Several Major Browsers to Prevent Disabling of Click-Tracking 'Hyperlink Auditing'

x_t0ken_407 quotes BleepingComputer: A HTML standard called hyperlink auditing that allows sites to track link clicks is enabled by default on Safari, Chrome, Opera, and Microsoft Edge, but will soon have no way to disable it. As it is considered a privacy risk, browsers previously allowed you to disable this feature. Now they are going in the opposite direction.

Hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page that can then examine the request headers to see what page the link was clicked on.
The article concludes that "Firefox and Brave win the award" for people who want this click-tracking capability disabled -- since "only Brave and Firefox currently disable it by default, and do not appear to have any plans on enabling it in the future."

Turned off by default in firefox

Went looking for how to turn it off, article was kind enough to provide the necessary about:config setting, it's "browser.send_pings".

Firefox already has it off by default. Nice! for once.

Re:Turned off by default in firefox

[AmiMoJo]

For Chrome install uBlock Origin and it's an option under "Privacy".

Re:Turned off by default in firefox

My Vivaldi also has it disabled by default.

Re:Turned off by default in firefox

Went looking for how to turn it off, article was kind enough to provide the necessary about:config setting, it's "browser.send_pings".

Firefox already has it off by default. Nice! for once.

Thanks for pointing this out. In our quest to imitate other/mainstream browsers more closely and provide a better user experience, we will fast-track the disabling and eventual removal of this feature. Like we did with so many other features.

Sincerely,

Mozilla

Re:Turned off by default in firefox

[omfglearntoplay]

So what happens when Chrome when it's not an option to turn off anymore? A little worrying.

Re:Turned off by default in firefox

[GuB-42]

*Not* nice.

tl;dr : It means a worse user experience and less privacy for Firefox users.

Try to think about why that "evil" standard exists in the first place. People don't need hyperlink auditing to track you.
What they do instead is that they wrap links into redirect URLs. They use JS to hide it in the tooltip. Just make a Google search in Firefox, right click on one of the search results and "copy link location". What you'll get is a Google URL with a redirect target. Google is far from being the only one to do that.

The problem with that is that it makes "copy link location" almost useless. It also has an impact on performance. "Hyperlink auditing" is the answer to that problem. Now, look at the Google search results in Google Chrome. The links target are correct, no more of that redirect bullshit. That's because it uses the "ping" attribute to achieve the same thing.

So when it comes to Google search, both Firefox and Google Chrome users are tracked. The difference is that Firefox users can't properly copy links and are slower. Furthermore, if you have uBlock Origin installed, you will only get tracked if you are using Firefox...

Re:Turned off by default in firefox

Just make a Google search in Firefox, right click on one of the search results and "copy link location". What you'll get is a Google URL with a redirect target.

I use this to deal with the redirect links.
https://addons.mozilla.org/en-US/firefox/addon/google-search-link-fix/

Re:Turned off by default in firefox

[Wolfrider]

--Thanks for that! I double checked and hopefully won't have to change browsers since it can be disabled with that extension.

Re:Turned off by default in firefox

[Pieroxy]

What people that want to track click do today is bring you to their website and issue a 302 to redirect you to the destination website. What this feature allowed was to remove the necessary hop, and thus would make the web faster.

But since Firefox did not activate it by default, everyone is still redirected through domains everytime they click a link.

Not sure it's an actual win. Firefox do not remove a feature by disabling this, they forbid an optimization.

Re:Turned off by default in firefox

Yes it is a win for everybody that Firefox does not follow this unhappy standard. Websites that play nice--that don't having track-clicking URL's--are rewarded by working faster.

Can't this just be done with Javascript?

[phantomfive]

Can't you just encase the link in Javascript and get the clicked link that way? Or do webpages not do that very often?

Re:Can't this just be done with Javascript?

[MrL0G1C]

I loathe links made in that manner because when you right-click them they aren't treated as links so you can't open them in a new tab with a right-click or copy the link etc. That is a mistake IMO, if it's a link when you left-click it then it should also be treated as a link when you right-click it.

Re:Can't this just be done with Javascript?

Don't even need that - they could be far more honest and simply rewrite it http://clicktrackers.com/logclick&desturl=http://blah.... ; and clicktrackers simply sends a redirect to the real site name.

