Slashdot Mirror

← Back to Stories (view on slashdot.org)

Several Major Browsers to Prevent Disabling of Click-Tracking 'Hyperlink Auditing' (bleepingcomputer.com)

Posted by EditorDavid on from the pinging-back dept.

x_t0ken_407 quotes BleepingComputer: A HTML standard called hyperlink auditing that allows sites to track link clicks is enabled by default on Safari, Chrome, Opera, and Microsoft Edge, but will soon have no way to disable it. As it is considered a privacy risk, browsers previously allowed you to disable this feature. Now they are going in the opposite direction.

Hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page that can then examine the request headers to see what page the link was clicked on.
The article concludes that "Firefox and Brave win the award" for people who want this click-tracking capability disabled -- since "only Brave and Firefox currently disable it by default, and do not appear to have any plans on enabling it in the future."

76 of 142 comments (clear)

  1. Turned off by default in firefox by Anonymous Coward · · Score: 5, Informative

    Went looking for how to turn it off, article was kind enough to provide the necessary about:config setting, it's "browser.send_pings".

    Firefox already has it off by default. Nice! for once.

    1. Re:Turned off by default in firefox by AmiMoJo · · Score: 5, Informative

      For Chrome install uBlock Origin and it's an option under "Privacy".

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Turned off by default in firefox by omfglearntoplay · · Score: 2

      So what happens when Chrome when it's not an option to turn off anymore? A little worrying.

    3. Re:Turned off by default in firefox by GuB-42 · · Score: 2

      *Not* nice.

      tl;dr : It means a worse user experience and less privacy for Firefox users.

      Try to think about why that "evil" standard exists in the first place. People don't need hyperlink auditing to track you.
      What they do instead is that they wrap links into redirect URLs. They use JS to hide it in the tooltip. Just make a Google search in Firefox, right click on one of the search results and "copy link location". What you'll get is a Google URL with a redirect target. Google is far from being the only one to do that.

      The problem with that is that it makes "copy link location" almost useless. It also has an impact on performance. "Hyperlink auditing" is the answer to that problem. Now, look at the Google search results in Google Chrome. The links target are correct, no more of that redirect bullshit. That's because it uses the "ping" attribute to achieve the same thing.

      So when it comes to Google search, both Firefox and Google Chrome users are tracked. The difference is that Firefox users can't properly copy links and are slower. Furthermore, if you have uBlock Origin installed, you will only get tracked if you are using Firefox...

    4. Re:Turned off by default in firefox by Wolfrider · · Score: 1

      --Thanks for that! I double checked and hopefully won't have to change browsers since it can be disabled with that extension.

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    5. Re:Turned off by default in firefox by Pieroxy · · Score: 2

      What people that want to track click do today is bring you to their website and issue a 302 to redirect you to the destination website. What this feature allowed was to remove the necessary hop, and thus would make the web faster.

      But since Firefox did not activate it by default, everyone is still redirected through domains everytime they click a link.

      Not sure it's an actual win. Firefox do not remove a feature by disabling this, they forbid an optimization.

      --
      Write boring code, not shiny code!
  2. Can't this just be done with Javascript? by phantomfive · · Score: 2

    Can't you just encase the link in Javascript and get the clicked link that way? Or do webpages not do that very often?

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Can't this just be done with Javascript? by MrL0G1C · · Score: 5, Insightful

      I loathe links made in that manner because when you right-click them they aren't treated as links so you can't open them in a new tab with a right-click or copy the link etc. That is a mistake IMO, if it's a link when you left-click it then it should also be treated as a link when you right-click it.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    2. Re:Can't this just be done with Javascript? by Anonymous Coward · · Score: 2

      Don't even need that - they could be far more honest and simply rewrite it http://clicktrackers.com/logclick&desturl=http://blah.... ; and clicktrackers simply sends a redirect to the real site name.

      The point of this is to hide the fact your clicks are being tracked so you don't see it.

    3. Re:Can't this just be done with Javascript? by viperidaenz · · Score: 3

      The point is to also speed the request up. The ping can be done in parallel, you don't need to wait for your click-tracker to redirect you.
      ad-blockers can also easily block the ping request.

