're right, the GTK2 file dialogues are of the worst possible order.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Go to about:config and look for browser.send_pings, set it to false. This is defaulting to true in the overnight trunk builds, although you won't have it yet if you just run the official releases. But next time you get an update, check for it and you can disable it.
You already are paying the bandwidth costs of tracking.
If tracking is done via big $%& query strings, your pages are bigger. If its done (more commonly) by redirects, you pay it even more.
If you have the option to turn it off, you might actually save some bandwidth.
Also, consider there are better uses than simple advertising. Your favorite sites, by knowing what you click on and look at, can offer you more of what you want. You can be presented with more relevant information.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Additionally, if you had any sense at all, you'd realize that Firefox NEVER used the GTK dialog in the first place. It used an XUL-based dialog that was pretty basic but did the job well.
There's no reason that Linux should be the odd man out by having an inferior version. Especially with all the idiots acting like Firefox is somehow a "Linux app" when clearly the Windows (and probably Mac, though I've never used it) version gets all the love.
Hopefully the Mozilla kids get their shit together and fix it or Konqueror steps up and fills the role it should already be playing as the dominant Linux web browser.
The Farewell Tour II
>
> AJAX is faster because there are fewer page loads.
>
You do know about browser cache, don't you?
For the page in itself, if most webpages weren't composed half of useless JavaScript (be it advertising or not), HTML tables used for design and deprecated tags/attributes, I guess we would not need to limit page loads.
>
> The ping will help reduce page loads as well. Only headers need be exchanged when you use the ping,
> instead of loading some shim graphic to handle hit tracking, which people will do with or without ping.
>
Better yet: do not track users and care for your content instead. Web server logs are way enough for the only legitimate purposes there are to keep stats: manage your server bandwidth and maybe check if what you are writing/serving, has been read/saw/heard by many or few. You should not care about anything else.
What's so quiet about a public blog post by a developer on weblogs.mozillazine.org that goes into detail about how it works and why?
You want it because the provider of the link is going to monitor your click-thru whether you like it or not. At least this way you can click on a link, which points directly to the page, and get there without them having to resort to http redirection and possibly javascript to obscure the fact that they're redirecting you.
I don't understand how visitors could have any problems with such an attribute, it could save a lot of resources both browser & serverwise.
The people that would use it are going to find a way to track visitors one way or the other.
In all actuality, by the time anyone even gets the option to click such a link, they've likely been tracked 6 ways from Sunday already anyways.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
JavaScript. Invisible frames which load arbitrary pages. All-transparent GIFs. There are tons and tons of tactics which *are already used* to give webmasters the same abilities. PING is just a less-evil way of doing them.
It's a Good Thing, damnit!
I see. As long as we're halfway down the lion's throat we might as well go all the way.
If anything you've illustrated why we should be critically looking at web designers and developers and asking,"Just what are you up to?"
fast as fast can be. you'll never catch me.
The alternative is the same stuff happening on the client side, as it is right now, but through more user-hostile means. Think hidden frames and DIVs, transparent GIFs, JavaScript being used to make arbitrary requests, and all that junk.
ping gives a less user-hostile alternative to all of that miscellany -- and one that the users can actually easily turn off. It's a Good Thing. Embrace it.
Precisely why we should not be adding new features to allow the same thing to happen. Instead the devs should be looking back and securing the existing protocols.
I hate to bring politics into this but this is the exact same pattern with our legal system: Why go back and refine the old when we can just keep writing new?
Can you imagine applying that meme to your code base for any major application? Why, it would end up looking like a collection of bandaids with a million loopholes in each one. Ask Microsoft how well that works out for security and reliability.
fast as fast can be. you'll never catch me.
And allow websites to download the entire contents of the history folder. Why have cookie controls at all if the devs are just going to shoe-in another workaround? We should allow every website to read every other website's cookies. Why are we beating around the bush?
fast as fast can be. you'll never catch me.
that Firefox includes an option to disable this feature.
- Let us fight together for a patent-free EU.
And with that said, what's wrong with the gnome file dialog? They're certainly better than the old (old old) GTK one...
:)
The fact that they're not nearly as good as the old old GTK ones
The old GTK file dialogs were perfect, besides the matter of their default size (which let you see about two characters of each filename). The split-pane view was good, the text-entry box had magical tab completion that was just awesome, and everything was fast and simple. The new GNOMish dialogs in 2.recent are complicated and slow. I don't even get a damn box to type into, except for the magical "popup" one that doesn't provide nearly as much useful feedback as the old-style one. Opening a file is a noticeably slower and more painful task. The only plusses are the more reasonable size and the "handy places" on the left.
Kindly reserve your snide "tone" for times when you are correct. The browser cache will not help you load pages with dynamic content unless you use some form of content replacement technology... like AJAX. Meanwhile, even while using AJAX, you can be caching javascript, by including them with a SCRIPT directive instead of your webserver's INCLUDE directive - this is the normal means of including javascript, anyway.
And, if you think Javascript is useless, then you can't be helped, anyway. Even just good old DHTML is a means for reducing page loads, which depends on Javascript.
Reducing page loads is a good thing no matter why you do it, as it decreases the load on the entire internet between you and the server, including your machine, every node in between the two end points, and the server itself.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
...or more specifically the comments below:
Out of interest, how did you implement the 'informed user' requirement? ("When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs.")
Posted by: Malcolm at January 17, 2006 12:14 PM
The UI component of this feature is currently unimplemented. We did not see that as a blocker to enabling this on the trunk (development) builds of Firefox. I hope to test out Ian's suggestion of adding the pings to the status bar shortly.
The feature is currently enabled by default in Firefox, but disabled for Thunderbird.
Posted by: Darin at January 17, 2006 12:33 PM
Acid2 only measures the particular edgecasitis that the Acid2 authors managed to think of - web developers seem capable of introducing many more. What's needed isn't more acid tests but a W3-approved regression suite.
Too rigid. I developed a fairly complex layout for a website that was IE, Firefox, Opera and W3C-compliant (hardest of all after IE compatibility, you'd be surprised how forgiving browsers really are). Strangely enough it had a small rendering bug on Safari and I presume Konqueror as well. Anyway, Firefox and Opera were almost to the pixel identical. When they all pass ACID2 I think you have to really go out of your way to make it render differently on W3C-compliant pages. If your page isn't valid (X)HTML/CSS, then expect things to behave odd. What is needed is better tools to create compliant pages - I've seen so many broken tools that should have been put to death long ago.
Kjella
Live today, because you never know what tomorrow brings
As a TOR user, that's ANOTHER thing to block off, only this time it is a critical IP protocol component: ping (aka ICMP Echo/Echo-Reply). Correct purpose of TOR end-user is not to have 'spurious emission' of javascript, UDP, ICMP and...AND Domain Name Service, DNS) during a typical TCP session (i.e., web browsing) which may reveal its own IP address.
Wait until the next revision of this Firefox feature to embed HTTP cookies (or *shudder* user, account, password, hostname ) into the very LARGE CAPACITY of an ICMP Echo payload.
Once this slippery slope of this feature's introduction occurs... Mozilla.Org and Firefox will stoop down to Microsoft's level... and it's game over (or should I say, end-of-life) for the dissidents of very hostile governments.
My recommendation is to nip this at the bud, effectively and immediately before further lives are lost.
--
"Dammit, Scott McNealy, We definitely do have some modicum of privacy worth saving."
Could someone please tell me *how* to disable ping? Cheers, -BM
http://melbournephilosophy.com/
AJAX doesn't impress me either. Webapps, while nice for jobs and web-coders (everyone needs to make a living somehow), should die. There's a better and more secure way to do everything which any web-app does.
AJAX has its place. For many websites it isn't of any use and it can confuse the interface if not used without providing the user with feedback. However there are applications where it is very useful. Gmail is probably the most well known. As far as web mail goes it provides a far better user experience than those that don't use it.
And there are other applications such as drag and drop on a web page that it can be used for. Sure these things can be done without the use of XMLHttpRequests, and some of them without DHTML but this makes the entire user experience slower and more painful.
You may want to argue that these things should not be done using a browser and that custom application should be used for these tasks. This doesn't work however if you want to access these programs at multiple locations. Often the program that you want to use is not installed or configured properly while you can usually guarantee that there will be a web browser installed.
Writing off a technology because it is used in places where it doesn't need to be seems rather short-sighted to me. AJAX definitely has its place and can be very useful.
The whole reason I started using Firefox, and pushed everyone I know to use it, was its unwavering focus on the user and their experience of the web. Enabling pop up blocking by default is a good example of this. It hurts advertisers, but too bad. Firefox doesn't exist to cater to advertisers. The Browser for the People, and all that.
The ONLY purpose for this ping feature is to make it easier to spy on user behavior. There is no benefit to the user. In fact, this results in pushing the load (bandwidth costs) that used to be on the server to ping advertising partners off on the client. The main benefit is in simplifying the server side infrastructure required to spy on user movement through the web.
We know from history that yet another way of redirecting the client to talk to 3rd parties unknown to them can only result in lower security.
P.S. I've never seen a Slashdot discussion thread with so much active PR management in it. Any critical comment is met with tons of highly moderated rebuttals that are very misleading: "No privacy impact! Javascript already does it, so what can it hurt! There will be a mod that lets you turn it off!" I wish these people would identify their own interests in the outcome of the debate. Mine is: I'm a user who does not want to be spied on, or support software that actively helps others spy on me.
I would agree if you could demonstrate the usefulness of AJAX outside of a web browser. AJAX may, in itself, be a fantastic design. The question still remains, though, "What are we really trying to accomplish and should we be doing this with a web browser at all?"
Lately the following has become increasingly obvious: We're adding new features to keep and track users on the web to generate databases and clicks for (artificial) revenue to show numbers to the investors so that we can get more capital to add new features to keep and track users on the web to generate databases and clicks for (artificial) revenue to show numbers to the investors so that we can get more capital to add new features...
Can you see why I, as a user, am no longer impressed with port 80? I'm not really fond of pyramid schemes.
fast as fast can be. you'll never catch me.
Not possible: The "existing protocols" leak information when behaving exactly as designed and specified, and can't be secured without throwing them out and writing completely new standards. That is to say: Improving the implementations of those standards cannot reduce the amount of leakage, because that leakage necessarily occurs when the standard is implemented as designed. That's not important, though, because the leakage in question is not sufficient as to have a significant, non-theoretical detrimental effect on the userbase.
Now, if you think we really ought to write completely new standards that prevent the "immoral" loopholes from being exercised, I urge you to consider some of the consequences:
And so forth. Revising HTML and related standards to focus on security in place of functionality -- neutering the Web to minimize the amount of (even harmless) information exposed without user confirmation -- is an absolutely horrid idea. Moreover, even if it were a good idea, it would never be accepted by a public accustomed to having functionality over usability.
So -- if you want to live in that world, here's what you do: Turn off Flash and JavaScript; disable all your browser plugins; disable images; go into the source of your browser and turn off support for frames and DIVs unless you affirmatively choose to load them after seeing their URLs, and go spend time pretending that you've actually bought yourself some level of privacy that's actually sufficient to have any substantial, non-detrimental effect whatsoever on how you interact with the outside world... but please leave the rest of us alone when we're trying to make life better for ourselves. You might want to read Secrets and Lies. One of its themes is the difference between real and merely illusory security; it's something you might do well to grasp.
Where else are you going to see such things as "Submitter is a melodramatic idiot (Score:5, Informative)"?
AJAX's place is definitely on browsers - they are an application installed on most PCs which can interface with external servers using common, standard (In theory) methods. This gives me the ability to work in the same environment, with the same data, in different physical locations.
Yes, there are more permanent local applications which can do the same. I use Outlook 2003 and Exchange 2003. Outlook is a big powerful application which is installed locally and maintains its own copy of the data, but should I need to roam I can use Outlook Web Access (AJAX). Exchange Server does all the hard work of keeping things working on the same page.
How many people can read hex if only you and dead people can read hex?
That's just bunk. The issue here is tracking mechanisms embedded in the client application. If you look at my history you'll see that I'm all in favor of whatever they feel like doing on the server side. Put a href wherever you like. If that's enough for tracking then why are all these other vectors needed?
Who is benefitting so greatly from the current insecure implementations that I'm required to behave like a hermit just to stay aware of possible exploitation whether it be computer, social, financial, political, or otherwise?
To continue my metaphor (this is the parents checking on the kids when everything goes quiet): Your protests sound very similar to, "Nothing Dad. We're just reading." while carefully tucking something under the bed.
fast as fast can be. you'll never catch me.
Adding "standard" means of tracking clicks would be very good for users that love privacy. One -- they can disable it (settings/plug-in/etc). Two -- companies that make firewall/filter products will include neat little option "remove PING from links" and kill ping attribute from tags (and pieces of javascript that would try to set it). :)
Of course, precisely because of all of the above it probably won't take off. And making ping support mandatory would result in even bigger collective gasp and "They're taking after Big Evil Corporations" accusations
Hyperom.com
It should be enabled by default, though indicated to those who want to know about it. Why? Because tracking click-throughs happens one way or the other and the current way is horrifically slow (but also maintains your privacy by only allowing webmasters to see where you're EXITing their site).
The new way makes the process shitloads faster while preserving the existing and pretty reasonable bounds of privacy.
Would you rather hit a redirect with every google link and wait for your browser to build up a second connection to the real site OR immediately connect to the real site from the very beginning, while the tracking shit completes in the background? I'd vote for backgrounding any day, but it's not going to happen with reactionary hordes of knee jerkers on slashdot getting it disabled by default.
As to the silent operation of this feature: that's already being accomplished with javascript. Though I agree that in both cases the browser should make it easier to see what's going to happen when you click a link.
Firefox is trying too hard to add new features that most users don't want or need. The average user wants webpages to look the same as they do under IE - not always true. They want all websites to work - IE specific ones, including lots of online banking and webmail still don't work right (yeah I know about the activex issues). We don't need RSS feeds, non rfc compliant Ping features, etc. We want a secure, compatible and stable browser. In that order too I think.
Firefox still has a crapload of annoying problems. Want some examples? Under Windows, open multiple firefox windows or tabs and click on a download link. All the other windows and tabs are hung until the download starts. Can we say piss-poor threading? Firefox's attempt to cache everything into all available memory still makes it a fscking memory hog. My browser shouldn't be claiming 150-meg with one stinking window open. And don't tell me I need to go into the settings to fix this. That's no better than the MS Office bar preloading everything and sucking up too much memory. Some Flash content still causes Firefox to crash. Autoproxy config still doesn't work right and a corrupt proxy.pac file crashes Firefox. Patching is still a bit of a joke.
Do I need to go on? If Internet Explorer wasn't such a nightmare from a security standpoint, Firefox would have zero appeal for the average Windows user. It's still an unstable Beta product as far as I'm concerned.
My argument is that the standards in question are not buggy -- rather, that the tools they provide in order to give the user good and useful functionality can also be turned towards ill use. Developing a web browser that can't leak information back to the server is analogous to developing a hammer that can't smash someone's skull in: It won't be very good for nails either.
Putting an HREF in is causing the client to take action: In particular, you're asking the client to go and affirmatively download an extra image from the server. If said image contains no useful information, that's exactly the same as doing a separate ping request -- except that you caused the rendering engine to slow down and wait for that image to be retrieved.
The purpose of the extra vector in this case, then, is to have a mechanism that doesn't slow down the rendering engine, because the browser knows it can make that request only after the content needed for page display has already been loaded.
Who is benefitting? You. When you use Google Maps, you benefit from JavaScript that can make asynchronous (hidden!) calls back to the server. When you use Slashdot, you benefit from having the images loaded off a separate server farm (which can track you just as much as the ping tag can). When you use almost any banking site, you benefit from frames and DIVs (which can be used to cause new, hidden page requests, but also make for a pleasing page layout). Et cetera.
This ping tag gives away no more information than the approaches I mention in the above paragraph (which you say are "server-based" and thus harmless), but it has the additional benefit of not slowing down your browser.
Given that your argument seems to be based on a presumption that a ping tag gives away more information than an IMG HREF can, I claim that the assertions on which your core argument is based are factually incorrect. Until you can explain how your argument is based on real, genuine facts about the technology in question, I'm forced to write this off as baseless paranoia -- and question my continued involvement in this thread.
Give me a genuine, technical explanation of what risks the PING tag adds which wouldn't otherwise exist, and we'll be able to have a real discussion -- talking not about what the other person "sounds like", but actually discussing the merits and faults of the technology in question.
Again, your entire argument is centered on "it can already be done, so what's wrong with it?" My question still is, "Why do I want this code running on my system?" You give a few examples but none of them require client side tracking.
fast as fast can be. you'll never catch me.
No, it isn't.
My argument is thus: It already is done in more destructive ways; why not accept a less-destructive (lower-impact, easily disabled) one in its place?
If you don't have this code on your system, you're stuck with the more-destructive approaches; you get longer page load times, can't easily disable the extra requests, and still are being tracked by advertisers.
Your use of the term destructive is debatable. There's no clear indication that existing methods are destructive.
Accepting this "less destructive" method will not remove the others from use.
You don't expect me to take the page load time FUD seriously, do you?
What's next after ping? A bash shell hosted inside of Moz for the server side pages to play with?
I really wish I could work a Hitler reference in on this one, too.
fast as fast can be. you'll never catch me.
They are "destructive" in the following senses:
If none of these things are destructive, then the PING approach is also not destructive, since its impact is a subset of the first attribute of the existing approaches: It allows a 3rd party to track when a page is being loaded.
If you can show that the PING approach has any additional impact, then do so; otherwise, you're just trolling (and admittedly, I've bit).
At least with javascript and a href you can lie and say you're not tracking the users. With ping the plausible deniability goes to zero pretty fast.
fast as fast can be. you'll never catch me.
There's a reason that logic classes teach "slippery slope" as a fallacy.
Do you want to be lied to? With ping you can tell which requests are tracking the users and which ones are providing content, and you can turn off the ping requests with a simple switch in your browser. With a HREF, you can't.
I wasn't making a slippery slope argument. I was showing a logical progression. Today the devs want to be able to request a ping. Tomorrow they'll want more. This is Linux ActiveX, that's all it is.
fast as fast can be. you'll never catch me.
That smells like a slippery slope argument to me. That said, it's still wrong.
See, this is a "ping" in the logical sense: "Notify me". It's just another HTTP request, the same as a request for an image or page, except that the results aren't used as part of the rendering process. It's not a ping in the sense of "invoke some arbitrary non-browser-related functionality on my system" (as an ICMP ping, or invocation of the OS's ping tool, would be).
Perhaps they should have used a different name.
How much demand is there for this feature to be implemented on the server side? ie. I load a page with a ping request, my client forwards the request to the server which gave me the page and the server then makes the ping to the address inside the request?
Why must I, as the client user, be automatically included on an internet notify list? Will Slashdot moderators be notified when I wake up in the morning and check Sourceforge if the sf.net page has a ping for something like user-track-for-moderator-awareness.slashdot.org? Will e-mails read on Gmail be able to request pings so that we can get subpoenas in e-mail?
Look... there's just no good reason for this.
fast as fast can be. you'll never catch me.
If they're going to go any further with the "ping" feature, there should be a function (enabled by default) that prompts you before pinging the servers.
:)
Or a way to disable it altogether (if one doesn't exist). Time to write some patches...or extensions
If you can't convince them, convict them.
Refute this concrete example then:
// Do evil click tracking here.
<script>
function make_onclick(old_oo)
{
    var old_onclick = old_oo;
    return function () {
        if (old_onclick)
            return old_onclick()
    }
}
var x = document.getElementsByTagName('a');
for (var i=0;i<x.length;i++)
{
    x[i].onclick = make_onclick(x[i].onclick ? x[i].onclick : null);
}
</script>
Put that at the end of any web page and you should be able to run whatever you want on any link click.
I claim invention rights on a WWW based internet notify list based upon a collaborative effort by websites using HTTP PING, or other WWW methods, and a centralized server... :)
fast as fast can be. you'll never catch me.
If one wanted the server to do a HTTP PING itself, and didn't mind writing a little server-side code, one could just do that as a CGI or something pretty darned easily -- without even needing to bounce the request between the server and the client (which is just unnecessary traffic and lag). However, this tag is going to be used largely by folks who do mind writing a little server-side code: Maybe they just have static hosting and can't run arbitrary code serverside; maybe it's not worth the trouble to them compared to a little HTML that makes the client do the request; maybe it's for advertising purposes and the advertisers won't trust a notification that's coming via a server owned by the folks who are receiving money on a per-click basis. (I sure wouldn't).
Hmm... that depends on whether they're allowing cookies to be attached to this PING (which they can be with IMG HREFs); I'd need to read the spec to determine if it's possible (and if I wasn't so tired, I'd go do that right now -- but I need to be getting to bed). It's a valid question -- but again, this isn't something that couldn't be done with preexisting techniques; HTTP PING is just another approach, but it isn't in the rendering path and can be turned off with a switch in the browser.
Since gmail (like all responsible mail clients which use a general-purpose HTML rendering engine for display of incoming messages) sanitizes the HTML that's included in email messages, this shouldn't be possible. If they didn't support such sanitization, existing methods (yadda yadda).
If you want to be able to assimilate user data then pay for a decent hosting company.
fast as fast can be. you'll never catch me.
Hang on... Firefox 2 roadmap 'had' to be approved by Google? I think this is undermining by stealth. The project is not the property of those developers that are on Google's payroll... I can see this (legitimately) becoming another one of those "Google borrows freely from open source, pushes others to use it, and then keeps much of its work inhouse" things
Because if Google worked by analyzing server logs handed to them by every Joe Blow who runs their own web page to accurately count hits, they would be taken for a ride by dishonest server operators handing them fake logs. How isn't this a valid reason? I did point it out in the post you're responding to.
Why not? Just because something benefits the sysadmins doesn't mean it can't also benefit the user.
No, no, maybe I misspoke, I think we agree.. What I was saying is that there is more security in a standard app communicating with my hard drive than in an "app" that is browser based communicating with an unknown system over a public network like the internet. There is far less of a chance of "middlemen" in my IDE cable. If I were paranoid about the first instance, I can just unplug the machine from network access, and lock it down from local access. (Assuming no one has already installed some sort of keylogger).
Applications built through the browser, like AJAX, do a lot of things behind the scenes that can be tricky to monitor, just like the Firefox ping can be transparent to the user. I was implying that these sorts of applications are more difficult to secure than the above "closed" machine "by orders of magnitude" because they rely on the network.. you can't simply turn off the connection. At the very least you would have to do some traffic monitoring/filtering, and encryption if you want to stop man in the middle capture.
In the example given, there was a comparison between AJAX and an app run off the local harddrive. To me, in terms of security, those are wildly different animals because the hard drive only app at least offers me easy localization.
fast as fast can be. you'll never catch me.
I think you know the definition of better;
less crappy than the worse alternatives.
It's one thing to work with folks who aren't particularly cooperative. It's another thing to be engaging in financial transactions with a self-selected group of folks who have monetary incentive to be dishonest. In these cases, checks, balances and auditing are necessary to be in the business at all.
Do you have any problem with double-book accounting? How about 3rd-party audits of investment companies? Allowing the logs of a client hit on a site to go to two places instead of one is a necessary safety measure to prevent companies who are buying ad space from being defrauded as easily -- and it's done as a matter of course anyhow. Supporting the PING tag will simply let it happen without adding an extra tenth of a second or so to the user's page load time.
Somehow the print advertising industry doesn't have this problem even though the inflation of distribution numbers is known and accepted. I don't see any counters, let alone license plate trackers, on roadside billboards. I have no problem with checking the authenticity of the books but every other industry has reached an equilibrium of trust. It's no secret that clicks are easily falsified on the 'net using bots. Yet another tracking mechanism isn't going to do diddly to fix inflated page ranks.
No more drivel about this being necessary for advertising. Other industries have figured it out without tagging every man woman and child who walks the street.
fast as fast can be. you'll never catch me.
This is exactly why Open Source is better! How long would it have taken to uncover such a debatable feature in a closed source product?
I've covered this in other comments. Many of these sites cannot survive without revenue and people will not pay for the content directly, so this is a non-starter. Instead of going away, the ads will simply become harder to block. The current trend is to use flash and gif animations but they will end up being replaced with CSS ads and javascript animation (image flipping, CSS-changing, and such) so that people can have ads that are much harder to block.
And again, this is also a non-starter. There is no reason not to develop web applications! If you don't like them, don't use them, but centralizing information is highly useful. In addition, you can use javascript (and other scripting) to make web sites useful to one another, sharing information. This makes the web more useful. You're trying to make the web less useful! This will not fly.
Good idea, but it won't reduce page loads.
See my previous point, you're trying to reduce functionality. It's not going to be like that. People want dynamic web pages! The fact that you seem to not want any pages with any kind of complex dynamic content doesn't change that fact.
You still haven't given any reason why web applications are a bad idea, except that you don't like them. There are many reasons why they are good ideas. If you don't like them, you don't have to use them. Those of us who do will continue to do so. The web will continue to be a complicated place, in much the same way that the world is.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm not sure if you're still misunderstanding the limited scope of what PING requests allow, or if you're just using an overexpansive metaphor for effect. Unless PING requests allow cookies to be attached to them (which they shouldn't -- it would be a yet another cheap loophole to the "cookies are local to the server you're getting your page from" rule), there's no tagging.
It's yet another network request which serves no purpose except for tracking. There's an IP address attached to that network request. A little cross-referencing with other available recent databases makes the need for cookies just silly. What are you hiding?
There is no good reason for this.
fast as fast can be. you'll never catch me.
Tracking an IP address is one thing; tracking a user is another. The tie between an IP and a user is tenuous in these days of pervasive NAT and dynamic IP assignment.
Oh please. Everyone already knows that only cookies which contain "personally identifiable information" can be used to profile the users.
You're going to have to try a lot harder if you want to convince me that IP address logs aren't cross-referenced with cookie databases on a regular basis.
fast as fast can be. you'll never catch me.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Uh-huh. Right. So just what are those mega Google cubes doing? I suppose they're all just innocently serving up web-pages. The marketers surely wouldn't bother putting together things as easy as an IP log and a cookie database. That'd be much too difficult for them.
Right.
fast as fast can be. you'll never catch me.
btw java web start is running today for anyone who has the JRE installed. so are java applets for that matter (though web start seems better than applets in a couple of ways
1: it does an end run round the firefox 100% height issue which means you can't just make your applet fill the windows (you can hack around this with javascript but it's apparently very hard to get it to work perfectly)
2: you don't have all the window trash that a typical browser window has
3: your app is far less likely to get closed by mistake.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
It's not that you can't combine them -- it's that you get too many false positives if you do.
Why did Raggedy-Ann get kicked out of the toybox?
fast as fast can be. you'll never catch me.
Huh?
She was caught repeatedly sitting on Pinocchio's face and demanding that he tell another lie.
I can't believe you fell for that.
fast as fast can be. you'll never catch me.
I think what it brings to you as a user is a bit of extra speed in browsing.
Current setup: a website like freshmeat.net that wants to get click statistics turns every link into something like http://freshmeat.net/redirect/xyz.com. You click on that link - your browser makes a request to freshmeat.net, which sends a redirect, and your browser then goes to the correct site xyz.com.
New setup with this 'ping' attribute: the link goes directly to xyz.com. The new page appears quickly and your browser can inform freshmeat.net asynchronously, so you don't have to wait. Also, you can easily turn off pinging with a single UI preference if you are concerned about privacy. With the old way of doing things there is no way for the user to turn it on or off.
-- Ed Avis ed@membled.com
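The two click-tracking setups described in the comment above, and the "remove PING from links" filter suggested earlier in the thread, sketched as an added example that is not part of any poster's comment. It rewrites a page with `ping` attributes dropped and reports both ping lists and redirect-style links; `PingStripper`, `strip_pings`, `embedded_target`, the redirect heuristic and the `stats.example` host are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample page: a link carrying a ping list, a redirect-style
# tracking link (the "current setup"), and an ordinary link.
SAMPLE = (
    '<p><a href="http://xyz.com/" ping="http://freshmeat.net/ping '
    'http://stats.example/p">direct</a> '
    '<a href="http://freshmeat.net/redirect/xyz.com">redirect</a> '
    '<a href="http://freshmeat.net/about">plain</a></p>'
)


def embedded_target(href):
    """Heuristic, an assumption of this example: return the destination
    carried inside a redirect-style link, or None if there is none."""
    try:
        parts = urlsplit(href)
    except ValueError:  # malformed URL, nothing to report
        return None
    for _, value in parse_qsl(parts.query):
        if value.startswith(("http://", "https://")):
            return value
    segments = parts.path.split("/")
    if "redirect" in segments:
        rest = "/".join(segments[segments.index("redirect") + 1:])
        return rest or None
    return None


def render(tag, attrs, closing):
    """Rebuild a start tag; the parser hands back unescaped values."""
    parts = [tag]
    for name, value in attrs:
        parts.append(name if value is None
                     else f'{name}="{escape(value, quote=True)}"')
    return "<" + " ".join(parts) + closing


class PingStripper(HTMLParser):
    """Re-emit a page, dropping ping attributes and recording findings."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.findings = []  # (kind, href, detail) tuples

    def _start(self, tag, attrs, closing):
        if tag in ("a", "area"):
            first = {}
            for name, value in attrs:
                first.setdefault(name, value)  # first duplicate wins
            href = first.get("href") or ""
            target = embedded_target(href)
            if target:
                self.findings.append(("redirect", href, target))
            if "ping" in first:
                # ping holds a whitespace-separated list of URLs to notify
                urls = (first["ping"] or "").split()
                self.findings.append(("ping", href, urls))
                kept = [(n, v) for n, v in attrs if n != "ping"]
                self.out.append(render(tag, kept, closing))
                return
        self.out.append(self.get_starttag_text())  # untouched tags verbatim

    def handle_starttag(self, tag, attrs): self._start(tag, attrs, ">")
    def handle_startendtag(self, tag, attrs): self._start(tag, attrs, " />")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")
    def handle_pi(self, data): self.out.append(f"<?{data}>")


def strip_pings(html_text):
    """Return (page without ping attributes, list of findings)."""
    parser = PingStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.findings


if __name__ == "__main__":
    clean, findings = strip_pings(SAMPLE)
    for kind, href, detail in findings:
        print(kind, href, detail)
    print(clean)
```

In Firefox itself, the client-side switch is the `browser.send_pings` preference in about:config; the redirect-style link has no equivalent switch, which is why the filter can only report it.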