The point of this is to hide the fact your clicks are being tracked so you don't see it.

Re:Can't this just be done with Javascript?

Can't you just encase the link in Javascript and get the clicked link that way? Or do webpages not do that very often?

Problem is that any kind of AJAX request made before or during a page navigation is liable to be terminated by the browser as the page gets unloaded.

But besides the old ping there are also beacons. Both offer an important point: the request won't be terminated.

Re:Can't this just be done with Javascript?

[viperidaenz]

The point is to also speed the request up. The ping can be done in parallel, you don't need to wait for your click-tracker to redirect you.
ad-blockers can also easily block the ping request.

Re:Can't this just be done with Javascript?

Nobody in their right mind runs random javascript like that, after the last couple decades of exploits using JS.

Re:Can't this just be done with Javascript?

[Tough+Love]

Plus, they are stealing your bandwidth and likely as not, adding latency.

Re:Can't this just be done with Javascript?

[Tough+Love]

Right, so expect Google to step up its campaign to block the adblockers.

Re: Can't this just be done with Javascript?

Of course not. It doesn't mean the JS is going to be unpredictable either

Re:Can't this just be done with Javascript?

[Galactic+Dominator]

When my facet drips, it steals my water.

Re:Can't this just be done with Javascript?

[DontBeAMoran]

They also break "command+click" which is supposed to open the link in a new tab.

Re:Can't this just be done with Javascript?

Your neighbor siphons off water every time you use your faucet.

Re:Can't this just be done with Javascript?

[Tough+Love]

That is you, pissing your water away as if it were not valuable. Fix your fucking faucet.

Re:Can't this just be done with Javascript?

[The+MAZZTer]

You can make the links work properly when right clicked, the problem is whoever coded it didn't care enough to make that happen.

The proper way to do it is to make it a normal link, but then hook up some JavaScript that stops the default link behavior and/or does something extra in the background.

Re:Can't this just be done with Javascript?

[Waccoon]

Even better, UX people are trying to bring the "swipe" paradigm to the desktop. Now, just trying to select and copy a block of text doesn't work, because clicking anywhere in the text treats it like a drag-able layer.

Modern UX is all about breaking everything that made the web work. If browsers even try to stop this BS, designers will hack their way around the fixes.

Re:Can't this just be done with Javascript?

[shadow_slicer]

They do that entirely too often. Additionally, this is a security risk because you don't know where the link goes until you click it.

Re: Can't this just be done with Javascript?

Water costs less than bandwidth and smartphone internet plans.

Re:Can't this just be done with Javascript?

Oh like you don't wanna swipe right on your desktop.

Re:Can't this just be done with Javascript?

[Kejiro]

Modern UX is all about breaking everything that made the web work.

Correction: Modern UX is all about breaking everything that made UX work

With the rise of cross-platform tools like Elektron and similar even desktop applications are moving to not being usable. Instead of having an application that works as a desktop application should, you are being met with a website that have 10% of the functionality from previous versions, and with twice the resource consumption.

Re:Can't this just be done with Javascript?

Why do they need a 'mechanism' at all?

So lets say I have a page called A. I want to track if users access it from page B or from page C. No js needed, no redirects needed. But this:

On page B:

On page C:

The webserver serves the same stuff for A_from_B and A_from_C or anything else beginning with "A_from..." But the logs clearly shows where the traffic came from.

Now, do you worry that some will type "A_from_elsewhere" in order to mess with statistics? Very few will bother - and the 'ping' mechanism is not safe from tampering either. Anyone who can compile a browser, can mess with those pings. Block them, or change them. So can anyone with a programmable firewall.

Re: Can't this just be done with Javascript?

First world problems.

Re: Can't this just be done with Javascript?

[Cederic]

Actually no, I spend more on water than on my mobile phone.

I have 'unlimited data' on my phone.

Re:Can't this just be done with Javascript?

[SurenEnfiajyan]

I guess the point is to just notify the specified website that a certain link was opened, that's it. It's much more complicated and costly to do this with Javascript because browsers block a XMLHttpRequest to other domains (cross origin policy). With just JS it can be done, for example, by creating an iframe of the advertiser website and sending a message to it, or send a request to the same domain and then that domain server will send the message to the advertiser. More complicated and also less acceptable.