    4. Re:Can't this just be done with Javascript? by Tough+Love · · Score: 1

      Plus, they are stealing your bandwidth and likely as not, adding latency.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    5. Re:Can't this just be done with Javascript? by Galactic+Dominator · · Score: 1

      When my facet drips, it steals my water.

      --
      brandelf -t FreeBSD /brain
    6. Re:Can't this just be done with Javascript? by DontBeAMoran · · Score: 3

      They also break "command+click" which is supposed to open the link in a new tab.

      --
      #DeleteFacebook
    7. Re:Can't this just be done with Javascript? by Tough+Love · · Score: 1

      That is you, pissing your water away as if it were not valuable. Fix your fucking faucet.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    8. Re:Can't this just be done with Javascript? by The+MAZZTer · · Score: 4, Informative

      You can make the links work properly when right clicked, the problem is whoever coded it didn't care enough to make that happen.

      The proper way to do it is to make it a normal link, but then hook up some JavaScript that stops the default link behavior and/or does something extra in the background.

    9. Re:Can't this just be done with Javascript? by Waccoon · · Score: 2

      Even better, UX people are trying to bring the "swipe" paradigm to the desktop. Now, just trying to select and copy a block of text doesn't work, because clicking anywhere in the text treats it like a drag-able layer.

      Modern UX is all about breaking everything that made the web work. If browsers even try to stop this BS, designers will hack their way around the fixes.

    10. Re:Can't this just be done with Javascript? by shadow_slicer · · Score: 1

      They do that entirely too often. Additionally, this is a security risk because you don't know where the link goes until you click it.

    11. Re:Can't this just be done with Javascript? by Kejiro · · Score: 1

      Modern UX is all about breaking everything that made the web work.

      Correction: Modern UX is all about breaking everything that made UX work

      With the rise of cross-platform tools like Elektron and similar even desktop applications are moving to not being usable. Instead of having an application that works as a desktop application should, you are being met with a website that have 10% of the functionality from previous versions, and with twice the resource consumption.

    12. Re: Can't this just be done with Javascript? by Cederic · · Score: 1

      Actually no, I spend more on water than on my mobile phone.

      I have 'unlimited data' on my phone.

    13. Re:Can't this just be done with Javascript? by SurenEnfiajyan · · Score: 1

      I guess the point is to just notify the specified website that a certain link was opened, that's it. It's much more complicated and costly to do this with Javascript because browsers block a XMLHttpRequest to other domains (cross origin policy). With just JS it can be done, for example, by creating an iframe of the advertiser website and sending a message to it, or send a request to the same domain and then that domain server will send the message to the advertiser. More complicated and also less acceptable.

  3. "One of these things is not like the others" by Anonymous Coward · · Score: 1

    Chrome is open source, so it should be simple to patch Chromium to prevent enabling it instead, maybe even to patch Chrome.

    1. Re:"One of these things is not like the others" by ChoGGi · · Score: 3, Informative

      There's always tampermonkey

      let links = document.getElementsByTagName("a");
      for (let i = 0; i < links.length; i++) {
          let link = links[i];
          if (link.hasAttribute("ping")) {
              link.removeAttribute("ping");
          }
      }

      Assuming it works... anyone got a site with these ping links?

    2. Re: "One of these things is not like the others" by JoeyRox · · Score: 1

      That's what Brave is doing essentially - it's based off the Chromium code. It also provides some other nice features, such as a built-in Ad blocker and support for background playing of YouTube/video for their Android build.

    3. Re:"One of these things is not like the others" by grep+-v+'.*'+* · · Score: 4, Informative
      I read about this yesterday, and immediately thought about tampermonkey. Thanks for the script.

      On page link they talk about this, with

      To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable.

      <a href="https://www.google.com/"
      ping="https://www.bleepingcomputer.com/pong.php"> Ping Me</a>

      To wit: Ping Me

      This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL , so users will not even realize this is happening unless they examine the sites source code. Scripts that receive the ping POST request, can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to.

      The headers associated with the information sent in the ping request are shown below.

