Slashdot Mirror


Firefox's Ping Attribute: Useful or Spyware?

An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."

21 of 575 comments

  1. Firefox's Ping Attribute: Useful AND Spyware by eldavojohn · · Score: 5, Insightful

    This isn't a question, it's obviously a little of both. Sacrifice some information about the sites you visit to allow those who run the servers (anyone, really) some feedback and statistics.

    It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.

    Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled.

    --
    My work here is dung.
    1. Re:Firefox's Ping Attribute: Useful AND Spyware by Stevyn · · Score: 5, Funny

      Nooo! Here in the US, the media polarizes two options and have people in bow ties argue it. You're either in agreement with this idea or totally against it.

    2. Re:Firefox's Ping Attribute: Useful AND Spyware by timeOday · · Score: 5, Insightful
      "As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled."
      I'm racking my brain to imagine why a user would ever want to enable it.
    3. Re:Firefox's Ping Attribute: Useful AND Spyware by heavy+snowfall · · Score: 5, Insightful

      As I see it this will only make it easier to avoid tracking. At the moment tracking links are often obfuscated like this one. With this new attribute and the ability to disable it you get a plain non-tracked destination URL.

      Because of this, and it being Mozilla-specific for now, websites that currently use tracking URLs will see no value in switching over.

      As for privacy concerns, it's already quite easy to track people on the web. Those who avoid it now are more in the know and would probably just add this to the list of things to disable.

    4. Re:Firefox's Ping Attribute: Useful AND Spyware by kawika · · Score: 5, Insightful

      The blog is right that from a user perspective this is good because it makes the target page load faster and makes the tracking transparent. However, this gives the marketer or website even less control than they have now.

      Today, ad or other link tracking is generally handled like this: The link target specifies a tracking page and passes in a magic word or number that specifies the campaign or other info (e.g., "go.php?id=123" or "click.asp?campaign=A1254S"). That page logs the click in some database and issues a redirect to the actual destination page. Sometimes the web server log acts as the "database" and the click stats are processed from the logs.

      With this new scheme, the idea is supposed to be that the href target would be the actual destination and there would be no need for the time-consuming redirect. The separate ping attribute would take care of notifying the server similar to what happens today. But now the target page is out in the open for the client to see, and it is not essential to use the ping URL at all! Once users start blocking ping URLs, as they inevitably will, this transparency means that click stats will be very unreliable.

      Since a lot of revenue depends on click numbers, this outcome is bad for commercial web sites. Therefore, very few money links will ever use this scheme and will instead stay with the tried-and-true redirect pages.

  2. Consider what may happen by suso · · Score: 5, Insightful

    I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest. Because all of you know that it will be abused and that users will implement it wrong or find new uses for it that the developers didn't intend. Some of them may be good, some bad.

  3. Coming soon to a browser near you: by Whiteout · · Score: 5, Insightful

    One ping-disabling Firefox extension.

  4. Very useful by dada21 · · Score: 5, Interesting

    This feature is extremely useful for any website that wants to give their users better content by parsing what they're going through. It also lets you figure out who is clicking advertisements (which are usually off site) and even gives you the ability to run a multitude of websites but aggregate all the statistics on one of your machines.

    Sure it can be abused -- I don't see why more of these abusive features can't be set up in a whitelist fashion. I'm already shocked that web browsers make it so difficult to whitelist sites you feel are safe (or don't mind giving up some information to make your experience better).

    That comes to the point of this post -- how about a standard "setup" logo/button committee that helps create a "setup" web profile that sites can use to give the users options on how they want to be configured? We've got some standard buttons already (RSS feed, etc), why not one that users could be familiar with so that they can white list or opt-in to certain additional "anti-privacy" features?

    I know many websites (including a few of mine) could use more user information, and I don't see why we can't work to just setting a standard for how to do it.

  5. Submitter is a melodramatic idiot by grahams · · Score: 5, Informative
    1. You are talking about a feature just added to a development tree, not something in a released version of Firefox.
    2. This feature can already be disabled (if you happen to be running a development version) using the 'browser.send_pings' preference.
    3. They didn't "quietly enable" a feature, they did it in front of everyone interested. There are plenty of bugs in bugzilla talking about the implementation of this feature. If you are running a development version of Firefox and can't be bothered to keep up with what is going on in the development community, that's your problem.

    Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=319368

    // check prefs to see if pings are enabled
    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
    if (prefs) {
        PRBool allow = PR_TRUE;
        prefs->GetBoolPref("browser.send_pings", &allow);
        if (!allow)
            return;
    }
  6. userContent.css to the rescue by Matt+Perry · · Score: 5, Informative
    Add this to your userContent.css file to make links with the ping attribute have a green border when hovered:
    a:hover[ping]
    {
        -moz-outline: 1px solid green;
    }
    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    1. Re:userContent.css to the rescue by booch · · Score: 5, Informative
      That should be:
      a:hover[ping] { -moz-outline: 1px solid green !important; }
      in order to keep the web site from overriding your setting.
      --
      Software sucks. Open Source sucks less.
  7. Give me a ping. One ping only, please by hkgroove · · Score: 5, Funny

    This will make it easier for Ramius to declare his intention is to defect.

  8. You can already do this with Javascript by dmoen · · Score: 5, Interesting
    "I would recommend Firefox be distributed with this option disabled."

    Are you also recommending that Firefox be distributed with Javascript disabled? Because this ping functionality is easy enough to implement in javascript. If ping is disabled by default, then nobody will have it enabled, which means that web developers will continue to do it the old fashioned way, and the ability to disable ping will be worthless.

    Doug Moen.

    --
    I have written a truly remarkable program which this sig is too small to contain.
  9. Don't worry yet by courtarro · · Score: 5, Interesting
    "Quietly" refers to Mozilla's inclusion of this feature in the nightly trunk versions, not the official version available for download. That's hardly cause for concern. I'll bet most of the features added to nightlies are "quiet", so that's just a bit of fear mongering. It's a development version! I personally don't like the idea of pings that much, but I'm willing to bet it will have a UI to allow disabling when it's released to the masses. According to the bug request to implement it:

    We should try and do an experimental implementation of , to see if there are any unexpected real-world problems.

    That's what nightlies are for! We now see that it's a controversial tag (and they're probably already well-aware), so they're giving it a shot. Would you rather them just say "no, we don't like that potential standard, so we're not going to try implementing it"?
  10. Facts of the matter by Panaflex · · Score: 5, Insightful

    One, this is in the trunk builds - NOT the released versions.

    From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."

    I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.

    But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.

    On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.

    But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.

    Solution: In my mind, the big(and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"

    Just my $0.02

    --
    I said no... but I missed and it came out yes.
  11. Possible fix by spitzak · · Score: 5, Interesting

    Why not limit the ping to the server that made the current page? This should prevent people from embedding pings into blogs, and still allow the replacement of redirects for tracking where you go. I would think unless this is done, too many people will disable it for any real sites to use it, and it will *only* be used for nefarious purposes.

    1. Re:Possible fix by RevDobbs · · Score: 5, Informative

      Did you read the article, or the WHATWG spec?

      It specifically mentions:

      1. Links with the "ping" attribute should be differentiated from other links.
      2. There should be client-side options to control "ping" behavior, similar to current cookie options: "respond to all", "ignore 3rd party", "ignore all".

      FWIW, this really seems dead in the water. First, not too many users will have it enabled (or even available, for that matter). Second, this information is already being reliably collected with cookies, mod_usertrack, javascript, and page redirect tricks -- mostly with no knowledge of the end user.

      Why go with a little-available, easily disabled mechanism when the tried-and-true method is already available?
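
Added example (not from the thread, the WHATWG draft or Firefox's source): a sketch of the client-side control listed above, which also covers the parent comment's idea of limiting pings to the server that made the page. `POLICY`, `filterPings` and the sample URLs are hypothetical, and "third party" is assumed to mean a different hostname than the page.

```javascript
// Decide which ping URLs a client would notify for one clicked link,
// under the three settings named in the comment above.
// POLICY and filterPings() are hypothetical names, not a browser API.
const POLICY = {
  ALL: "respond to all",
  NO_THIRD_PARTY: "ignore 3rd party",
  NONE: "ignore all",
};

function filterPings(pageUrl, pingAttr, policy) {
  if (policy === POLICY.NONE || !pingAttr) return [];
  const page = new URL(pageUrl);
  const seen = new Set();
  const allowed = [];
  // The attribute holds a whitespace-separated list of URLs.
  for (const token of pingAttr.trim().split(/\s+/).filter(Boolean)) {
    let target;
    try {
      target = new URL(token, page); // resolve relative entries against the page
    } catch {
      continue; // unparsable entry: never contact it
    }
    // Only web schemes are ever notified.
    if (target.protocol !== "http:" && target.protocol !== "https:") continue;
    // Assumption: "third party" means a different hostname than the page.
    if (policy === POLICY.NO_THIRD_PARTY && target.hostname !== page.hostname) continue;
    if (seen.has(target.href)) continue; // one notification per distinct URL
    seen.add(target.href);
    allowed.push(target.href);
  }
  return allowed;
}

// Constructed sample input: one first-party logger, one third-party tracker,
// one non-web scheme and one duplicate.
const samplePage = "https://news.example/story/42";
const samplePing = "/log/click https://ads.example.net/t?id=123 javascript:void(0) /log/click";

function demo() {
  return {
    all: filterPings(samplePage, samplePing, POLICY.ALL),
    firstParty: filterPings(samplePage, samplePing, POLICY.NO_THIRD_PARTY),
    none: filterPings(samplePage, samplePing, POLICY.NONE),
  };
}

console.log(demo());
```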

  12. Re:RTA by nicklott · · Score: 5, Informative

    but they're not expensive to the user. No website can use this as a primary mechanism in a process as less than 1% of their users will have it enabled. So, it can only be used for things that are optional to the website, for example user tracking. And in this case it actually generates more traffic, as now you just parse your logs (or put an image in, wherein we have a mechanism that does exactly the same thing anyway).

  13. Re:RTA by malsdavis · · Score: 5, Informative

    Firstly, they are expensive to the user, as you have to wait for the response to come back before being able to move on to the next page, and secondly, being expensive for the web server does indirectly affect users.

    Sure, your one redirect query may not affect you much, but tens of thousands of people doing it could slow a server right down.

  14. it's all about Google adwords by SethJohnson · · Score: 5, Interesting

    Why would a web developer use the ping attribute now?

    I think the main developer who would want to use it is Google with their adwords program. They're probably trying to minimize the bandwidth those redirects consume for all the clicking that happens on their ads. This is on top of the bandwidth of every page view requesting the ads to be embedded in the first place, which can't be avoided...

    Even if Google can shave off 6% of unnecessary redirects (all Firefox users), that's a big bandwidth savings.

    Seth

  15. Highlighting links that have a ping attribute by CTho9305 · · Score: 5, Informative

    If you add this to your userContent.css, links that have a ping attribute will be green:

    a[ping] {
        color: green !important;
    }

    You could also do something like this:

    a[ping] {
        -moz-opacity: 0.5 !important;
    }
    a[ping]:hover {
        -moz-opacity: 1 !important;
    }

    so that the links would be transparent until you hover over them