"One of these things is not like the others"

Chrome is open source, so it should be simple to patch Chromium to prevent enabling it instead, maybe even to patch Chrome.

Re:"One of these things is not like the others"

No. Chromium is open source. Google Chrome is not.

Re:"One of these things is not like the others"

[ChoGGi]

There's always tampermonkey

let links = document.getElementsByTagName("a");
for (let i = 0; i < links.length; i++) {
    let link = links[i];
    if (link.hasAttribute("ping")) {
        link.removeAttribute("ping");
    }
}

Assuming it works... anyone got a site with these ping links?

Re:"One of these things is not like the others"

Typo. First word should also have been Chromium.

Re: "One of these things is not like the others"

[JoeyRox]

That's what Brave is doing essentially - it's based off the Chromium code. It also provides some other nice features, such as a built-in Ad blocker and support for background playing of YouTube/video for their Android build.

Re:"One of these things is not like the others"

[grep+-v+'.*'+*]

I read about this yesterday, and immediately thought about tampermonkey. Thanks for the script.

On page link they talk about this, with

To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable.

<a href="https://www.google.com/"
ping="https://www.bleepingcomputer.com/pong.php"> Ping Me</a>

To wit: Ping Me

This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL , so users will not even realize this is happening unless they examine the sites source code. Scripts that receive the ping POST request, can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to.

The headers associated with the information sent in the ping request are shown below.

[HTTP_PING_FROM] => https:/ www.bleepingcomputer.com/ping.html
[HTTP_PING_TO] => https:/ www.google.com/
[CONTENT_TYPE] => text/ping

Re:"One of these things is not like the others"

[Z00L00K]

Or go around the other way - use this to generate faked pingbacks in large volume rendering the data collected useless.

Re:"One of these things is not like the others"

Damn shame TamperMonkey doesn't work in Chrome when using Incognito mode. :(

Re:"One of these things is not like the others"

Thanks for breaking my brain this morning. I can't stop trying to imagine what a volume rendering of faked pingbacks would look like.

Who cares?

Everybody wraps their hyperlinks with tracking code anyway.

Re:Who cares?

If you disable JS, or use a JS blocker then the tracking code dosn't track.

The Hyperlink Auditing causes the browser to do the tracking itself even if you disable JS.

Why?

Why ... just why....

Oh. Advertising tracking. Yeah. Blah.

Re: Why?

Duh

Re:Why?

[AHuxley]

AC, ads, always the ads.

Re:why?

[Ksevio]

Because the alternative is the page uses links to itself to a page that tracks the click and then uses a redirect header to send the user to the new page (or some javascript equivalent). In doing so, the actual destination is hidden from the user.

This is sort of a compromise, the link goes to the actual page, but it pings the site to let it know for link tracking purposes.

Basically, the sites are going to track the user clicking the link either way, it's just more transparent this way

"Safari, Chrome, Opera, and Microsoft Edge"?

"Safari, Chrome, Opera, and Microsoft Edge"?

So in other words: Safari, Chrome, Chrome and Chrome.

Re:"Safari, Chrome, Opera, and Microsoft Edge"?

[Gherald]

More like Practically Chrome, Chrome, Chrome, and Chrome

Re:"Safari, Chrome, Opera, and Microsoft Edge"?

[DontBeAMoran]

Not really, since Chrome is based on Safari, not the other way around.

Re:"Safari, Chrome, Opera, and Microsoft Edge"?

[anegg]

More like Practically Chrome, Chrome, Chrome, and Chrome

Can I get spam with that?

Re:"Safari, Chrome, Opera, and Microsoft Edge"?

[Cmdln+Daco]

Chrome and Safari are based on Konqueror, which is a KDE project. Apple always copies somebody else's code, but retains many lawyers to keep others from copying theirs.

Re:"Safari, Chrome, Opera, and Microsoft Edge"?

[DontBeAMoran]

That still doesn't invalidate the fact that Chrome is based on Safari (Webkit), not the other way around.

KHTML (Konqueror), Webkit (Safari), Blink (Chrome, Opera, Edge).

Re:"Safari, Chrome, Opera, and Microsoft Edge"?