      [HTTP_PING_FROM] => https:/ www.bleepingcomputer.com/ping.html
      [HTTP_PING_TO] => https:/ www.google.com/
      [CONTENT_TYPE] => text/ping

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    4. Re:"One of these things is not like the others" by Z00L00K · · Score: 4, Insightful

      Or go around the other way - use this to generate faked pingbacks in large volume rendering the data collected useless.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  4. "Safari, Chrome, Opera, and Microsoft Edge"? by Anonymous Coward · · Score: 1

    "Safari, Chrome, Opera, and Microsoft Edge"?

    So in other words: Safari, Chrome, Chrome and Chrome.

    1. Re:"Safari, Chrome, Opera, and Microsoft Edge"? by Gherald · · Score: 1

      More like Practically Chrome, Chrome, Chrome, and Chrome

      --
      The unofficial /. digest
    2. Re:"Safari, Chrome, Opera, and Microsoft Edge"? by DontBeAMoran · · Score: 1

      Not really, since Chrome is based on Safari, not the other way around.

      --
      #DeleteFacebook
    3. Re:"Safari, Chrome, Opera, and Microsoft Edge"? by anegg · · Score: 3, Funny

      More like Practically Chrome, Chrome, Chrome, and Chrome

      Can I get spam with that?

    4. Re:"Safari, Chrome, Opera, and Microsoft Edge"? by Cmdln+Daco · · Score: 2

      Chrome and Safari are based on Konqueror, which is a KDE project. Apple always copies somebody else's code, but retains many lawyers to keep others from copying theirs.

    5. Re:"Safari, Chrome, Opera, and Microsoft Edge"? by DontBeAMoran · · Score: 1

      That still doesn't invalidate the fact that Chrome is based on Safari (Webkit), not the other way around.

      KHTML (Konqueror), Webkit (Safari), Blink (Chrome, Opera, Edge).

      --
      #DeleteFacebook
  5. Chromium Issue 935978 by Anonymous Coward · · Score: 5, Informative

    Chrome devs have removed the hidden setting while they debate promoting it into the regular settings UI. If you want this, star the bug (but don't flood the comments too much):
    Issue 935978

  6. Pale Moon - OFF by default by Anonymous Coward · · Score: 3, Informative

    Turned off by default in Pale Moon too.

    (I checked...)

    AC

  7. Re:Tim Berners-Lee, the hypocrite by fustakrakich · · Score: 1

    Fucking hypocrite.

    Oh please! He's a businessman. What's the big deal?

    --
    “He’s not deformed, he’s just drunk!”
  8. And by likely future chromium forks by ron_ivi · · Score: 1

    Devil's advocate.... ... good.

    This is exactly the motivation people need to move to different F/OSS chromium forks.

  9. Yet another reason to use Firefox by Tough+Love · · Score: 4, Insightful

    Look folks, as long as Google has control of the browser engine source code, Google has you by the short hairs. Worse, control of the binaries as in Android. Open source or not. Not only is Firefox just an all round nicer browser to use (my opinion, if you disagree then please direct your fan mail to Larry Page) it is the only browser that gives a toss about your privacy.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Yet another reason to use Firefox by Tough+Love · · Score: 3, Informative

      Right, ask selfless Eric Schmidt, he'll tell you.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:Yet another reason to use Firefox by dargaud · · Score: 2

      ...posted as an anonymous coward... how fitting !

      --
      Non-Linux Penguins ?
  10. Re:Tim Berners-Lee, the hypocrite by diamondmagic · · Score: 5, Informative

    No, "ping" isn't in the official HTML specification. What /. linked to is the Google's unofficial fork of HTML.

    --
    Wonder what the public key field is for?
  11. Ha, just like Javascript, Mozilla will... by Anonymous Coward · · Score: 1, Insightful

    eventually cave in.

    Firefox users used to be able to check a preferences box to enable/disable Javascript. There were some sites I would only visit with JS disabled first, and others where I wanted it enabled. I assumed the Mozilla team would eventually do the user-friendly thing and allow preferences to be set for certain oft-visited websites (perhaps a user-editable file listing special websites and whether to enable audi,video,popups,JavaScript and preserve cookies when otherwise clearing them) but nope - they appear to have caved to ad sellers and disabled the disabling of JS.

    They seem to currently also be ignoring the option to disable popups.

    The users get the browser for free, so they are NOT the customer.
    The advertizers are directly or indirectly donating money to the Mozilla Foundation, so THEY are the customer and they will get what they want as soon as enough people at Mozilla decide to relax their principles.

