Slashdot Mirror
Firefox 's Ping Attribute: Useful or Spyware?
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
This isn't a question, it's obviously a little of both. Sacrifice some information about the sites you visit to allow those who run the servers (anyone, really) some feedback and statistics.
It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.
Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled.
My work here is dung.
I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest. Because all of you know that it will be abused and that users will implement it wrong or find new uses for it that the developers didn't intend. Some of them may be good, some bad.
At least for childbirth. Bring in the machine that goes, PING!
If brevity is the soul of wit, then how does one explain Twitter?
One ping-disabling Firefox extension.
This feature is extremely useful for any website that wants to give their users better content by parsing what they're going through. It also lets you figure out who is clicking advertisements (which are usually off site) and even gives you the ability to run a multitude of websites but aggregate all the statistics on one of your machines.
Sure it can be abused -- I don't see why more of these abusive features can't be set up in a whitelist fashion. I'm already shocked that web browsers make it so difficult to white lists sites you feel are safe (or don't mind giving up some information to make your experience better).
That comes to the point of this post -- how about a standard "setup" logo/button committee that helps create a "setup" web profile that sites can use to give the users options on how they want to be configured? We've got some standard buttons already (RSS feed, etc), why not one that users could be familiar with so that they can white list or opt-in to certain additional "anti-privacy" features?
I know many websites (including a few of mine) could use more user information, and I don't see why we can't work to just setting a standard for how to do it.
This is firefox we're talking about. There will be an extension available within the first day to strip out those attributes. Or even more likely a built-in option to not acknowledge them.
Websites can do all that stuff with a redirect script on the server side and the user has no control or knowledge of who is being notified. If site developers start using the ping tag instead we can selectively disable it with an extension. It gives the user control where before there was none.
Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=31936 8
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
as i read the summary i became overcome with fear when the updates are available dialogue popped up at the bottom of my screen. coincidence....?
The only way to get rid of a temptation is to yield to it.
-Oscar Wilde
This will make it easier for Ramius to declare his intention is to defect.
Are you also recommending that Firefox be distributed with Javascript disabled? Because this ping functionality is easy enough to implement in javascript. If ping is disabled by default, then nobody will have it enabled, which means that web developers will continue to do it the old fashioned way, and the ability to disable ping will be worthless.
Doug Moen.
I have written a truly remarkable program which this sig is too small to contain.
Does this feature track and retain your surfing habits without your consent?
No.
Can you not opt-out of it?
Disable the feature. Easy.
It's not spyware by your definition. It has the added benefit of giving the user some control instead of being secretly tracked by the server side.
A lot of websites use redirect pages to get this exact same information, and off the top of my head I imagine it is pretty simple to notify multiple urls of where you are going using some tricky javascript and even cookies and referrers can be used across sites to track visitors. This is just making a very common, and needlessly complex, mechanism infinitely simpler for the web developer.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
So, I don't mean to go all "Senstionalist Title" on your ass, but the post links to a mozilla blog explaining how they've added this feature to the TRUNK. Announcing a new feature in a blog is not quite a press release, but it's a hell of lot more forthcoming that what "quietly added" implies. Also, it's been added to the Trunk, so it's not likely to actually show up in any Mozilla build for a while, much longer, if ever, in a release. This is really the way to add something like this. Put it in to see where and how it will be used and whether that's good or bad.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
Wikileaks, no DNS
1. Javascript does it already
... if Microsoft said that /. would be up in arms)
2. Now you alienate any user using another browser
3. Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules"
We should try and do an experimental implementation of , to see if there are any unexpected real-world problems.
That's what nightlies are for! We now see that it's a controversial tag (and they're probably already well-aware), so they're giving it a shot. Would you rather them just say "no, we don't like that potential standard, so we're not going to try implementing it"?If this can't be disabled (in preferences, about:config, or easily in the source, or via some extension/Greasemonkey script) then I'm sticking with the current 1.5 build, or possibly off to Opera or Epiphany.
Jesus if this was put into MSIE then people would be writing to their MP/senator by now!
I cannot think of any good use for this.
People who run servers do not need that specific kind of stats, their server logs should be good enough. Only marketing (aka spyware) types would want this kind of info.
#include <sig.h>
One, this is in the trunk builds - NOT the released versions.
From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."
I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.
But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.
On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.
But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.
Solution: In my mind, the big(and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"
Just me $0.02
I said no... but I missed and it came out yes.
Assuming that IE implements the same feature, will sites use this? If clients can turn it off, I suspect that web sites won't trust it. This is something that is most accurately done on the server, and I think that's where it will stay.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Disable the feature. Easy.
This kind of misses the point. If Firefox is to become a mainstream internet browser, it needs to be anti-spyware and usable from a clean install onwards. Making it the ideal browser for the tweakers, where it's at its most usable after multiple options have been changed and several extensions installed, is not going to make it the browser of choice for the general public.
As far as grabbing market share goes, it's the default settings that make the difference.
Why not limit the ping to the server that made the current page? This should prevent people from embedding pings into blogs, and still allow the replacement of redirects for tracking where you go. I would think unless this is done, too many people will disable it for any real sites to use it, and it will *only* be used for nefarious purposes.
It's different because web server logs only record what you ask that server for. Web server logs don't record what you ask other servers for.
This is essentially what the Referer header does, except in reverse. Instead of telling a new server where you have come from, it tells the old server where you are going.
This is already possible with Javascript, and it was possible with CSS too - I'm not sure if it still is, but the technique was basically to suggest a local background image to style :active links - so when the link becomes :active (when it gets clicked on), the browser downloads the background image and you know the link was clicked.
Bogtha Bogtha Bogtha
Acid2 only measures the particular edgecasitis that the Acid2 authors managed to think of - web developers seem capable of introducing many more. What's needed isn't more acid tests but a W3-approved regression suite.
Why would a web developer use the ping attribute now?
I think the main developer who would want to use it is Google with their adwords program. They're probably trying to minimize the bandwidth those redirects consume for all the clicking that happens on their ads. This is on top of the bandwidth of every page view requesting the ads to be embedded in the first place, which can't be avoided...
Even if Google can shave off 6% of unneccessary redirects (all Firefox users), that's a big bandwidth savings.
Seth
$5 / month hosted VPS on linux = awesome!
If you add this to your userContent.css, links that have a ping attribute will be green:
a[ping] {
color: green !important;
}
You could also do something like this:
a[ping] {
-moz-opacity: 0.5 !important;
}
a[ping]:hover {
-moz-opacity: 1 !important;
}
so that the links would be transparent until you hover over them
My server
This is an important point. An AJAX application will quite merrily send and recieve large quantities of data without you knowing - this is by design. It relies on being able to do things 'behind the user's back'.
Think of it this way - if you had a popup every time a local application wanted to communicate with the hard disk, how quickly would you become angry?
How many people can read hex if only you and dead people can read hex?
I'm already testing and I'm about to release a NoScript version (1.1.3.6) which neutralizes this lovely ping attribute on untrusted sites, and offers also an user-accessible option, not implemented by Firefox (yet?), to disable it globally. I hope this will calm down the tinfoil hats ;)
There's a browser safer than Firefox, it is Firefox, with NoScript