Their code is just too ugly to integrate into anything. I think the GCC devs. just gave up trying to integrate Apples Objective-C implementation into GCCs trunk long before Apple moved to clang.

Chromium Issue 935978

Chrome devs have removed the hidden setting while they debate promoting it into the regular settings UI. If you want this, star the bug (but don't flood the comments too much):
Issue 935978

Re:Chromium Issue 935978

that makes no fucking sense...

REMOVE a setting that was available but hidden from normal user view... while considering adding it to the regular configuration UI?

why not leave it the fuck alone while you're having your internal debate... then relocate it when and if it's decided it should be moved.

captcha:stumped

Pale Moon - OFF by default

Turned off by default in Pale Moon too.

(I checked...)

AC

Re:HTTP IS GARBAGE! It isn't just Javascript, peop

HTTP is worthless

No! You couldn't be more wrong!

HTTPS is worthless! In fact it's dangerous. It's a bear trap. Watch out!

Re:Tim Berners-Lee, the hypocrite

I couldn't have said it better. I hope he rots in hell. Pure scum.

Re:Tim Berners-Lee, the hypocrite

[fustakrakich]

Fucking hypocrite.

Oh please! He's a businessman. What's the big deal?

And by likely future chromium forks

[ron_ivi]

Devil's advocate.... ... good.

This is exactly the motivation people need to move to different F/OSS chromium forks.

Yet another reason to use Firefox

[Tough+Love]

Look folks, as long as Google has control of the browser engine source code, Google has you by the short hairs. Worse, control of the binaries as in Android. Open source or not. Not only is Firefox just an all round nicer browser to use (my opinion, if you disagree then please direct your fan mail to Larry Page) it is the only browser that gives a toss about your privacy.

Re:Yet another reason to use Firefox

Only criminals want this level of privacy. If you are a decent person, you shouldn't have any reason to care at all whether or not sites track your clicks.

Usage of Firefox should automatically be grounds for search of one's personal property and data, since such people obviously have something to hide.

Re:Yet another reason to use Firefox

[Tough+Love]

Right, ask selfless Eric Schmidt, he'll tell you.

Re:Yet another reason to use Firefox

Funny enough, having reinstalled Firefox for the first time in ~3years it's safe to say they have enough OTHER crap still enabled by default that pings are the least of oyour worries. They have so much telemetry I doubt even they know what half of it is any more. See https://github.com/ghacksuserjs/ghacks-user.js for example.

Re:Yet another reason to use Firefox

[dargaud]

...posted as an anonymous coward... how fitting !

Winning

As a forever user of Netscape, Mozilla, FF, since forever, I give you all the 1-finger salute. I feel secure. The SJW shit needs to end soon, but I'm not switching browsers.

Re:Winning

Yeah, Firefox is to browsers like democracy is to government; it's the worst, except for all the others.

Re:Tim Berners-Lee, the hypocrite

[diamondmagic]

No, "ping" isn't in the official HTML specification. What /. linked to is the Google's unofficial fork of HTML.

Ha, just like Javascript, Mozilla will...

eventually cave in.

Firefox users used to be able to check a preferences box to enable/disable Javascript. There were some sites I would only visit with JS disabled first, and others where I wanted it enabled. I assumed the Mozilla team would eventually do the user-friendly thing and allow preferences to be set for certain oft-visited websites (perhaps a user-editable file listing special websites and whether to enable audi,video,popups,JavaScript and preserve cookies when otherwise clearing them) but nope - they appear to have caved to ad sellers and disabled the disabling of JS.

They seem to currently also be ignoring the option to disable popups.

The users get the browser for free, so they are NOT the customer.
The advertizers are directly or indirectly donating money to the Mozilla Foundation, so THEY are the customer and they will get what they want as soon as enough people at Mozilla decide to relax their principles.

Re:Ha, just like Javascript, Mozilla will...

[bhcompy]

You can still accomplish that with NoScript and uBO in Firefox. Or you can use Brave, which has it all built in.

Re:Ha, just like Javascript, Mozilla will...

Can't you turn it off in about:config?

For WHAT?

You deranged idiots are incredible. You clearly want a police state where any person can be locked up on a whim if the "right people" disagree with them, and you think of yourselves as the "right people".