    1. Re:Ha, just like Javascript, Mozilla will... by bhcompy · · Score: 1

      You can still accomplish that with NoScript and uBO in Firefox. Or you can use Brave, which has it all built in.

  12. For WHAT? by Anonymous Coward · · Score: 4, Insightful

    You deranged idiots are incredible. You clearly want a police state where any person can be locked up on a whim if the "right people" disagree with them, and you think of yourselves as the "right people".

    History is littered with the corpses of the victims of tyranny who themselves enabled that tyranny in the dreams of using it to oppress their political opponents.

    At least the Trumpsters chanting "Lock her up!" had a list of actual violations of actual laws for which they wanter her locked up. The FBI even admitted to that list when James Comey infamously stated that "no reasonable" prosecutor would prosecuter her for her crimes, and then moments later announced that if anybody else did the same thing, that person WOULD be prosecuted. You people who've been snorting some sort of drug from Rachel Maddow or Chris Hayes or Chris Cuomo, or Don Lemon, etc have no flipping idea of what laws you imagine Trump has violated.

    Morons.

    1. Re:For WHAT? by quicks0rt · · Score: 1

      Sure, Hillary should be in jail, but she's not the one in power now is she? Trump while denouncing Hillary, committed and is committing all the same as Hillary had done. Obstruction of justice, violation of emolument clause, willfully ignoring border laws to further political goals, violating Campaign rules, using private emails (surprise, surprise), the list goes on and on.

      The fact that this got voted insightful means there are a lot of morons who drunk the trump-aide and refuses to see for what he is. But you got this one right: "if anybody else did the same thing, that person WOULD be prosecuted." Indeed, if Trump was not a sitting president on the forefront of executive power, he WOULD be prosecuted.

  13. Re:Tim Berners-Lee, the hypocrite by Cmdln+Daco · · Score: 1

    How long has it been since he was a CERN employee? Long enough ago that CERN is safe from his influence?

  14. Re:Tim Berners-Lee, the hypocrite by Dracos · · Score: 2

    Drafts of HTLM5 included a ping attribute on the a element for doing exactly this. Anyone with a brain could see it would be an order of magnitude more exploitable and abusable than cookies. At some point it was removed from HTML5 officially, but the W3C has gotten into a habit of modularizing things.

  15. ping is better than redirect by kiviQr · · Score: 2

    At least you can see where you are going. Plus you can block ping with browser extensions. Redirects not so much.

    1. Re:ping is better than redirect by devslash0 · · Score: 1

      Correct. I even started working such an extension this morning. I'm sure I'm not alone.

  16. Firefox is Doomed by jaa101 · · Score: 4, Interesting

    This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party. The surprise here is that Safari has recently disabled this feature since Apple is much less beholden to advertising interests. There's a chance that the Safari change was inadvertent, or at least wan't considered very high up the corporate ladder. With luck Apple will put the feature back.

    1. Re:Firefox is Doomed by AmiMoJo · · Score: 4, Insightful

      Apple probably did it for the same reason everyone else did - it actually enhances privacy.

      There are two ways you can audit clicks on links. You can use the proper HTML hyperlink auditing system, or you can write some horrible Javascript. The HTML hyperlink auditing system can be optimized by the browser for performance, and blocked by extensions, and means you get a real link instead of some Javascript that can't be copy/pasted or opened in a new tab.

      By encouraging everyone to use HTML hyperlink auditing it actually improves privacy by making it easier to block and making links work like they are supposed to.

      The next step will be to disable the Javascript option. Don't allow OnClick() to rewrite the page URL.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Firefox is Doomed by Anonymous Coward · · Score: 1

      This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party.

      What makes open-source so cool, is that money is not a concern. They can have all the ad-money there is - and still not be able to prevent a browser that 'doesn't go with their program'. Sure, they can buy+close companies. Open-source browsers are still there, can still be worked on by the interested, and can still be used by anyone who care.

    3. Re:Firefox is Doomed by Tom · · Score: 1

      Money from the internet comes from advertising

      True, but a bit like saying that money in the movie industry comes from renting DVDs.

      There are other business models. And advertisement is slowly but surely moving the way it should, to the trashbin of history. I've been on the charge in this one, I admit, I've had adblockers running since the very first alpha versions appeared, and I despite ads in the real world as well. But every year I hear more people complaining about ads and more people that I help in installing adblockers.

      Sites are already reacting to adblockers if they detect them, that is new and a good sign that the business model is nearing its end. Good riddance.

      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:Firefox is Doomed by Luckyo · · Score: 1

      "Surrender peasants, because otherwise we'll slaughter you in an even more painful way".

      How about no slaughter at all?

  17. Re:Tim Berners-Lee, the hypocrite by fahrbot-bot · · Score: 1

    How long has it been since he was a CERN employee? Long enough ago that CERN is safe from his influence?

    So... no longer a conCERN.

    --
    It must have been something you assimilated. . . .
  18. Re:Why? by AHuxley · · Score: 2

    AC, ads, always the ads.

    --
    Domestic spying is now "Benign Information Gathering"
  19. Re:Tim Berners-Lee, the hypocrite by shadow_slicer · · Score: 2

    How is the w3c version "official" if no one is following it anymore? After the XHTML debacle the WHATWG created HTML5. The w3c tries to remain relevant by taking occasional snapshots of the WHATWG standard, but they have no real authority anymore. Calling it "Google's" unofficial fork is incorrect - it was created and is maintained by a consortium of browser developers and is the authoritative reference for HTML5.

  20. Trying to get rid of nasty redirects by shadow_slicer · · Score: 1

    The reason they're doing this is not to track people more. They're doing this so more developers use the ping attribute for this functionality instead of hacky JavaScript or redirects (which prevent the user from seeing what URL the link goes to, increase navigation latency since everything ends up serialized, make it hard to copy the real URL or open the URL in a new window, etc.).

    If things go as they typically do, browsers will start blocking the old behavior from working or otherwise disincentivising that behavior once enough of the internet has migrated.

  21. Re:Tim Berners-Lee, the hypocrite by diamondmagic · · Score: 2

    Every website and their mother was moving to XHTML, the XHTML debacle is that Internet Explorer wouldn't support the application/xhtml+xml media type. That's it. It's perfectly fine to use XHTML now that IE6 is no longer a thing.

    And no, their fork is not authoritative, it's only defined for Web browsers, it lacks features required for Internet media types in general, the IETF assigned authority for HTML to the W3C in RFC2854, and the IANA still registers text/html as maintained by the W3C. https://www.iana.org/assignmen...

    --
    Wonder what the public key field is for?
  22. Re:sorta missing the point there... by bhcompy · · Score: 1

    Ah, the old fashioned "I'm just asking questions, here" guy. Why? Because they made a choice. Who gives a shit why? Reality is reality. Live with it, or don't. No one cares about AC opinions

  23. Firefox Focus by emil · · Score: 1

    Does Firefox Focus normally stop a majority of these? The Android version is based on webview/blink, but it has an integrated adblocker.

  24. Yet another reason to use Tor Browser by emil · · Score: 1

    Tor Browser will present you with many more warnings and generally provide far more security information than Firefox. The most common are: don't maximize the browser window on a desktop, and beware of fingerprinting with the canvas element, and noscript redirect warnings.

    1. Re:Yet another reason to use Tor Browser by Tough+Love · · Score: 1

      What happens when you maximize the browser window?

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  25. Re: World History 101 by Aristos+Mazer · · Score: 1

    No. In a republic, a large group of people pick a small group of people and tell the small group to tell the large group what to do. The difference is significant.

  26. Recommendations by d3bruts1d · · Score: 2

    w3c publishes recommendations not specifications.

    "And thirdly, it is more what you'd call guidelines than actual rules." — Captain Hector Barbossa

    1. Re:Recommendations by diamondmagic · · Score: 1

      If you want to be that pedantic about it, the W3C publishes specifications endorsed by their member bodies called W3C Recommendations, among other forms technical reports (TRs).

      They are specifications because they are the documents authoritative for defining (i.e. specifying) how to interpret an Internet media type.

      --
      Wonder what the public key field is for?
  27. why? by sad_ · · Score: 1

    why is this an HTML standard?
    the standard mentions that it will increase transparancy for the user, but sure looks like a heavy price to pay.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  28. Re:sorta missing the point there... by Cederic · · Score: 1

    Why does a user need to download and install optional stuff to make the basic functionality safe?