History is littered with the corpses of the victims of tyranny who themselves enabled that tyranny in the dreams of using it to oppress their political opponents.

At least the Trumpsters chanting "Lock her up!" had a list of actual violations of actual laws for which they wanter her locked up. The FBI even admitted to that list when James Comey infamously stated that "no reasonable" prosecutor would prosecuter her for her crimes, and then moments later announced that if anybody else did the same thing, that person WOULD be prosecuted. You people who've been snorting some sort of drug from Rachel Maddow or Chris Hayes or Chris Cuomo, or Don Lemon, etc have no flipping idea of what laws you imagine Trump has violated.

Morons.

Re:For WHAT?

... have no flipping idea of what laws you imagine Trump has violated.

Obstruction of justice pertaining to the investigation into claims that Russia interfered in the election.

President Donald Trump: “But regardless of recommendation, I was going to fire Comey, knowing there was no good time to do it. And, in fact, when I decided to just do it, I said to myself—I said, you know, this Russia thing with Trump and Russia is a made-up story. It’s an excuse by the Democrats for having lost an election that they should have won.”

Thing is, it doesn't matter whether or not the Russia thing is completely made up; Trump determined that Comey was responsible for the investigation and used his position to suppress it.

Re:For WHAT?

What a lovely pack of lies you have their. Shame if actual facts went and let everyone know what a deluded fool you are.

Re:For WHAT?

[quicks0rt]

Sure, Hillary should be in jail, but she's not the one in power now is she? Trump while denouncing Hillary, committed and is committing all the same as Hillary had done. Obstruction of justice, violation of emolument clause, willfully ignoring border laws to further political goals, violating Campaign rules, using private emails (surprise, surprise), the list goes on and on.

The fact that this got voted insightful means there are a lot of morons who drunk the trump-aide and refuses to see for what he is. But you got this one right: "if anybody else did the same thing, that person WOULD be prosecuted." Indeed, if Trump was not a sitting president on the forefront of executive power, he WOULD be prosecuted.

Re:Tim Berners-Lee, the hypocrite

[Cmdln+Daco]

How long has it been since he was a CERN employee? Long enough ago that CERN is safe from his influence?

Re:Tim Berners-Lee, the hypocrite

[Dracos]

Drafts of HTLM5 included a ping attribute on the a element for doing exactly this. Anyone with a brain could see it would be an order of magnitude more exploitable and abusable than cookies. At some point it was removed from HTML5 officially, but the W3C has gotten into a habit of modularizing things.

ping is better than redirect

[kiviQr]

At least you can see where you are going. Plus you can block ping with browser extensions. Redirects not so much.

Re:ping is better than redirect

[devslash0]

Correct. I even started working such an extension this morning. I'm sure I'm not alone.

Re:ping is better than redirect

Untill they block those plugin/addons too. It's all a boiling pot, the only solution is not to play.

The majority of people still do not use any kind of adblock, when that changes you'll see them go after uBo and uM.

Firefox is Doomed

[jaa101]

This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party. The surprise here is that Safari has recently disabled this feature since Apple is much less beholden to advertising interests. There's a chance that the Safari change was inadvertent, or at least wan't considered very high up the corporate ladder. With luck Apple will put the feature back.

Re:Firefox is Doomed

Apple is becoming a media company. The devices are only a path to deliver their content. The privacy mantra is a marketing gimmick.

Re:Firefox is Doomed

[AmiMoJo]

Apple probably did it for the same reason everyone else did - it actually enhances privacy.

There are two ways you can audit clicks on links. You can use the proper HTML hyperlink auditing system, or you can write some horrible Javascript. The HTML hyperlink auditing system can be optimized by the browser for performance, and blocked by extensions, and means you get a real link instead of some Javascript that can't be copy/pasted or opened in a new tab.

By encouraging everyone to use HTML hyperlink auditing it actually improves privacy by making it easier to block and making links work like they are supposed to.

The next step will be to disable the Javascript option. Don't allow OnClick() to rewrite the page URL.

Re:Firefox is Doomed

This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party.

What makes open-source so cool, is that money is not a concern. They can have all the ad-money there is - and still not be able to prevent a browser that 'doesn't go with their program'. Sure, they can buy+close companies. Open-source browsers are still there, can still be worked on by the interested, and can still be used by anyone who care.