    Because the browser's role is to use HTTP to access a server, process the the response and render it for the user.

    The user needs to understand the range of responses that may be possible and whether to process and render them or not, including potential recommendations from the server to retrieve adverts, executable code or images of kittens playing in snow.

    A browser that disables Javascript by default would be rejected by most people as it would fail miserably to correctly display the websites they want to use.

    why should only the more-advanced users get these important options?

    Because anybody that knows and understands that these options exist and should be considered is already immediately a more advanced user.

    Again, my basic question: Why was a basic security function moved into a plugin?

    Because security in IT terms is not an absolute. It's a compromise. If you want to be secure switch off your fucking computer.

  29. Re:sorta missing the point there... by xryl · · Score: 1

    You want to disable Javascript with no extension? It's easy, start the developer's console, click settings, click disable Javascript.
    Now, you won't have javascript enabled. Sure, it's MUCH easier with an extension, since it's one click only. Don't blame the developer for some dream/need (only) you want. The feature is present, so don't be lazy and instead of ranting, use it.

    IMHO, most user wants javascript. So any sane developer will try to satisfy the majority of his users.

  30. Re:Tim Berners-Lee, the hypocrite by Hodr · · Score: 1

    I would argue that any software standard not tied to actual routing of packets has no authoritative source. God didn't dictate ownership of "HTML", and whoever can convince the most people to use their standard wins by default. Crying about it won't help, they can and will say "Nanny nanny boo boo, stick your head in doo-doo".

  31. Re:Tim Berners-Lee, the hypocrite by AndrewFlagg · · Score: 1

    is this the HTTP_REFERER post that alot of people watch? or something else? Google Analytics on the outs?

  32. GDPR Link Tax by cordovaCon83 · · Score: 1

    Maybe this is a reaction to the GDPR's proposed Link Tax? Did that even make it into the GDPR?

    1. Re:GDPR Link Tax by devslash0 · · Score: 1

      Interesting point of view. Maybe you're right. Laying technical foundations to enforce the absurd law.

  33. Re:why? by Ksevio · · Score: 1

    Because the alternative is the page uses links to itself to a page that tracks the click and then uses a redirect header to send the user to the new page (or some javascript equivalent). In doing so, the actual destination is hidden from the user.

    This is sort of a compromise, the link goes to the actual page, but it pings the site to let it know for link tracking purposes.

    Basically, the sites are going to track the user clicking the link either way, it's just more transparent this way

  34. Re:Tim Berners-Lee, the hypocrite by diamondmagic · · Score: 1

    The HTTP Referer header (i.e. short for "referrer") is defined in HTTP (RFC7231 is the latest release). It's optional but widely-deployed, and mostly intended for intra-site diagnostics, e.g. determining which pages have bad links.

    There's a few other headers with similar purposes, like User-Agent (which is also widely deployed) and From (the same header as in email can also be used in HTTP, but use in HTTP is very small, usually only seen in crawlers/robots, where the user would want to be contacted by the server admin if there's a problem.) I've never seen issues with defining such a header.

    --
    Wonder what the public key field is for?
  35. Re:Tim Berners-Lee, the hypocrite by diamondmagic · · Score: 1

    OK, but then we're back at the IE6 philosophy of Embrace, Extend, Extinguish. That set back progress in the Web by a decade.

    --
    Wonder what the public key field is for?
  36. Re:sorta missing the point there... by mysidia · · Score: 1

    Because security in IT terms is not an absolute. It's a compromise. If you want to be secure switch off your fucking computer.

    Based on that argument...... Chrome should eliminate HTTPS certificate verification support, accept any connection presented by default, and make that an optional Add-On that has to be installed; Rejecting old versions of SSL such as SSLv3 would also be an Optional Addon similar to the option to shut off scripting... because Security in IT terms is not an absolute, and verifying TLS connections has nothing to do with processing HTTP requests.

  37. Re:sorta missing the point there... by Cederic · · Score: 1

    I know. It's almost as though the browser manufacturers aren't consistent in where they choose the balance between security and providing a user experience.

    You should write to them all suggesting they sort it out.