Re:Firefox is Doomed

[Tom]

Money from the internet comes from advertising

True, but a bit like saying that money in the movie industry comes from renting DVDs.

There are other business models. And advertisement is slowly but surely moving the way it should, to the trashbin of history. I've been on the charge in this one, I admit, I've had adblockers running since the very first alpha versions appeared, and I despite ads in the real world as well. But every year I hear more people complaining about ads and more people that I help in installing adblockers.

Sites are already reacting to adblockers if they detect them, that is new and a good sign that the business model is nearing its end. Good riddance.

Re:Firefox is Doomed

[Luckyo]

"Surrender peasants, because otherwise we'll slaughter you in an even more painful way".

How about no slaughter at all?

Re:Tim Berners-Lee, the hypocrite

[fahrbot-bot]

How long has it been since he was a CERN employee? Long enough ago that CERN is safe from his influence?

So... no longer a conCERN.

Re:Tim Berners-Lee, the hypocrite

W3C isn't a dictatorship. It has been controlled by corporate interested for over a decade. He has commented on this for years. Maybe if you would get your head out of your ass you would know this.

Re:Tim Berners-Lee, the hypocrite

[shadow_slicer]

How is the w3c version "official" if no one is following it anymore? After the XHTML debacle the WHATWG created HTML5. The w3c tries to remain relevant by taking occasional snapshots of the WHATWG standard, but they have no real authority anymore. Calling it "Google's" unofficial fork is incorrect - it was created and is maintained by a consortium of browser developers and is the authoritative reference for HTML5.

Trying to get rid of nasty redirects

[shadow_slicer]

The reason they're doing this is not to track people more. They're doing this so more developers use the ping attribute for this functionality instead of hacky JavaScript or redirects (which prevent the user from seeing what URL the link goes to, increase navigation latency since everything ends up serialized, make it hard to copy the real URL or open the URL in a new window, etc.).

If things go as they typically do, browsers will start blocking the old behavior from working or otherwise disincentivising that behavior once enough of the internet has migrated.

Re:Trying to get rid of nasty redirects

Who cares, it seems blockable (or nicer blockable if anyone uses it.)

Re:Tim Berners-Lee, the hypocrite

Perhaps. But you can't call Tim Berners-Lee a hypocrite for something that's in the WhatWG specification and not in the W3 specification.

World History 101

You clearly want a police state where any person can be locked up on a whim if the "right people" disagree with them

Isn't that every country ever? A small group of people get together and tell a larger group of people how things are going to be ... or else.

Re: World History 101

[Aristos+Mazer]

No. In a republic, a large group of people pick a small group of people and tell the small group to tell the large group what to do. The difference is significant.

Re: World History 101

And that small group of people end up doing whatever they want. Or what another smaller group (the rich) tell them to do.

So some years later you get to choose some other small group of people. And guess what...

Re: World History 101

I'm confused given that large small are all relative.
To control a Gov doesn't take that many ppl compared to an uprising.
Would welcome clarification

Re:Tim Berners-Lee, the hypocrite

[diamondmagic]

Every website and their mother was moving to XHTML, the XHTML debacle is that Internet Explorer wouldn't support the application/xhtml+xml media type. That's it. It's perfectly fine to use XHTML now that IE6 is no longer a thing.

And no, their fork is not authoritative, it's only defined for Web browsers, it lacks features required for Internet media types in general, the IETF assigned authority for HTML to the W3C in RFC2854, and the IANA still registers text/html as maintained by the W3C. https://www.iana.org/assignmen...

sorta missing the point there...

Why does a user need to download and install optional stuff to make the basic functionality safe?

Script blocking used to be intgrated, and frankly it is to a certain extent a vulnerability to build into Firefox the ability for a script/plugin to make changes to a basic security function like this. By all means, allow addons to automate the loading of certain pages, or filter certain content or help manage bookmarks or the way things look on screen but allowing plugins to monkey with security issues like whether remote code will be allowed to auto-execute on the desktop is a baddie.

Also, why should only the more-advanced users get these important options? They're the ones less likely to be victimized by malware.

Oh, and another thing: with JS blocking made optional in a plugin that is vulnerable to breaking in every new release, what's to prevent click tracking to eventually be migrated to a plugin at some point and making that option also unavailable to most users (Most Firefox users do not even know what a plugin is, let alone to even look for something called NoScript and even if they knew they needed it, knew what it was called, knew where to find it, and trusted the download, the odds are insanely low that they would know all that for a click tracker.

Again, my basic question: Why was a basic security function moved into a plugin? It doesn't make things better for a user and it doesn't even make the code simpler. I'm rather big on the "Why" question - I find it often elicits very interesting things.

Re:sorta missing the point there...

[bhcompy]

Ah, the old fashioned "I'm just asking questions, here" guy. Why? Because they made a choice. Who gives a shit why? Reality is reality. Live with it, or don't. No one cares about AC opinions

Re:sorta missing the point there...

[Cederic]

Why does a user need to download and install optional stuff to make the basic functionality safe?

Because the browser's role is to use HTTP to access a server, process the the response and render it for the user.

The user needs to understand the range of responses that may be possible and whether to process and render them or not, including potential recommendations from the server to retrieve adverts, executable code or images of kittens playing in snow.

A browser that disables Javascript by default would be rejected by most people as it would fail miserably to correctly display the websites they want to use.

why should only the more-advanced users get these important options?

Because anybody that knows and understands that these options exist and should be considered is already immediately a more advanced user.

Again, my basic question: Why was a basic security function moved into a plugin?

Because security in IT terms is not an absolute. It's a compromise. If you want to be secure switch off your fucking computer.

Re:sorta missing the point there...

[xryl]

You want to disable Javascript with no extension? It's easy, start the developer's console, click settings, click disable Javascript.
Now, you won't have javascript enabled. Sure, it's MUCH easier with an extension, since it's one click only. Don't blame the developer for some dream/need (only) you want. The feature is present, so don't be lazy and instead of ranting, use it.

IMHO, most user wants javascript. So any sane developer will try to satisfy the majority of his users.

Re:sorta missing the point there...

Because half the web won't work with scripting disabled. Sorry but times have changed,

Re:sorta missing the point there...

RED HERRING. Brave allows per site enable and disable. Firefox does not. It sold out its customers to advertisers.

Re:sorta missing the point there...

Why does a user need to download and install optional stuff to make the basic functionality safe?

Because they chose a browser that is intended to serve the interests of other parties above the interests of the user.

A selfish, rational person wouldn't do that. But these people did, so they should expect below-average utility. They are making a personal sacrifice because they want to help support someone else's business. It's worth having a slightly less enjoyable life, if it makes someone's marketing job a little easier. Think about what's really important to you: making marketing jobs easier. You'd give up nearly anything for that, wouldn't you?

Re:sorta missing the point there...

[mysidia]

Because security in IT terms is not an absolute. It's a compromise. If you want to be secure switch off your fucking computer.

Based on that argument...... Chrome should eliminate HTTPS certificate verification support, accept any connection presented by default, and make that an optional Add-On that has to be installed; Rejecting old versions of SSL such as SSLv3 would also be an Optional Addon similar to the option to shut off scripting... because Security in IT terms is not an absolute, and verifying TLS connections has nothing to do with processing HTTP requests.

Re:sorta missing the point there...

[Cederic]

I know. It's almost as though the browser manufacturers aren't consistent in where they choose the balance between security and providing a user experience.

You should write to them all suggesting they sort it out.

Could this industry be mislead with their own tact

I wonder what would come from misleading the advertisement industry targeting their own practices.

What fresh nonsense

First off this was never a major feature even some power users would have known of.

Secondly link tracking is used by web masters / site owners to know what links you click on their site.

Web masters / site owners track visitors so they can better understand them *and* improve their site.

Firefox Focus

[emil]

Does Firefox Focus normally stop a majority of these? The Android version is based on webview/blink, but it has an integrated adblocker.

Yet another reason to use Tor Browser

[emil]

Tor Browser will present you with many more warnings and generally provide far more security information than Firefox. The most common are: don't maximize the browser window on a desktop, and beware of fingerprinting with the canvas element, and noscript redirect warnings.

Re:Yet another reason to use Tor Browser

[Tough+Love]

What happens when you maximize the browser window?

Re:Yet another reason to use Tor Browser

Fingerprinting, you get the screen size, possibly the exact size of your taskbar, the size of your window decorations, etc. everything that contributes to the final maximal window size and anything that may slightly differ between systems can be used to track you and the aforementioned things can differ even when you don't expect it. I once had to set up a UI test environment that had to be a pixel perfect mirror of the system used by our Q.A. people - you could identify the exact UI theme used when the tests where created, as using a different theme resulted in slightly different window sizes and offset all recorded coordinates to be wrong.

Re:Yet another reason to use Tor Browser

Doesn't letterboxing remove this risk? If letterboxing is enabled and your browser window is maximized the page is still limited by the letterbox.

Recommendations

[d3bruts1d]

w3c publishes recommendations not specifications.

"And thirdly, it is more what you'd call guidelines than actual rules." — Captain Hector Barbossa

Re:Recommendations

[diamondmagic]

If you want to be that pedantic about it, the W3C publishes specifications endorsed by their member bodies called W3C Recommendations, among other forms technical reports (TRs).

They are specifications because they are the documents authoritative for defining (i.e. specifying) how to interpret an Internet media type.

why?

[sad_]

why is this an HTML standard?
the standard mentions that it will increase transparancy for the user, but sure looks like a heavy price to pay.

Re:Tim Berners-Lee, the hypocrite

I follow the w3c version, so your assumption is wrong.

Re:Tim Berners-Lee, the hypocrite

[Hodr]

I would argue that any software standard not tied to actual routing of packets has no authoritative source. God didn't dictate ownership of "HTML", and whoever can convince the most people to use their standard wins by default. Crying about it won't help, they can and will say "Nanny nanny boo boo, stick your head in doo-doo".

Re:Tim Berners-Lee, the hypocrite

[AndrewFlagg]

is this the HTTP_REFERER post that alot of people watch? or something else? Google Analytics on the outs?

Re: Tim Berners-Lee, the hypocrite

How did this get a +1 ?

Where the fuck were YOU to protect the Internet?

Even if anyone asked Tim about it, and they probably didn't, they don't have to do what he says.

GDPR Link Tax

[cordovaCon83]

Maybe this is a reaction to the GDPR's proposed Link Tax? Did that even make it into the GDPR?

Re:GDPR Link Tax

[devslash0]

Interesting point of view. Maybe you're right. Laying technical foundations to enforce the absurd law.

Chinese Web For Everyone!

So much freedumbs!

Re:Tim Berners-Lee, the hypocrite

[diamondmagic]

The HTTP Referer header (i.e. short for "referrer") is defined in HTTP (RFC7231 is the latest release). It's optional but widely-deployed, and mostly intended for intra-site diagnostics, e.g. determining which pages have bad links.

There's a few other headers with similar purposes, like User-Agent (which is also widely deployed) and From (the same header as in email can also be used in HTTP, but use in HTTP is very small, usually only seen in crawlers/robots, where the user would want to be contacted by the server admin if there's a problem.) I've never seen issues with defining such a header.

Re:Tim Berners-Lee, the hypocrite

[diamondmagic]

OK, but then we're back at the IE6 philosophy of Embrace, Extend, Extinguish. That set back progress in the Web by a decade.

No choice

Browsers were also known as "User Agents", but ever since broadband reached the mainstream consumer, there has been less and less of the "User" represented by the user agent.

The original role of the browser as a computerized representative of the visitor's choices in the exchange between the consumer and the producer is all but gone now. With the most popular sites being from conglomerates and giants who lobby or buy seats at the browser standards body now, how could this ever have been expected to ended differently?

A normal linux distro from 2003 could easily have 5 browsers if you installed various Desktop Environments from the full 4GB DVD (none of the browsers were Internet Explorer even at the hight of its imperial dominance). They were ALL open source and would have easily allowed someone to compile all this stuff out of the way. Where did they all go off to die? Complexity killed them. Low mom & pop percentages killed them. Firefox killed them (just like Chromium killed Edge)

Re: HTTP IS GARBAGE! It isn't just Javascript, peo

I understood that https was supposed to be more secure, what pray tell what makes it a bear trap?