January 17, 2006

<a ping>

I've been meaning to blog about a new web platform feature that we've added to trunk builds of Firefox. It is now possible to define a ping attribute on anchor and area tags. When a user follows a link via one of these tags, the browser will send notification pings to the specified URLs after following the link.

I'm sure this may raise some eyebrows among privacy-conscious folks, but please know that this change is being considered with the utmost regard for user privacy. The point of this feature is to enable link tracking mechanisms commonly employed on the web to get out of the critical path and thereby reduce the time required for users to see the page they clicked on. Many websites employ redirects so that every link click on their site first goes back to them, letting them record what you are doing before they redirect your browser to the site you thought you were going to. The net result is that you end up waiting for the redirect to occur before your browser even begins to load the site that you want to go to. This can have a significant impact on page load performance.

Websites even employ "onmousedown" event handlers that change the href attribute at the very last second before a click occurs. This makes it so that hovering over the link displays the location that you want to go to, but it still ends up taking you someplace else.

This change is being considered in large part because some very popular websites have asked for a solution to this problem. The feature itself was designed and specified by the WhatWG.

Edit: I left out an important detail earlier: Websites already do something similar in IE by exploiting a bug with the way images load. There's of course no pref to disable that bug ;-)

Edit: Wow, a lot of people seem to have really missed the point of this feature. In a world where link tracking is the status quo, this feature comes along with the intent of giving the user more control than they previously had, and people balk at it. I'm really quite shocked that so few people seem to realize this. I posted some summary thoughts in my next blog entry.

Posted by darin at January 17, 2006 11:02 AM
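
The post describes `ping` on anchor and area tags as a list of URLs the browser notifies when the link is followed. The following added example, which is not Firefox code and not part of the original post, audits markup for those attributes, resolves each target and reports which hosts a click would notify. The sample markup, hostnames and the `policy` names are constructed for illustration, and the attribute value is treated as a whitespace-separated URL list, as the HTML specification defines it.

```javascript
// Added example: audit markup for <a ping> / <area ping> targets.
// BASE_URL, SAMPLE_HTML, its hostnames and the policy names are constructed.

const BASE_URL = "https://news.example/front/index.html";

const SAMPLE_HTML = `
<a href="/story/1" ping="/track?id=1">Local story</a>
<a href="https://other.example/page"
   ping="https://ads.example/click?c=42 /track?id=2">Sponsored</a>
<area href="map.html" ping='https://stats.example/p'>
<a href="/plain">No tracking</a>
<a href="/x" ping="http://[bad">Broken ping URL</a>
`;

// Turn the attribute text of one start tag into a name -> value map.
function parseAttributes(attrText) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    // First occurrence wins, as in HTML parsing.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Resolve a URL token against the document URL; null if it does not parse.
function resolve(token, baseUrl) {
  try {
    return new URL(token, baseUrl);
  } catch {
    return null;
  }
}

// Find every link that carries a ping attribute and classify its targets.
// Regex scanning is adequate for auditing saved markup; it does not handle
// a '>' character inside an attribute value.
function auditPings(html, baseUrl) {
  const docOrigin = new URL(baseUrl).origin;
  const findings = [];
  const tagRe = /<(a|area)(?=[\s\/>])([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[2]);
    // Only elements that are actual links (have href) are reported.
    if (!("ping" in attrs) || !("href" in attrs)) continue;
    const hrefUrl = resolve(attrs.href, baseUrl);
    const targets = attrs.ping.split(/\s+/).filter(Boolean).map((token) => {
      const url = resolve(token, baseUrl);
      if (url === null) return { url: token, scope: "invalid" };
      const scope = url.origin === docOrigin ? "same-origin" : "cross-origin";
      return { url: url.href, scope };
    });
    findings.push({
      tag: m[1].toLowerCase(),
      href: hrefUrl ? hrefUrl.href : attrs.href,
      targets,
    });
  }
  return findings;
}

// Which pings would go out under a user-side policy:
// "off" (nothing), "same-origin" (document's own origin only), "all".
function pingsToSend(finding, policy) {
  if (policy === "off") return [];
  return finding.targets
    .filter((t) => t.scope !== "invalid")
    .filter((t) => policy === "all" || t.scope === "same-origin")
    .map((t) => t.url);
}

// One-line disclosure a browser could show while the link is hovered.
function statusLine(finding) {
  const hosts = finding.targets
    .filter((t) => t.scope !== "invalid")
    .map((t) => new URL(t.url).host);
  const unique = [...new Set(hosts)];
  return unique.length
    ? `${finding.href} (also notifies: ${unique.join(", ")})`
    : finding.href;
}

for (const finding of auditPings(SAMPLE_HTML, BASE_URL)) {
  console.log(statusLine(finding));
}
```
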
Comments

Out of interest, how did you implement the 'informed user' requirement? ("When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs.")

Posted by: Malcolm at January 17, 2006 12:14 PM

And it's disabled by default, right?

Posted by: Matthew Wilson at January 17, 2006 12:23 PM

The UI component of this feature is currently unimplemented. We did not see that as a blocker to enabling this on the trunk (development) builds of Firefox. I hope to test out Ian's suggestion of adding the pings to the status bar shortly.

The feature is currently enabled by default in Firefox, but disabled for Thunderbird.

Posted by: Darin at January 17, 2006 12:33 PM

Ohh dear no...

1) privacy concerns
2) it is non-standard. you MS wannabe

Posted by: med at January 17, 2006 12:51 PM

Do you need a WHATWG DTD (I assume there is such a thing) to make this work, or would it work in an HTML 4 document without other modifications?

Posted by: Matthew Wilson at January 17, 2006 1:12 PM

Med, please keep it polite. If you have specific privacy concerns, let's hear them.

Matthew, the answer is that it would work in a HTML4 document without other modification, but to be considered conformant to the HTML5 specification, it would need to start with an appropriate doctype.

Posted by: Darin at January 17, 2006 1:54 PM

From my point of view too many people will opt out of this feature (why should I waste time pinging a server to let it know that I've clicked? and also the fear of being tracked (I laugh every time that I see cookies labeled as "dangerous spyware")), and also taking into account that the most used browser probably won't add this option for the moment, I wonder how many websites out there will go this way instead of keeping their old trustful redirects.

There are some interesting parts done in WhatWG, but I don't think that this is one of them. If the webmaster can't trust that it will work even if the feature it's in theory supported by the browser I think that they can't trust it at all and so they need to keep their old workarounds.

Of course I don't have the data to know about those websites that you mention (but I absolutely trust you), but IMHO, there are other bigger problems for the webmasters that just some pinging.

Posted by: Alfonso at January 17, 2006 1:56 PM

med, actually I believe you are inventing your privacy concerns. such tracking can already be done today without any javascript or cookies, using very standard features. this will only make it easier to separate the server to ping and the link destination.

Posted by: Matt at January 17, 2006 2:29 PM

OK. The reason I ask is that such HTML extensions always used to be considered "bad" by the open-source and pro-standards community. I don't really see what's different now, just because there's a working group coming up with the documents.

Posted by: Matthew Wilson at January 17, 2006 3:06 PM

Med, even if it's not in a W3C specification, it's still documented and thought-out in advance by WHATWG. The W3C doesn't have to be the only influence on the web.

Posted by: Ben Basson at January 17, 2006 3:13 PM

If I understand this correctly, this removes the need for redirect servers. So for every link, a ping to another url (for tracking purposes, is there another purpose?) can occur.

If that's the case, I don't think you need to justify this feature. Further, I'm not sure what UI you would present. People don't get notified now when clicking on a link that it's being tracked.

Redirects are a waste of time and putting a pref to turn this feature off would discourage web sites to use it.

Posted by: rebron at January 17, 2006 4:32 PM

This is entirely behavioral and should be handled with the DOM (JavaScript), not HTML. The WHATWG has produced some interesting ideas, but this is not one of them.

Posted by: HeroreV at January 17, 2006 7:03 PM

No one has mentioned what I consider to be the crucial difference between redirects and this "ping" thing: namely that redirects can be seen by the user -- they are aware they are happening. This ping thing will not be visible unless one examines the source code of every site they visit before clicking on links. Furthermore, simply informing the user that something is about to occur is not satisfactory unless the user is given the option to opt out without denying them the ability to follow the link. If a user is denied the ability to follow a link because they do not want to share their browsing habits with a third party, I think that will drive people (myself included) to use IE, which will have instantly become the more privacy-respecting browser.

I do not think that a site admin's concern about the slowness of their links is a valid reason to hijack a user's networking stack to notify arbitrary servers of their activity. If the site's admin doesn't like the redirects making their links slow they can remove the redirects.

This has too much potential for abuse. It will be uniformly rejected by the user community.

Posted by: Jerry Baker at January 17, 2006 9:35 PM

Maybe this should be limited to the current host, as for XMLHttpRequest.
If this is the case, I see no potential for abuse.

And of course the user has to have the option to disable it at all.
If this is the case, I don't think it would drive anyone to use IE.

Posted by: Dao at January 17, 2006 11:20 PM

My comments as a user:

I do not like being tracked as I surf the web. I really do not see any advantage from my (the user's) point of view if the "dirty work" is now done in the browser instead of the website!

If "some very popular websites" ask you to disable pop-up blocking will you do so as well???

Posted by: radjam at January 18, 2006 12:12 AM

med, Matthew Wilson: canvas is not a standard, XMLHTTPRequest is not a standard, and so on. Did you scream for those ones?
A standard is not a standard until it becomes a standard. The W3C has _totally_ dropped all evolutions of HTML 4, and XHTML 2 is probably one of the best definitions ever for 'stillborn'... The Web can't wait.

Posted by: Daniel Glazman at January 18, 2006 12:16 AM

"This has too much potential for abuse. It will be uniformly rejected by the user community."

No it doesn't. It has exactly the same (or less) potential for abuse than redirects, since the links are less likely to be obscured.

Are you honestly saying that you think end-users notice redirect links, deliberately copy, paste, edit and then navigate to them? Nobody does this, it's inconvenient and slow. Being able to turn off a similar but more user-friendly mechanism should satisfy the tinfoil hat wearers (who presumably also disable referrers).

Posted by: Ben Basson at January 18, 2006 1:20 AM

> No one has mentioned what I consider to be the crucial difference between redirects and this "ping" thing: namely that redirects can be seen by the user

No one that is except Darin in the original post and comments 1 and 3. Users will be notified of the site they are pinging.

> If the webmaster can't trust that it will work even if the feature it's in theory supported by the browser I think that they can't trust it at all and so they need to keep their old workarounds.

Yeah, this discussion happened on the WHATWG mailing list. Basically it amounted to this feature being a tool that sites can use to implement a common thing in a less user-hostile way, if they so choose. The theory, which apparently at least one large web marketing firm agrees with, is that being transparent about collecting advertising data, even if users can disable the feature, is better than doing so in one of the confusing ways that people do it at the moment (e.g. by performing a redirect so the status bar points to the redirect URL and not the infinitely more useful final destination).

Posted by: jgraham at January 18, 2006 1:49 AM

Jerry: I think most people don't notice redirects - and even when they notice them, they don't consider them harmful. (header) Redirects can't be disabled, because this would break website functionality. They aren't reported because the user doesn't want to be bothered with it in the first place. Redirect urls can easily be obfuscated, so the user can't figure out if he will be redirected when clicking on a link. Now, why complain about a new feature that has the same implications for end users, but a lot of advantages also?

This is about speeding up the user's web experience, reducing server load and internet traffic on the whole. I'd rather see a well-thought standard that accomplishes this than redirect pages.

Posted by: Albert at January 18, 2006 2:46 AM

While I don't really see how this is any different from what's currently available, I can see that some people would be (and are) concerned.

I like the idea of it only being available for the originating host. It's a source of annoyance that I can't copy links from sites that use redirects (google, particularly) without manually stripping off the extra junk. It's also annoying that I don't know they're there without manually checking links, so this idea has a chance to do some real good.

There's a precarious balance here between the needs of users and the needs of website operators. Take too much away from either side and they just won't use the feature.

Posted by: Sam Gentle at January 18, 2006 3:07 AM

Matthew: The difference between WhatWG work and non-standard browser additions is that WhatWG features are discussed in public, in a place where anyone who wants to can watch and contribute, and that three of the four major browser manufacturers have said they will implement it and are involved in its discussion.

rebron: On the WhatWG mailing list, Hixie said "Also, at least one of the biggest Web advertisement companies would rather let a user go to the target site without tracking them than track them against their wishes ... (I would consider my source on this matter reasonably authoritative.)". I find that a bit odd myself, but if their data tells them that's the way to go, I can only be happy.

Herorev: I don't agree--I think it's correct being in markup--but you should bring it up on the WhatWG list.

Jerry: Users will be notified when clicking on a link pings other servers. That's in the spec as a SHOULD, and as Darin explained it just isn't implemented in Firefox yet. Furthermore, also as Darin explained, under the current system if a site wants to they can easily make it so the tracking is hidden. The end result is that anywhere this is used the user experience is improved, and nowhere is it degraded.

Dao: Limiting it to the current host would be impossible. Take for example google ads on websites: google is the one that needs to be notified, not the website hosting the ads.

Posted by: dolphinling at January 18, 2006 3:46 AM

I must agree with Jerry here. This is no better than what Google used a while ago. They used javascript to load an image in the background, effectively tracking all clicks on the results page. This is something you browser makers should protect us from, not make easier. If you decide to implement this I want to be asked with a popup every time someone wants to ping from my computer. And don't make it another one of those "Yeah, always allow this" options.

Posted by: Emil Stenström at January 18, 2006 4:36 AM

Just because websites are already using tracking mechanisms, it doesn't mean that the Mozilla Foundation should help them to do so.
Moreover, adding arbitrary attributes to the HTML doctype, sounds like Ms vs Netscape to me. Please don't repeat the mistakes of the past. If you don't like HTML, please come up with a completely different format, don't try to hijack an existing one.

Posted by: Flavio at January 18, 2006 5:48 AM

Sounds interesting to me. Wouldn't expect an option that let me turn off pings. Also perhaps some visual indicator for ping links so no one has to install an extension.

Posted by: Marsh at January 18, 2006 6:34 AM

In the interest of privacy, this function is user controllable right?

Posted by: MrScsi at January 18, 2006 7:05 AM

Mozilla has critical bugs open like this one:
https://bugzilla.mozilla.org/show_bug.cgi?id=242207
and they start adding more spyware in the meantime.
Konqueror/Safari is a pretty good alternative.

Posted by: David Aznar Reguero at January 18, 2006 7:09 AM

So how long until there's an extension or a greasemonkey script to strip this out of the link code in the pages?

Posted by: James at January 18, 2006 7:16 AM

I agree that it should be limited to the current host and or the host to whom one is being directed.

Also, how will this affect encrypted connections and requests?

Posted by: Paul at January 18, 2006 7:20 AM

I'm not at all sure I'll continue to use Firefox if this feature is a standard component...how is this disabled in an environment where we centrally administer hundreds of machines? User concerns over privacy and security were primary in our decision to make the switch from IE even though most casual users preferred it. Legit or not, the appearance of similar privacy issues with Firefox would be sufficient to erode user confidence in the product. If I can't disable it, I'll likely just let people go back to IE rather than try to explain the redirect thing. Users just won't get that and won't care.

Posted by: Rob Whelan at January 18, 2006 7:21 AM

Doesn't this bring up a potential misuse in DOS attacks?

Posted by: Daniel at January 18, 2006 7:21 AM

If this is enabled by default in Firefox, I will immediately stop using Firefox and go back to IE (already done it). Make it optional for users who actually desire the performance benefits.

Posted by: Michael Schaefer at January 18, 2006 7:22 AM

"namely that redirects can be seen by the user -- they are aware they are happening."

In theory but certainly not in practice. Most are too quick to be seen.

Posted by: Paul Watson at January 18, 2006 7:23 AM

Jerry, how are redirects visible to the user? They may see the URL in the location bar change for a fraction of a second, but very few real-world users notice, realize what is happening, or care.

This standard is similar to the wiretap features that router companies were adding to their routers to improve the ability of law enforcement to do wiretaps. People can already do these things today (clickstream tracking and wiretapping), but solutions to do it are poor, they break easily and have potential privacy issues (such as the difficulty of wiretapping a network connection without seeing a lot of traffic from 3rd parties you don't intend to monitor). Existing solutions perform poorly and are fairly kludgy. All this does is create a clean, performant and thought-out way of accomplishing what people are already doing.

Posted by: David at January 18, 2006 7:23 AM

Dao, why would it matter? I can use a standard link tag to send someone to a site/URL that is outside of my security context today without this standard. That's sort of fundamental to the web. So, today, the means exist for doing clickstream tracking like this across security boundaries. Why would someone want to use a technique like this crippled in such a way? There's no security benefit to doing what you're asking. It's just a hit, after all. The page doing the linking (or pinging) isn't actually fetching data across security boundaries. There's no security issue here.

Posted by: David at January 18, 2006 7:26 AM

P.S. Your website is about to be Slashdot'd.

Posted by: Michael Schaefer at January 18, 2006 7:27 AM

Considering some (many?) organizations block ping at their border routers, such a feature would be rendered absolutely worthless.

Posted by: Richard at January 18, 2006 7:29 AM

Jerry:

Do you have the option to opt-out of current click tracking schemes? Perhaps if you're willing to copy and paste the URL, editing out the redirect script. That is, if you're lucky and the site uses the full URL in the link and not some ID number that doesn't tell you anything.

This sort of thing happens on the web. It's being used on lots of major sites, and I doubt anyone is taking steps to opt-out currently. A standard, declarative way to implement the feature will allow for user notification (and possibly an opt-out method) as well as remove some of the performance penalty incurred by current javascript or redirect script implementations.

Posted by: Ted Mielczarek at January 18, 2006 7:32 AM

I'm also concerned that this goes too far with regards to privacy, since as explained in previous postings "ordinary" redirects would still reveal themselves in the URL bar whereas in this case it would both be hidden and optionally even a multi-server ping.

The very least that should be done is to have a well-visible notification in the status bar or, alternatively, a very obvious hint directly at the hyperlink that this is a tracking link (a tinfoil hat candidate would imagine this e.g. being a nice "spying eyes" icon directly beside the link which would also display further explanation via tooltip if mouse hovers over the eyes).

Posted by: ConcernedUser at January 18, 2006 7:33 AM

This should NOT be enabled by default and IF it is enabled, it should ask the user if this behavior is actually wanted before the first ping attribute is actually processed. This has major privacy and performance issues. Why the hell did they implement this draft crap instead of getting the missing actual standard CSS features right, for instance?

Posted by: jope at January 18, 2006 7:34 AM

Whenever I read WhatWG I'm horrified. Their ideas always include some junk that is not necessary, because the W3C specs already allow the desired functionality (I'm thinking of <canvas> here), but actually implement a clean separation of content, layout and functions. The WhatWG ideas seem to stumble back into the feature-wars of old every single fucking time...

I'm actually ashamed that both Mozilla & Opera are part of this. Please, implement full W3C first, and, if you really feel the need to include this era's <blink>, then at least give me the option to turn off any non-standard tags. Do not return to the painful days of "designed for", please?

Posted by: Robert Kosten at January 18, 2006 7:36 AM

When exactly will this release be available to the community? I need to know exactly when to stop recommending firefox to my users.

Posted by: Tory at January 18, 2006 7:39 AM

I hope you guys have implemented "pings" so that they can ONLY GO TO THE ORIGINATING SERVER. At least with redirects the user can have some assurance that the link is going to a site that they legitimately consented to viewing in the first place (and have agreed to privacy policies, etc.).

Posted by: anonymous at January 18, 2006 7:40 AM

Great, all I need, DoSing attempting from my browser and the lovely privacy invasion that you've just compiled into code. Getting people to move to Firefox is hard enough and it's going to decline once the media jump on the "Alternative to Insecure Browser trounces your privacy"

Rethink it, do yourself a favor

Posted by: spg at January 18, 2006 7:42 AM

In order to get around the critical mass issue, a javascript could be created that detects whether or not the feature is available.

If available and on, the script would do nothing.

If unavailable, the script would process the document and transform <a href="blah" ping="ping?url=blah"/> into <a href="ping?url=blah&forward=true"/>.

If available and off, a respectful script would do nothing. Clearly, there is also the possibility to force the behaviour.

Perhaps the WHAT WG should develop this compatibility script themselves if they want to increase adoption rates.

Posted by: Erik at January 18, 2006 7:43 AM

I was wanting to create a personal bookmarking site and this would solve my problem (without using redirects) so all I need is access to the originating host. Block it from going to other websites sounds like a good idea.

Posted by: at January 18, 2006 7:43 AM

There are two aspects of this feature that need to be addressed. Some have asked whether there will be a UI so that the feature might be turned off. The problem with this is that most users will opt to turn the feature off thereby forcing websites to continue their old way of using redirects rather than the ping backs. So you can't build in an option to turn the ping attribute off.

However, the other issue is making the web browser user aware of all the URL's that will be pinged when clicking on a link. There must be a way to list all the URL's that will get pinged. One possible way would be in a similar manner to the current way that all the RSS feeds are listed in a small pop down menu in the status bar. Not giving this information to web surfers is simply an invitation to spammers and phishers.

Posted by: James at January 18, 2006 7:44 AM

Good idea, Dao ... while that limitation of XMLHttpRequest is not impossible to work around, it does require the hosting site to support some sort of proxy service for requests. ... and let's face it ... once the data makes it to the hosting site, they can really do with it what they want.

As to a disable option, if it doesn't exist in the normal config options for Firefox, it will exist as an extension in ... 3 ... 2 ... 1 ...

Posted by: Kevin Hendrix at January 18, 2006 7:44 AM

In today's Firefox trunk build (about:config)

browser.send_pings is set to true by default.

Posted by: Jingle at January 18, 2006 7:45 AM

Seems like yet another avenue for denial-of-service attacks, too. All I have to do is get a ping attribute on a reasonably popular web site to point to other places I want to bog down with network traffic.

Posted by: Marty at January 18, 2006 7:47 AM

And just out of curiosity, how _would_ one disable this 'feature' if one _was_ concerned about privacy?

Posted by: George at January 18, 2006 7:48 AM

This feature is privacy-invasive and should be disabled by default. If the user clicks on a ping-equipped link, Firefox should inform him that a ping is desired and how to enable the feature (either generally or just this once). Privacy on the web is troublesome enough as it is. Please do not implement features like that without clear consent.

Posted by: ADAXL at January 18, 2006 7:49 AM

Richard, you are confusing "ping" in this context with an ICMP echo request (typically generated by command-line "ping" programs). This feature does not generate ICMP messages. It simply requests that the browser perform additional HTTP requests against the "ping" URLs. All traffic is standard HTTP traffic and there should be no new firewall implications.

Posted by: David at January 18, 2006 7:49 AM

I like the idea. And there should not be a user override. But the links should be restricted to the current host to prevent malicious behaviour. Very useful!

Posted by: Doug at January 18, 2006 7:50 AM

No web-browser on my desktop will ever honor such a "ping" attribute. If that means, I'll stop using Mozilla... so be it.

Posted by: Peter Mogensen at January 18, 2006 7:51 AM

This is being touted as potentially reducing server load and improving the user's page load times. But users also don't like to be tracked, and want to discourage servers from doing so.

From this perspective, it may be more desirable to make redirects even slower and more server-side intensive than they already are, so as to discourage servers from implementing such features. Such a policy would potentially improve users' page load times and bandwidth consumption as well, since servers would not do redirects as often.

The proposal's justifications seem a lot like saying "if you can't beat them, then just give them what they want."

Posted by: hito at January 18, 2006 7:51 AM

browser.send_pings
There you go...

Posted by: Villa at January 18, 2006 7:52 AM

I use Firefox because I trusted the Mozilla team not to do this kind of thing. I do not want my surfing to be tracked and I do not like Mozilla making it easier for that to happen. A bad call by someone. Perhaps evidence that Mozilla is becoming more subject to commercial pressures.

Posted by: R Pollack at January 18, 2006 7:53 AM

Oh please, don't even try to use the inclusion of the non-W3C standard XMLHttpRequest as justification. XMLHttpRequest was there to allow mozilla to match ie's functionality in a lot of places, with a clear benefit to the user.

This "ping" extension has a clearer benefit to tracking sites, advertisers, and a somewhat stretched benefit to users of "well your destination page will load faster". I find it amusing you want to use faster page loading as an excuse, yet the already enabled preloading can of course slow down page loading due to strain on a server.

It's somewhat embarrassing to read the claims that were made for Firefox with regards to privacy then to now look at this, enabled by default, and the lack of p3p support. How very Microsoft of you.

Posted by: barryd at January 18, 2006 7:55 AM

Please don't do this. This can already be done with Javascript, which is where behavior belongs.
Standards are meant to be agreed upon standards not "Hey, maybe if we add this feature everyone will think it's great and it will become standard."
Don't you see that this is what fueled the browser wars? You add 'ping' MS adds 'touch' and eventually somebody in the MozFound says "Wouldn't it be spiffy if we had a tag that would make text flash? Some major websites requested it!"
This is a very slippery slope. Please, let's just not do this.

Posted by: Thom at January 18, 2006 7:59 AM

It's in the DEVELOPMENT version of Firefox only. And it can be disabled by the user simply by changing the preference:

browser.send_pings

There is NO guarantee that it will even make it to the released version. This is just sensationalism.

Posted by: elfguy at January 18, 2006 7:59 AM

1. seems like this is yet another of a long chain of features being added to web browsers without due consideration of the privacy characteristics...going all the way back to cookies. just because a few people think that this is a good idea doesn't mean it is a good idea. it's fairly easy to identify something new that has a benefit; very difficult to understand exactly what implications that new something has for privacy.

2. even if there are already other ways to harm a user's privacy, this doesn't justify adding another one. that's like using a previous accidental error to justify deliberately making a new error.

Posted by: Keith Moore at January 18, 2006 8:00 AM

Jerry, how is simply informing the user not satisfactory. As you mentioned, currently with redirects the user can see that it is a redirect, at least to some degree. Yet, the options are still either click on the link and go through the redirect or not click on the link.

Should this then not be enough in the case of the ping attribute - showing the user that some sort of tracking is going on, and that's it?

I personally think that while this does have the potential to be abused, in its current spec, the ping attribute is no different than redirects in terms of the user being tracked. It just seems to be more 'anti-privacy' because the tracking is more apparent to the user than in a redirect.

Posted by: Hiran at January 18, 2006 8:01 AM

All I ask is that there be a way to turn it off. I don't care if there's a prefs UI or not, as long as I can go to about:config and disable it I'll be happy.

That said, I probably wouldn't actually disable it, but I want the knowledge that I can if the (perceived) need arises.

Posted by: Phillip Rhodes at January 18, 2006 8:02 AM

Add this feature and everyone will either:

1. Disable the feature if it's possible.
2. Patch Mozilla to disable it (and suddenly, you are going to lose all the tech-savvy users).
3. Go back to MSIE or Opera.

I, for one, don't give a flying fuck on what "several big sites" want. If they are big, they can afford to add the infrastructure to solve the problem in their side. I'm not interested in notifying nobody of what I'm doing.

They are *NOT* your users, I am. And it will take me like..5 seconds to get rid of the firefox if you end up implementing this kind of crap.

Posted by: Guillermo at January 18, 2006 8:04 AM

> Doesn't this bring up a potential misuse in DOS attacks?.

Get at a few popular sites' index page (slashdot, digg) and introduce a few pings to a site you don't like. ;)

Posted by: Vurt at January 18, 2006 8:04 AM

I just can't grasp people that scream at spyware or anything else. There are plenty of cases where I can see abuse, but this is not just one. So I beg people that scream around here to give me an example of HOW this feature could have ANY drawback to the user than using javascript redirects.

Sam Gentle, the thing is here, nobody takes away anything from any side. Webmasters ways are potentially easier, user clicks are potentially faster. It's a Win-Win.

And those screaming after privacy just are blind to see that this will induce no change whatsoever to what their browser do, but fasten clicks.

Well... Please don't tell me I'm wrong. Show me.

Posted by: pieroxy at January 18, 2006 8:06 AM

I like this idea. While I believe its use won't be as widespread as it should be, I believe it will, at the very least, make the web a little faster from the user perspective.

It also sounds like this feature will actually help those with privacy concerns. If you can turn it off, then those 3rd party sites don't get notified. At the moment, you can't really turn off the redirects. Sure, for those that use the onmousedown event, turning off javascript can protect you from that, but other sites just plain redirect. And, of course, you can copy/paste the "real" url, but that's impractical for the normal surfer.

As for the notification, I think a notice on the status bar is more than enough. Perhaps have a popup the first time a ping link is clicked on. Allow the user to disable the popup notice (and give the user the ability to say no on the popup). Similar to the secure popups that appear when you first install the browser. And the user can just disable the feature in the settings, why bother popping up every time?

Posted by: Jason Frisvold at January 18, 2006 8:07 AM

First, I can totally see the value of this feature. It allows me to browse faster (assuming the ping is sent on a low priority background thread). Second, it seems the privacy issue boils down to two things; I should be able to disable anything that makes it difficult to know what my browser is doing (like JavaScript), and anything that is not easily disabled should clearly inform me of what it is doing. Add pings to the status bar (as you mention you intend) and I will like it. Do not and I will not.

Posted by: Bob Bushman at January 18, 2006 8:08 AM

I guess I have to switch to Opera now.

Posted by: deus at January 18, 2006 8:08 AM

Folks, thanks for all the great feedback on this feature.

I want to point out an interesting detail that I left out of the original article: namely, that it is possible to implement something like in IE by exploiting a bug with the way "(new Image).src = ..." works. An image loaded that way actually runs to completion even if the user has navigated away from the website that initiated the image load. Websites use that trick today with IE for click-tracking.

Posted by: Darin Fisher at January 18, 2006 8:09 AM

I can't see this ever actually working, because it needs to be universally supported and never disabled.

An alternative might be to turn the idea on its head - instead of having a ping attribute have something like a redirect attribute and the href would be the page that is pinged.

If the browser doesn't support 'redirect', then the href will be loaded as happens now, and will then forward the user on. If the browser does support redirect, then it will load the redirect page to the user and silently ping the href.

It still relies on the browser being honest - it could just go to the redirect without touching the href - but it means that browsers without this feature are still tracked.

Posted by: Ian Thomas at January 18, 2006 8:12 AM

This is a bad feature. It should not be included in Mozilla or Firefox. If it must be included, it should be disabled by default. I will not use any version of Mozilla or Firefox in which this feature is included and enabled by default. I would support a fork of the Mozilla source if there is no other way to stop the adoption of this feature.

Posted by: at January 18, 2006 8:12 AM

A commenter writes: I think most people don't notice redirects - and even when they notice them, they don't consider them harmful.

Some data.

There are at least two FF extensions to remove or notify the user of redirects. According to addons.mozilla.org, the one has been downloaded 51,346 times, the other 35,665 times.

A third extension, to de-obfuscate links, has been downloaded 10113 times.

Posted by: at January 18, 2006 8:13 AM

Ugh... people are so ignorant. This is not invasive. Every major website already tracks every link you click, this just makes it slightly cleaner and faster for you as an end user. The website you are on has every right to know what you are clicking, they are after all providing a service to you, and often times for free. Currently such tracking is implemented with redirects, or javascript, or other ugly implementations. This will speed up your browsing experience and actually let you see where you are going when you click a link. There are so many methods implemented already that allow you to be tracked it's not even funny. This is no different than putting 1x1 transparent pixels on a site, 1 pixel for every site you want pinged. Stop being ignorant people and stop being paranoid. If someone knowing what link you clicked is in any way detrimental to you then you've got far worse problems.

-Steve

Posted by: Steve at January 18, 2006 8:16 AM

"Are you honestly saying that you think end-users notice redirect links,"


The answer is YES. And frankly, if I'm not given the option to turn this off, Firefox will no longer be my browser. Period, end of story.

I started using Firefox specifically "because" the developers seemed concerned more about the end-users than the website developers (of which there are more who would abuse this feature, than those who would honorably use it in the spirit it is intended). I say politely, and with all due respect, that I think it is somewhat naive to act as though leaving this option in the hands of web site owners will not lead to abuse.

Posted by: Jon at January 18, 2006 8:17 AM

I think this will be a very useful feature.

That I as a user will have control over the pings (even if it's through an extension) is a whole lot better than having NOTHING now.

Posted by: R Roskens at January 18, 2006 8:18 AM

Is there a bugzilla somewhere where one could vote against this?

Posted by: Ævar at January 18, 2006 8:19 AM

The way I see it, I would prefer 2 options, much like cookies: Enabling/Disabling a ping to the same site, and to a different site. I would have the same site enabled by default, because they're already tracking you with their own redirects, webbugs and cookies. Other sites can take a flying leap, and should be disabled by default.

Posted by: Jeff Harris at January 18, 2006 8:22 AM

When I use a browser on a clean operating system install, simply doing a Google search alerts me with something along the lines of, "You are about to send plain text data. Do you want to be alerted about this every time? [ Yes ] [ No ]" Seems so simple to me. Enable it by default, and the first time an offending link is clicked, have some sort of warning and/or option, which the user can change later if they so choose.

Of course, you won't get any warnings the first time you click on one of Google's search result links. I hope everyone who's getting ready to leave Firefox has already left Google, 'cause not only are they tracking your movements, but if you're logged in at the same time, they know who you are alongside where you're going =O

In other news, Pizza Hut locations across America may be tracking which of their locations you visit by tracking your vehicle's license plate number ;) [Never mind if you live outside the states, or don't own a vehicle.]

Posted by: Chris Fritz at January 18, 2006 8:23 AM

a very useful feature for all hackers and spyware fans eh? not for us the end-users though. lose it..

Posted by: t u at January 18, 2006 8:23 AM

You say that "this change is being considered with the utmost regard for user privacy," but it's clear that you're really trying to solve a performance problem: "The net result is that you end up waiting for the redirect to occur before your browser even begins to load the site that you want to go to."

Addressing performance is good. But nothing in your post suggests that you're considering privacy at all in the implementation of it. Just *stating* that you're maintaining users' privacy when you're actually doing something else is the way the Bush administration works, but not how open-source software should. "Hey, we informed Congress/developers/users what we were doing! Didn't you read the fine print/popup? It's *your* fault for not opting out/monitoring us/stopping us in the first place!"

It's almost as if you're suggesting there's a privacy improvement here so that you can get an appealing technical solution implemented.

Posted by: Andrew at January 18, 2006 8:23 AM

Get used to it, the web tracks your personal info from the color of your eyebrows to the size of your toenails. If ping means Google, porn sites, etc, will do less javascript hacks and redirect trickery to track what they already track, then this feature is useful. However, the fact that Firefox will most likely be the only browser to implement it for a while means that websites will still have to employ all the javascript hacks as a backup, for that period of time. But hey, why not add a ping?

If you're one of those people who won't use Gmail because you're weirded-out by ads that actually pertain to your interests then you should probably stop using the Internet :)

Posted by: Kumar McMillan at January 18, 2006 8:28 AM

The reasoning some folks employ here seems to be that if other folks do bad things, they themselves should be able to introduce entirely new bad things. The famous arms manufacturer argument: Firefox doesn't hurt people, people hurt people. I hope I do not have to explain what's wrong with that argument. (In case I do: think BLINK.)

If you decide to implement a feature according to spec, one would expect you to implement the entire feature, which includes the GUI. People who click links may keep an eye on the status bar because they have gotten used to getting a raw deal on the web (this should provide you with a hint about the importance of knowing what a click means!), so the status bar seems the logical location for any feedback on the type of link you're clicking. But the address that typically appears in the status bar is situational knowledge; whereas the fact that a link leads to multiple addresses is functional knowledge, and should probably be part of the rendering of the link text or object itself.

Anyway, it is good to see that you are working on an advanced hypertext experience. Does this mean you are going to implement (or already have implemented) fat links too?

Posted by: Branko Collin at January 18, 2006 8:29 AM

As a technical user (and commercial geek for rent), but NOT a developer, or fulltime website person, I can say I too will STOP installing firefox on ALL machines I service/sell/update/un-spamify if this makes it to a formal release.
Two reasons:
1) Possible Privacy implications
1a) THE sense that mozilla.org NOW has sold out
1b) that they've coded an easy "idiot here" feature
2) Non-standard, ie designed for XXX again
2a) I still have to explain to people that firefox works for ONLY 90% of the websites due to the non-standard coding practices of Micro$quish. Now I have to recommend a program that does this TOO?

End of user comments!
Putting this in, EVEN if there is a plug-in, will TOTALLY undermine the effort for foxfire to spread.
(and I've been using it before it was called foxfire too!)

Posted by: markbnj at January 18, 2006 8:34 AM

I've been using Mozilla for years. I'll drop it like a hot potato if this is implemented.

Posted by: ox at January 18, 2006 8:36 AM

More on the issue.
check out the slashdot discussion.

http://yro.slashdot.org/article.pl?sid=06/01/18/1427212&from=rss

important question.
If this CANNOT be disabled, users will NOT choose firefox any more

IF this feature CAN be disabled (or can be via a plug in, heavens forbid) then DEVELOPERS will NOT use this feature, except for the sleazy sites that want to trick users.
and will cause firefox Terrible publicity!

it's a catch-22 situation.

Posted by: markbnj at January 18, 2006 8:37 AM

To all the people complaining about this new feature - this offers nothing new that's not already happening.
Most current tracking uses scripting but defaults to standard images (1x1 transparent gif) - thus unless you have disabled scripting AND image loading from sites other than the originating server, then your browsing will on many sites already be tracked.
The above doesn't even modify the URL in the status bar. Only in the (from my experience) few situations where tracking is done through server-side redirects, will this be visible in the statusbar (unless of.c. scripting is used to obfuscate this).

I am not convinced that this will be a useful new feature, considering the amount of features that current tracking captures (javascript support, screen resolution, operating system etc). It appears as if the "ping" will only capture the clickstream - unless combined with as much scripting as we currently have. However I do welcome the addition of new features as long as they come from an open debate and are thought through.

Posted by: Soren at January 18, 2006 8:41 AM

"I want to point out an interesting detail that I left out of the original article: namely, that it is possible to implement something like in IE by exploiting a bug with the way "(new Image).src = ..." works. An image loaded that way actually runs to completion even if the user has navigated away from the website that initiated the image load. Websites use that trick today with IE for click-tracking."

Are you saying you intentionally implemented an exploitable IE bug as a new Firefox feature?

Posted by: concerned at January 18, 2006 8:44 AM

A link is a link is a link. This 'feature' belongs firmly in the Javascript realm - not as a default browser behaviour. And as previously said, this would need to be universally supported to be of *any* value to the ones who need to track outbound links.

Posted by: Jakob at January 18, 2006 8:44 AM

I think the thing most of the people who are screaming that this is a bad idea are missing is that any information that is going to be collected by a ping, is already being collected.

I can literally think of a half dozen obvious ways to collect and share the information without resorting to a ping or a redirect:
1) log scan - I get the IP address and I can even pull the browser type if I want to.
2) use a scripting language to create the page - php, perl, whatever - all can record to some nice database somewhere.
3) Use Perl::Pg to create some bogus image and flag your information on the img src= request
4) use body onload= to open a dummy window that just loads a body onload="document.close()" statement.
5) Packet filtering on the firewall.
6) Include flash/java/activeX applet that has a 1X1 pixel size in some corner and have it report back.

In various scripts and for various reasons, I have used the first 4.

So if the browser people want to make my life as a designer easier by giving me a ping option, I'll use it if I need to track usage.

If the people with the tin hats decide that being notified that I am tracking them is too much, I'll go back to not telling them - it's that simple.

Posted by: at January 18, 2006 8:46 AM

I say don't add it. From a developer standpoint, it doesn't belong in the HTML, and from a user standpoint I don't want it. Really, if it is included I don't think it will be adopted. Why would a site that already does click-tracking re-work it to use the ping attribute for Firefox when they already have a solution that works for all browsers? All this will do is hurt Firefox's credibility.

Posted by: Lance Fisher at January 18, 2006 8:54 AM

> Are you saying you intentionally implemented an exploitable IE bug as a new Firefox feature?

Of course not. I'm saying that due to a bug in IE, websites are able to make link clicks send pings. As a result, websites that employ click tracking perform better in IE from the user's perspective. My interest is in improving the page-load performance of Firefox.

Posted by: Darin Fisher at January 18, 2006 8:55 AM

It seems to me that the best way to implement something akin to this, whilst remaining user-focused (as in "good for the user") would be to extend the "Accept-Encoding:" mechanism, a la "gzip". Something like "Accept-Tracking:HTTPPing" seems workable.

That way, it can default to disabled, be enabled by the user if they're comfortable with it, be parsed by the server in order to decide which tracking mechanism the browser supports, allowing for the page to be dynamically crafted to use the old redirect-methods if needed, etc.

Posted by: GrangerX at January 18, 2006 8:58 AM

Very interesting.
I won't repeat the valid concerns others have expressed about privacy, the potential abuse of the feature to create DoS attacks, or the fact that it is a non-standard feature.
I will though, emphasize this. Having a third-party site track me (the "user") through the use of Javascript or whatever other means is not the same as having the very same website manipulate my browser (through the use of ping attributes).
I believe the latter has too much potential for abuse, and I do not understand why it seemed like a good idea to implement to the developers.

Posted by: Foukarakis Michael at January 18, 2006 8:58 AM

I built many web sites while working for a web design company. We always built our pages to be browser neutral. We checked them against IE, FF and Safari (tough to do sometimes!). I can't see myself ever coding this just for FF. I know it wouldn't bother the other clients, but all it would tell me is how many FF clients clicked a link, not how many visitors clicked a link. I use WebTrends & query parameters for analytics. This sounds like a "blink" or "marquee" tag...not very useful.

Posted by: Doug at January 18, 2006 9:01 AM

Nobody seems to be addressing what seems to me to be the most critical problem with this:

This is essentially making link tracking into a distributed application and shifting a content provider's bandwidth and CPU costs associated with link tracking to the end user without his/her permission. In essence, this amounts to donating the user's bandwidth to content providers without their explicit permission. I do not fancy subsidizing Google or Doubleclick by donating my bandwidth to their tracking efforts, and I'm disappointed that the Mozilla Team is so eager to have all Firefox users do just that unless they opt out (which assumes they know about it).

As far as this "feature" speeding up page loads, I don't think that's a legitimate issue in this case. If a content provider loads up their links with redirects and their servers are too slow to deal with those redirects, then they need to upgrade their hardware rather than force me to do their link tracking for them. If they are unwilling to make that investment then their pages *should* be slow.

Posted by: Robert at January 18, 2006 9:02 AM

http://gemal.dk/browserspy/ping.php
will test to see if your browser supports the ping attribute

Posted by: Henrik Gemal at January 18, 2006 9:05 AM

So I can control cookies, control javascript, turn off autoredirects, turn off images from 3rd party sites; and because these features can be turned off and are being abused by website tracking/marketing companies, you're implementing another way for websites to track us passively? Ridiculous.

Is explaining privacy on the internet too simple? Are we trying to make users so desperately out of their depth that they have no way to safeguard whatever privacy they may pretend to keep?

It's a sad day when 'the good guys' go bad.

Posted by: Doug F at January 18, 2006 9:06 AM

NO NO NO. Do _NOT_ do this. This is a privacy disaster, if implemented as described in a real product.

Yes, websites track IP addresses when someone queries THEM, but that's not what this does -- it lets SOMEONE ELSE track users, without consent of the user and possibly without consent of the website. A _vast_ number of sites are vulnerable to cross-site scripting, too, so making it easy to FAIL to filter this is a real problem in practice.

And yes, I _DO_ examine each URL before I click it. So do others. If Javascript allows information to leak out to another site (e.g., while hovering or onclick), then that's clearly a privacy defect and needs to be fixed.

Firefox is for USERS, not for MALICIOUS SITES. Please remember the difference.

Posted by: David A. Wheeler at January 18, 2006 9:11 AM

Darin: Is there a special header sent with the ping request? like when doing link prefetch?

Posted by: Henrik Gemal at January 18, 2006 9:11 AM

This is clearly a feature that needs strong clear definition and wide browser support in order to be useful to website creators in the least.

One vagueness that will need to be addressed is its interaction with cookies. Are site/session cookies sent with the PING? If they are, I might consider that an intrusive invasion of privacy ... although this would be marginal at best. The site receiving the PING could still track a user's IP address ... although in this age of NAT that would be somewhat less useful to them. Alternatively, the site generating the HTML could simply add a parameter to the PING request which it could use to track users ... or build the user identifier into the base url and use mod-rewrite to do the needful. There are many ways to track a user ... which is why I say "marginal at best."

The ability to disable the PING feature would be a must. I would also suggest a configurable way to limit the number of PINGs possible out of one click event.

Clearly the goal of this feature is "improved user experience." If implemented in a site-limited way, like XMLHttpRequest, I can't see how it would add any new abilities to a malicious developer's toolbox.

Posted by: Kevin Hendrix at January 18, 2006 9:12 AM

Geez... It's like the great cookie debate of '96-'97 all over again.

Everyone who is promising to drop "Foxfire" unless it offers a way to turn it off needs to read some of the comments already given...

I honestly don't see what the big deal is. Every time you navigate to a page, you inform that page where you're coming from via a referrer. This includes potentially private information such as search strings used to find that page.

This allows for websites to track not where you're coming from, but where you're going to. Everyone already does it via referrers and JS image handling, so why not bring it out in the open?

I seriously doubt everyone who is complaining about privacy concerns here actually disables their referrer information. Doubt it. And if there are individuals who want to disable all of these features, they can. (If they can read...)

The standards process through which this emerged is an entirely separate topic...

Posted by: Nick at January 18, 2006 9:13 AM

Google already does this with a scrap of javascript on every single search result page.

It uses the image insert technique which works in IE and Firefox.

Why can't webmasters just mimic that - we don't need special features like that in Firefox.

Posted by: -lc- at January 18, 2006 9:15 AM

Is it not obvious from the comments that >>everyone<< wants to have at least a dialog to opt out of the ping thing before the browser first attempts it? Even the specification mentions this! Pleeeeeease implement it, because otherwise I am starting to have strange feelings about the direction that Firefox is taking... which is sad, given the fact that I have been using it for so long...

Posted by: Jakub at January 18, 2006 9:17 AM

So, how does starting several 'ping' connections while my page is loading... make my page load faster? This just generates more traffic on the wire during the time my page is loading.
Not a good idea in my opinion. At least add the option to disable this 'feature'.

Posted by: Todd at January 18, 2006 9:19 AM

I agree that this will be too widely abused.

The scenario that comes to mind is that someone sets up a shady web site, phishing brings them the users, then the users click the links and their "ping" (and let me know if I'm interpreting ping incorrectly) is sent to a server which contains their IPs.

They then have a giant list to feed into a vulnerability app to see what they may or may not be able to do to this user.

I agree this should be a javascript coding item, not HTML. HTML is for presentation.

Posted by: Josh at January 18, 2006 9:20 AM

I'm sure the Chinese government is going to thank you for this feature; but, not those dissidents who are going to now be more easily tracked using your “improvements.”

I’m sure those dissidents will think quite kindly of you as a Coke bottle is being shoved up their ass because they were tracked to a “non-government-approved” information site.

Please keep up the good work and go to the nearest Chinese consulate to collect your medal. Good job! Really!!

First Cisco IMPROVES their routers to work more “efficiently” with Chinese firewalls, and now this! You sure have come a long way baby! Although, I must say that I do not care much for your chosen direction of travel.

Posted by: Ben at January 18, 2006 9:20 AM

I like it. It will enable websites that do referer-tracking now to improve the user experience for browsers that support ping by using the same webpages as before with the addition of 10 lines Javascript that converts all links automagically to use the ping attribute therefore speeding up the page loading. All others will get the slower referer-type tracking.

Posted by: at January 18, 2006 9:22 AM

Just my 2 cents after reading the whole lot of comments above:
(1) Some, or most, actually, people posting above need to check their assumptions. Tracking is NOT a good thing, unless the user has explicitly opted in. Tracking must be justified, the user must be aware of it and willing to pay the price (in cash as a subscription or in loading time).

(2) The justification in more than a few posts above, “it is already being done,” is completely bogus. Please when considering whether to implement this in Firefox DO NOT ASSUME that everybody is happy with tracking, and nobody is doing anything about it. Several ways to circumvent existing tracking methods are outlined above, and I would argue that they are being used by people who care. Do not make life more difficult by providing yet another method of tracking.

(3) Regarding people who do not care whether they’re being tracked or not – the fact that they do not care (at the moment of actually clicking the link) IS NOT sufficient justification for tracking. They may start caring a second after, but it would be too late and the damage (real or perceived) is done.

(4) As far as my limited understanding goes, currently sites, big or small, must incur a penalty for tracking link clicks. It is a combination of increased server load, possibly increased investment in programming the tracking mechanism, and last but not least, increased load times for users, meaning increased chances of losing users to other sites offering the same content. Removing that penalty with no added benefit to the user (in addition to faster loading time) will only MAKE MORE SITES EMPLOY TRACKING. Which is not where I want to go.

Short version – No need to provide new ways to do an inherently bad thing. Especially if doing so would cost less to those actually doing it. Lower cost will mean more sites actually doing it. Tracking is just bad, and more of a bad thing cannot be a good thing. Period.

Edit: In response to a post (Posted by: at January 18, 2006 08:46 AM) which appeared while I was writing this – I absolutely DO NOT want to make life easier for a webmaster who wants to follow my habits. Revealing my habits/preferences/etc. costs money, and I would very much like to retain the option to be the one who decided whether the content of the web site is sufficient payment for that information. You, the webmaster, have no right in taking that option away, anytime. You, the webmaster, have the option to use whatever methods available to you to protect the content and only reveal it after receiving the requested info from me. I, the user, should have the option to decide whether to visit a site that absolutely requires that I reveal personal information. No side should have an option to override the other side’s decision.

PS: Sorry if this is too long...

Posted by: Peter at January 18, 2006 9:23 AM

I say cut it. Why?

1. It's nonstandard HTML. -- As mentioned elsewhere, from a standards compliance perspective alone, this is a bad idea.

2. You can already accomplish this today with JavaScript, *without* redirects. -- Ironically, this is used as an argument in support of this feature. This is a red herring. If sites can already track me today (which raises legitimate privacy concerns) then why is it that I should *not* worry about a feature that only makes this easier? How about we focus on *addressing the privacy issues* first before exacerbating the problem in the name of efficiency?

3. It will hurt the credibility of Firefox as a safe alternative to IE. -- I think this is actually the most important reason of all to not pursue the development of this feature. Regardless of *actual* security/privacy threats, the responses in this thread alone (as well as the /. article) show that opinions vary widely. Spin will occur on both sides and invariably press will be generated (rightly or wrongly) describing this feature as a privacy threat. I fail to see how this can help Firefox under any circumstances.

Posted by: Matt at January 18, 2006 9:29 AM

I'm about to release a NoScript version that will remove the ping attribute on the fly from links clicked on untrusted sites and include a UI pref (not yet implemented in Firefox, don't know if planned) to disable ping globally.

Posted by: Giorgio Maone at January 18, 2006 9:31 AM
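
Several commenters above propose controls over pings: separate same-site and third-party settings (Jeff Harris), a cap on pings per click (Kevin Hendrix), and stripping the attribute before the click (Giorgio Maone). The sketch below is an added example of such a policy filter, not Firefox or NoScript code; the function names, policy fields, exact-hostname test for "same site" and the sample URLs are all assumptions made for illustration.

```javascript
// Added example (not Firefox or NoScript code). filterPings, rewritePingAttr
// and the policy field names are hypothetical. "Same site" is approximated by
// an exact hostname match, since the thread does not define it.

function filterPings(pageUrl, pingAttr, policy) {
  const page = new URL(pageUrl);
  const kept = [];
  const dropped = [];
  const seen = new Set();

  // The ping attribute holds a space-separated list of URLs.
  const tokens = (pingAttr || "").split(/\s+/).filter(Boolean);

  for (const token of tokens) {
    if (!policy.enabled) {
      dropped.push({ url: token, reason: "ping-disabled" });
      continue;
    }
    let target;
    try {
      target = new URL(token, page); // resolve relative URLs against the page
    } catch (err) {
      dropped.push({ url: token, reason: "unparseable" });
      continue;
    }
    const reason = rejectReason(page, target, policy, seen, kept.length);
    if (reason) {
      dropped.push({ url: token, reason });
    } else {
      seen.add(target.href);
      kept.push(target.href);
    }
  }
  return { kept, dropped };
}

// Returns a reason string when the ping must not be sent, or null to allow it.
function rejectReason(page, target, policy, seen, keptCount) {
  if (target.protocol !== "http:" && target.protocol !== "https:") return "not-http";
  // Repeating one URL many times must not multiply the requests sent.
  if (seen.has(target.href)) return "duplicate";
  const sameHost = target.hostname === page.hostname;
  if (sameHost && !policy.allowSameHost) return "same-host-blocked";
  if (!sameHost && !policy.allowThirdParty) return "third-party-blocked";
  if (keptCount >= policy.maxPerClick) return "over-limit";
  return null;
}

// Value to write back into the link, or null when the attribute should be removed.
function rewritePingAttr(pageUrl, pingAttr, policy) {
  const { kept } = filterPings(pageUrl, pingAttr, policy);
  return kept.length ? kept.join(" ") : null;
}

// Constructed sample input: a page and the ping value of one of its links.
const SAMPLE_PAGE = "http://news.example/story/1";
const SAMPLE_PING =
  "/track?l=42 http://ads.example/c?id=7 javascript:void(0) " +
  "/track?l=42 http://news.example/t2 http://news.example/t3";

// Same-host pings only, at most two per click.
const SAME_HOST_ONLY = {
  enabled: true,
  allowSameHost: true,
  allowThirdParty: false,
  maxPerClick: 2,
};

console.log(filterPings(SAMPLE_PAGE, SAMPLE_PING, SAME_HOST_ONLY));
```
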

The second this feature is in a release build of firefox is the second that I uninstall it from my machine. Deal with that.

Posted by: Anon at January 18, 2006 9:38 AM

> My interest is in improving the page-load performance of Firefox.

And my interest is to protect my privacy. Therefore I do even download and install performance-lowering Firefox extensions.

Think about it.

That's my personal trade-off and I'm happy with it. I ask you not to force me to embrace your trade-off, i.e. less privacy but better performance. And I promise not to interfere with yours.

Simply make it opt-in.

Posted by: Rob at January 18, 2006 9:40 AM

I hope this doesn't end up being another one of those 'dirty fixes' that MS so love to use in their browser, which years down the line will once again present web designers with cross-browser developing headaches. I don't mean to say that W3C is perfect, but it just sucks for web developers that they can't pick one standard and stick to it.

Posted by: keith hughitt at January 18, 2006 9:41 AM

What a terrible idea. HTML is a standard maintained by the W3C, not by WHATWG, Mozilla, Microsoft, or anyone else. Haven't we learned anything?

Posted by: Phil at January 18, 2006 9:41 AM

I personally don't like being tracked on the web regardless. I never signed anything giving anyone rights to do so. Re-directs are a pain (unless legitimate, but still should be notified). Pop-ups are annoying (and usually useless). I think it is best to stay away from Microsoft's trend. They have always left "doors wide open". When a need arose, (and a lot of public attention) then they would release patches to close down certain aspects. I believe the best way is the exact opposite. Have everything shut down by default, and then 'open' up ports/features as needed. Defaulting to "on" takes away an individual's rights to choose. Open source has always appealed to me because I have just that, "the option to choose". Perhaps this feature would best be done by having that in your "preferences menu" with a description (disabled by default). Perhaps even as new features are put into the later browsers, it will launch a wizard on first initialization asking you to configure some of these settings.

Posted by: S. Murphy at January 18, 2006 9:41 AM

When a browser implements stuff sneakily, aren't the developers aware of the alarm bells it will create, specially among the technical folks ? And such privacy-oriented stuff should be well publicized and easily disabled if needed if you don't want to incur the wrath of the community.
Think of how many commends you would have got if you had gone about this the right way instead of bowing to some big web sites money and surreptitiously inserting this change. This just might be Firefox's Waterloo.

Posted by: R Rau at January 18, 2006 9:44 AM

I'm not sure I've seen any good reason for why this should go in. This isn't about what the developers want, but what makes sense in the spec. Ping does not in any sense, except to those wishing to exploit it.

Posted by: Matt at January 18, 2006 9:46 AM

>>I think the thing most of the people who are screaming that this is a bad idea are missing is that any information that is going to be collected by a ping, is already being collected.<<

I must have missed the part where I was asked to volunteer my browser's active participation in this new form of data collection. Most of the others you listed I can choose to opt out of, by one mechanism or another.

Posted by: phil at January 18, 2006 9:50 AM

What an Appallingly Bad Idea this is. So isn't this just another example of an organization Selling Out. There is no benefit to the user for any of these tracking mechanisms. They all violate a basic tenet of openness, don't they??

The whole set of mechanisms that track users seem to be based on an unwarranted attempt to create value (read $) for what are otherwise valueless items. The value of the ad to a company is the resulting purchase, not the number of people who look in the store front window. The value of the number of people who look in the window is to the window creator who can then show they are deserving of a higher fee. So neither the product seller nor the shopper benefit from any of these mechanisms.

Thus having shown that it is the store window designers that benefit from these user tracking mechanisms, it is not surprising that the world of online advertising wants to increase the value of their activities. What is very appalling is that Mozilla has decided to do yet another nefarious tracking scheme and they are doing it without even letting users opt out of it.

This whole process of user tracking is built on closed loop group mis-thinking. The need is rationalized because others do it or there is another way to do the same thing. Rationalizing a bad idea based on other bad ideas does not prove righteousness. This whole situation degrades FireFox and Mozilla. It certainly seems to demonstrate that there needs to be CHANGE in both the staff and management for Mozilla. Don't you all ever talk with regular people or do you only feel comfortable in your world of closed group think.

Now I haven't posted here before, so if this is too long, my apologies. But this new "feature" is another serious error being made by what was thought to be an upfront organization. Where can we go to get a browser built for users and not built as yet another exploit. It doesn't look like we can recommend FireFox anymore.

Posted by: Rodney at January 18, 2006 9:55 AM

If Opera is also in WHATWG, isn't it logical to assume that future versions of Opera will also support this?

Posted by: Ryan VanderMeulen at January 18, 2006 9:58 AM

So, the only benefit to me is a faster page load? Nope, not worth it, my internet is already fast enough, thanks.

Don't sell out and don't add it....Firefox doesn't need the bad publicity.

Posted by: DanOCan at January 18, 2006 10:02 AM

This is a no-no for mozilla

Posted by: Des at January 18, 2006 10:06 AM

No need to stick your nose in the air and go to Opera or IE, just switch (back) to Mozilla Suite.

Posted by: KickinItOldStyle at January 18, 2006 10:06 AM

Gang,

From a privacy policy standpoint, there is a world of difference between exploiting "tricks" for user tracking vs. building them into browsers as standard features. In the current privacy-invasive environment, while we have to deal with the former case by case, there is really no excuse for the latter.

Given that most users stick with defaults, any policy other than disabling such a new "ping" feature by default would be unacceptable from a privacy standpoint. Efficiency and "golly, there are other ways to track people anyway" arguments are utterly specious.

As it stands now, turning off javascript and carefully noting URLs (I usually notice oddball redirect URLs when present) are indeed of some value in controlling certain classes of tracking abuses. We do not need an even more invisible mechanism built into what has been (up to now) an excellent browser.

Limiting the "pings" to the same server does not solve the problem -- abuses of this feature are just as possible (even more likely, actually) using the same server.

That the development team would even consider enabling such a feature by default suggests a tin ear when it comes to privacy issues that will be worthy of considerable ongoing concern (an earlier example is the page prefetch feature enabled by default which also carries significant privacy risks). A clue to fuzzy thinking in these regards is talk of setting the default differently in Firefox vs. Thunderbird -- creating a privacy policy variation with no obvious rationale.

I urge the parties involved to reconsider their support of this "URL ping" feature as described, a feature that I can guarantee will bring Firefox under intense public criticism.

--Lauren--
Lauren Weinstein
lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
- International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

Posted by: Lauren Weinstein at January 18, 2006 10:08 AM

Ben Basson wrote: "Are you honestly saying that you think end-users notice redirect links, deliberately copy, paste, edit and then navigate to them? Nobody does this, it's inconvenient and slow."

I notice them, and the redirects themselves are slow. I solve this with the RedirectRemover extension. There are also a couple of Greasemonkey scripts that do the same thing.

Posted by: Ulysses at January 18, 2006 10:10 AM

You can argue all day that users are tracked already. But from the comments here, it's clear that this would be a public relations disaster for Firefox. If you implement this feature, don't be surprised when the marketshare drops, alarmist news articles crop up all over, and people start talking about a fork.

It's not just about what makes sense technically. It's also about people asking whose side you're on. Firefox right now has a reputation of being on the side of the users and doing the best it can to protect their privacy. That's part of its brand. Screw with it at your peril.

Posted by: Dennis at January 18, 2006 10:11 AM

It's a shame.......... just when Firefox was taking off, they go and shoot themselves in the foot.

It doesn't really matter if this is Privacy Invasive or not, the fact is 99.99% of users don't understand the web in the first place, and when told that Firefox now sends Pings somewhere when you click on a link, they see it as a Privacy issue.

If Firefox implements this as a standard feature without an easy way to disable it, then it will start losing market share, and once again IE will not have any competition for the end user.

Posted by: Mike M at January 18, 2006 10:11 AM

I am very concerned about privacy implications of the new ping attribute. I don't think this has any place in Mozilla. And while we are at it, we should remove that pesky href attribute too.

Posted by: Niels Leenheer at January 18, 2006 10:17 AM

Steve wrote: "The website you are on has every right to know what you are clicking"

That's fine by me - so as others have suggested this feature should restrict the ping URL to be at the same site as the current page.

If a site owner needs to notify third parties of links clicked on their site, put the onus on them to trigger a background GET to that third party from their own ping URL handling script, *not* from my browser!

Posted by: Alnitak at January 18, 2006 10:18 AM

One thing to think about here is Firefox is able to set the bar on this right now. If they implement this feature and set the privacy and user notification bars high. MS will be forced to meet that standard with IE7 -- they are playing catch up.

Pings are not "bad" for end users -- if anything it would be nice to have one way across all browsers that work. Sites will do this some other way if this feature is not added. They are right now. With the new feature we can restrict the pings to the source site or have many different options for security.

Posted by: Wade Stuart at January 18, 2006 10:19 AM

From a previous post:
"And, of course, you can copy/paste the "real" url, but that's impractical for the normal surfer"
So, why not give us an option to do that automagically instead of this ping-shit?
Most of the dirty tricks in use, I can already filter out with something like Proxomitron/privoxy etc. I guess I can filter this shit too, but why should I have to in the first place?
Fuck this, Firefox goes the way of the browsersauri. When will somebody start a new project to build a browser for the USERS???

Posted by: Nemo at January 18, 2006 10:20 AM

"My interest is in improving the page-load performance of Firefox."

Yeah because *everyone* is bitching and moaning about that.

Posted by: alan at January 18, 2006 10:22 AM

It really doesn't matter what technical merits this may or may not have. If Microsoft can get the media to spin this in a bad light, and they have done this several times before, then all of the hard work done to get IE users will fail.

Not to mention as a web developer, I never had to worry about Firefox in terms of standards implementation. When I develop a site, I want to be able to have one authoritative source for a format, whether it's HTML, CSS or anything else. I do not want to see "the core standard is available from W3C, the extended standard from WhatWG, and the new extensive standard for Mozilla browsers ..."

Posted by: Dan B. at January 18, 2006 10:23 AM

Also, prepare for people to claim that this is driven by Google, the world's largest web advertising company, which just happens to employ a number of full-time Firefox contributors.

Not saying that's so, I have no knowledge either way, but I'm sure I'm not the first to think of it.

Posted by: dennis at January 18, 2006 10:29 AM

I am opposed to this ping technology for multiple reasons:

1) Bandwidth usage when surfing over 3G connections to the Internet. Pings are low bandwidth cost, not free.

2) Impact on proxying. If my pings travel a different path than my actual web traffic, the computed redirection for efficiency may actually make things worse.

3) Impact on relocation. If I am travelling in Europe and want to continue watch my online movies (think www.starz.com), their servers may very well decide I am one of those icky Europeans and outside their service area. My workarounds via an ssh tunnel to a squid proxy will no longer work without adaption.

4) Growth in DNS queries and cache sizes as presumably different hostnames will be used in the listing of ping targets. If IP addresses are used instead, trackability suffers.

Posted by: Alan Peery at January 18, 2006 10:31 AM

"The W3C doesn't have to be the only influence on the web."

Spoken like a retard.

Posted by: Andrew at January 18, 2006 10:36 AM

My 2 cents: it's possible to do the same tracking without support from the browser and without using a redirect (redirect == bad).
It's an interesting idea to add support to the browser for this, but I'd first check with the people who actually use tracking to see what they really need. My suspicion is that they'd want to pass all sorts of parameters to the "ping".

Posted by: Julien Couvreur at January 18, 2006 10:44 AM

We've noticed that the Nazis are using REALLY inefficient methods to kill all you troublesome Jews, so (since they asked nicely) we've worked out a much more *practical* way, which involves no work on their part -- you kill yourselves instead. Don't worry though, because we'll be adding an "opt-out" feature, REAL SOON NOW. This opt-out feature is really SPIFFY too, because once you enable it, it forces them to fall back to their old, inefficient methods! Isn't that neat! Aren't you SOOOOO glad we've spent our time enabling them to do something MORE EFFICIENTLY that you would probably have expected (and hoped) we would be working on preventing them from doing ENTIRELY? Crazy world, huh?

Ummm, guys, you're missing the point (largely because no-one has expressed it very well, but missing nonetheless). You've just removed the COST associated with doing something the USERS DON'T LIKE. Previously, yes, websites could track visitors (even across sites), but their websites were SLOWER than those of COMPETITORS who DIDN'T. There was a COST, you see. Now there is not, and a LOT MORE websites will be doing this invasive, intrusive thing, because it will no longer HIT THEIR BOTTOM LINE to do so. Most obnoxiously, you now force ME to do their dirty work FOR THEM, and take what was previously THEIR OVERHEAD upon myself!?!. Folks, just because slavery in China is "going to happen whether we want it to or not" does NOT justify us helping them make it MORE EFFICIENT...

Mozilla USED to be the browser for (and BY) users -- apparently this has changed, as the OLD Mozilla team would have spent its time figuring out ways to allow BLOCKING the EXISTING methods of tracking, rather than making it easier and more efficient. Might it be time for a "User's Coalition" fork, to get us back to our roots? It happened with XFree86, no reason it can't happen here...

Cheers,
t.

Posted by: Thomas Williams at January 18, 2006 10:52 AM

I am troubled by the proposed ping feature/plan. I want to be able to opt out. I don't like the idea of pinging an indeterminate list of URLs, if I understand that correctly. I would seriously consider switching browsers if this were implemented in a no-opt-out way.

Maybe tracking can already be done. I don't quite understand all that about redirections. I don't think browsers should facilitate tracking, even in the interest of speeding up websites. Browsers should focus on users' interests not web sites' interests.

If a site does a lot of redirecting to track users (and then is slow), some users will go some place else quicker (that isn't slow because they are being tracked).

I firmly believe that any feature that tracks users should be obvious and apparent to the users and require opt-in.

Well so much for one opinion.
--Fr0g

Posted by: fr0g at January 18, 2006 10:53 AM

Bye bye Firefox. Honeymoon is over.

Posted by: truman at January 18, 2006 11:00 AM

I also think that this is a bug, not a feature.
By all means add it, but please turn it off by default.

On another note, what *would* be useful is to have an attribute to disable the HTTP_REFERRER. So that, if on my site, I have had to fall back to PHPSESSIDs, and I provide an external link, the external site can't steal the session. (Shouldn't target="_blank" do this too?)

Posted by: Richard Neill at January 18, 2006 11:03 AM

Well, you've done it. Finally. What was looming in the dark now comes to light - this once beloved software is doomed and will hopefully burn painfully in hell for getting between the sheets with the wrong guys.

Posted by: Dafrood at January 18, 2006 11:07 AM

This is a horrid feature. I had previously appreciated the fact that the Firefox development team had the appearance of caring about end-user privacy and the end-user experience.

Sadly, this appears to no longer be the case.

I will wait and see if a mighty loud retraction is made (which, hopefully it will) and this 'feature' is yanked back out, shot, killed, and buried where it belongs, before deciding what my future browser suggestions will be.

Microsoft, et al. WILL jump all over this, and have their cronies in Big Media do the same.
The more technical people, which have been to-date Firefox's biggest support base, will leave in droves over this.
Why is the Firefox team wanting to shoot themselves in both feet like this?

Posted by: Andrew at January 18, 2006 11:08 AM


Did we learn nothing from the browser wars?

Foisting yet another browser-specific tag on the HTML-using world is irresponsible, impolite and, well, just sooo 1997...

WHATWG had some interesting ideas for patching up the ageing remains of pre-XHTML HTML, but this attribute is ill-considered. Worse - Mozilla deploying it without cross-browser consensus (yes, IE does count there, whatever you think of Microsoft) is an act that shows no respect for the poor developers, webmasters, web designers, managers and others who will have to add this to the list of partially implemented "bright ideas" that browser engineers have lumbered them with.

What's the point of a user-tracking mechanism that the majority of browsers don't support?


Posted by: Dan Brickley at January 18, 2006 11:09 AM

Someone please tell me that Google is not behind this push. What other 'BIG' sites support FF?

Either way this is bad. If the site needs a ping back do it in Javascript, not some silly HTML tag.

I really hope this feature doesn't make it to the mainline releases, this is not a good idea at all just because Google wants it.

Posted by: Scott at January 18, 2006 11:17 AM

This feature would be a huge step *forward* for privacy, if sites implemented it, which they won't.

As people have noted, you could always strip "ping" attributes with Greasemonkey. Right now, redirects can have opaque URLs such that the real target is hard to strip out. By having a standard API---which can be completely circumvented---you can get rid of tracking consistently without losing functionality. Of course, this would be so good for privacy that chances are no site would abandon the existing method. So for that reason, this feature is probably not worth pursuing.

Posted by: Umesh at January 18, 2006 11:20 AM

147 comments? Ouch.

Can anyone else commenting please consider:

1. This will not be in any public Firefox build until Firefox 3.0. You have at least 18 months to make your point, you really don't have to flood poor Darin with abuse and nonsense.

2. Try actually *reading* about this feature before commenting, you'll see that it _encourages_ privacy because you can turn it off. The current method employed by websites is entirely unavoidable.

3. This *is* opt-out. There is a preference to control it and there will be UI as well, as per the WHATWG recommendations.

4. This is nothing like the browser wars. At worst, this won't get used. At best, everyone will implement it and users win in two ways:

i. A more responsive web.
ii. The ability to turn off one form of tracking.

5. There isn't a way to block the current methods of tracking at all, because there's no way to tell that a link such as http://www.myserver.com/tracking.php?link=132453 actually redirects to http://www.mozilla.com or whatever.

Darin, I think it'd be worth your while posting a follow-up explaining this stuff in more detail... that might cut out some of the completely unfounded responses you're getting.

Posted by: Ben Basson at January 18, 2006 11:23 AM

I think maybe I've had a change of heart.

Please remove this ping, because I don't want to be tracked easily.

Please remove HTTP referrer headers, because I don't want to be tracked easily.

Please remove cookies, because I don't want to be tracked easily.

Okay, seriously: I do agree that this should be in the function (Javascript) rather than the markup (HTML). Then again, the Javascript may use a class attribute on links to be modified by the Javascript, or use onclick-like attributes, which is still adding an attribute.

I would prefer if this only worked with an HTML 5 DTD or higher. Other parts of the WHATWG's HTML, as far as I know [with my feeble memory], replace various Javascript with HTML+browser implementation. Sadly, XHTML 2 won't even be ready for implementation until 3082, and I'm not sure if I'll still be interested in web development by then.

I believe this should give the same kind of warning as sending unencrypted form data and setting cookies should have, and if it doesn't have this warning as well as an option in the preferences to disable it, it should be disabled by default in the *official releases*. Beta releases are for testing, so I would expect them to have it on. Also, I would prefer to see it disabled by default until the WHATWG's HTML 5 is close to finalization, and Firefox supports a lot more of HTML 5.

I do like all the straw men lifted in the comments here. Everyone hates the Bush Administration spying on Americans, and everyone hates the freedom-of-speech squashing Chinese government. So, let's suggest that the proposed technology, which is available today through Javascript and referrers and even cookies, would suddenly cause Chinese fighting for the right to speak out to have soda bottles used against them.

For what it's worth, I use NoScript, so I allow Javascript only for certain sites. I allow cookies only for certain sites. I do let them check out my referrers, but it's not like I visit objectionable sites, and as a web developer, I know how fun it is to see where visitors are coming from, especially when you find a page on your web site's gotten attention from a foreign language web site. (Also, I have blink and marquee disabled. But I'm a bona fide computer geek, so tinkering with software configurations and such is my thing.)

Do I believe there are people who believe they have valid privacy concerns? Yes. And some of them may very well be valid. Unfortunately, there are also the hysterical ones who may wish to switch to a web browser such as Lynx (and be sure to say "No" to cookies there).

If you're going to leave Firefox over this, try out Opera. If you plan on leaving Foxfire over this, might I suggest Seamonkey? ;) If this ping is a proposed part of HTML 5, when will Opera and Safari (and Konqueror) implement it?

Posted by: Chris Fritz at January 18, 2006 11:24 AM

*sigh* I don't even know why I'm bothering posting this comment, because the people who would actually be affected by it are the ones who have "privacy!" so firmly entrenched in their minds that they'll just ignore me. But for the small minority who will actually heed my words..

I, for one, am a developer and a user. I understand both sides of this debate, and from both sides of this debate I support this as a feature. (It's going to need careful consideration in implementation to prevent its use in DDoS attacks.)

For those of you concerned about privacy, realize that this behavior is not a privacy violation. It is bringing functionality that web developers normally go through great lengths to hide or obfuscate out into the open. This attribute will make it easy for developers to make tracking links, yes, but consider this: If it's THAT EASY to make the tracking link, developers are going to prefer it over the more-secret, more-invasive approaches that they already use, because it's less work for them.

You may see any form of tracking as "evil," but consider that this is the least "evil" of any tracking option currently available. It's visible to the user, compliant to a documented standard, and easily and effectively disabled. Denying this feature will simply continue to feed the existing methods of tracking.

If you don't want to be tracked, you've only got a few choices available to you. Disable scripting, disable images, disable redirects... and have fun browsing the Internet through Lynx. Few end users are going to cripple their browsers in order to protect themselves from a slight breach of perceived privacy. A standardized method for this would effectively and conveniently allow users the freedom of choice in the matter without requiring them to cripple their browsers.

Only the truly paranoid will jettison a browser because of this, especially if a disable option is conveniently available. Some of the other suggestions made -- attaching an HTTP header to the ping request -- will allow corporate control over this behavior, as well, through the use of firewalls.

Limiting pings to the same server is an idea with some merits and some flaws. Server-side scripts can relay the ping to the ultimate destination while still forcing that server to use resources -- deterring abuse of the feature -- and it also prevents arbitrary attackers from embedding links in pages without the ability to add such a server-side script... but at the same time it prevents the end-user from knowing WHAT the ultimate destination is and makes implementation for the web developer more complex, defeating the attraction of the simpler, better solution.

And yes, Firefox's page-load performance is currently its greatest weakness; IE's greatest weapon against Firefox is its speed.

Posted by: Coda at January 18, 2006 11:28 AM

"Ah, I see you have the browser that goes PING!"

Sorry, couldn't resist a Monty Python reference, especially since tracking consumer behavior has become the Meaning of Life on the web.

If anyone complaining would read where this is coming from, what prompted it, they'd realize that a non-disable-able version of this feature is a Good Thing. Not having it is more of a nuisance than having it. Disabling it will create (or re-introduce) more of a nuisance than making it non-disable-able. Hacks that disable it for you against browser-developer designs will do the same.

Your lives are not individually interesting to marketers who collect this sort of data. Only in aggregate are they interesting. You will not lose your privacy here -- you'll lose it on that form you fill out and submit without looking closely enough at the T's and C's. Your paranoia is misdirected if something like this is your target.

Posted by: finelinebob at January 18, 2006 11:30 AM

Who cares if IE or any other browser already does it? We can still not like it. Forgive the American public for being a little paranoid about privacy these days (wiretaps, anyone?) and give the people what they want! Firefox should be sensitive to this. I fear this will harm your reputation-- the regular press is going to be all over this in seconds. Fix it now!

Posted by: Matt at January 18, 2006 11:31 AM

This is clearly undesirable. A Greasemonkey script can neutralize it.

http://diveintomark.org/projects/greasemonkey/unping.user.js

Posted by: Mark at January 18, 2006 11:37 AM

Who wrote the spec of using ping? This approach is bad-looking and making people feel it's a new privacy concern while it is not!

Now how about this:

Show both on the status bar. (How to show them both is another problem.) Tell people that it is a privacy improvement because we can now opt-out the tracking and be fast if we want to!

Posted by: billyswong at January 18, 2006 11:37 AM

The IE image exploit still respects the P3P by showing a red-icon on the status bar. I hope that the wonderful firefox browser will also respect P3P compliance when using these "ping tags".
http://www.w3.org/P3P/

Posted by: Chris Danielson at January 18, 2006 11:37 AM

I'm against this, not because of privacy concerns, but because one of two things will happen:
1. It will not be possible to disable this feature, and lots of ignorant people will abandon Firefox, thinking this somehow invades their privacy (which it does not).
2. It will be possible to disable this feature, so it will be unreliable, so servers will not use it, and its only function will be to add bloat to Firefox.

Posted by: Ivan at January 18, 2006 11:41 AM

I agree with most of the people on here, I moved away from IE because Firefox was better, more secure, and less invasive. Just because there are a million ways to track a person, does not make it right to make it a million and one. Tracking is a bad thing, just like jumping off a bridge. And you don't see anyone else jumping off that bridge just because everyone else is doing it.

Do the right thing, Disable this feature by default or DON'T have this feature at all.

Posted by: Asrrin29 at January 18, 2006 11:46 AM

Actually, now that I actually read the spec on ping, I'm left asking myself, "Would a list of URLs to ping when this link is followed not be metadata for the link?" Perhaps it would properly be in the HTML.

Eh, not like it would get much use with so many people still using older browsers for a long time yet. I could imagine this ping attribute being quite popular with blogs if it was already supported in all major browsers.

Oh, and if you're pinging five URLs with a click, is that really speeding things up compared to existing solutions? Seriously?

Posted by: Chris Fritz at January 18, 2006 11:48 AM

This is a case of serving the site operators' interests or the users' interests. They are in conflict here. Site owners would control every detail of browser operation if they could get away with it. Knowledgeable browser users who care about privacy want, not this or that feature, but rather *control* over what their software does.

There was a similar debate about whether users should be allowed to prevent hijacking of the context menu, and Moz devs just barely came down on the side of users. Now it looks like they are starting to "sell out" users again.

Well, you have to decide who your customers are. If it's the site owners then betrayed users will migrate again. If it's the users then let's keep them in charge of what their client software does, as it should be. The fact that other sneaky tricks are used for tracking is not an excuse for another one. Instead it shows the need to turn off the sneaky tricks. There should be more user control of Javascript and remote images too, like being able to selectively turn off XMLHttpRequest, etc.

Posted by: Stephan at January 18, 2006 11:51 AM

Thanks for all the fish Firefox. And now let's go to the Opera and watch that fat lady sing.

From my point of view, this tracking crap is not acceptable and as someone already wrote: If this means that I will stop using Firefox, well, then so be it.

Posted by: a² at January 18, 2006 11:53 AM

Beware crying over this in the name of privacy. If this works as intended, (and yes, its potential success is open to much technical debate), this could shift more power from the websites/ad companies and towards the users.

Yes, if this is not implemented, it will fail, but then it also won't be a privacy risk. If it IS implemented, then we, the users, now have EXPLICIT control over whether or not our clickthroughs are tracked. Right now we do NOT have such control--we can hack it with url mangling and extensions, but we don't really have it.

Don't just scream "waa i'm gonna switch to whatever" because a tracking feature might be added. Consider first if this will play out to our advantage.

I believe that it will--or at least do no harm, based on my experiences with the current redirecting methods.

And please stop insinuating that Mozilla is turning to the dark side. Where Microsoft takes clandestine measures to hide their potential privacy violations and writes buggy software that allows other companies to do the same, Mozilla is making a bid to put it all out in the open and under our control.

All that being said, why not have limiting to local sites part of the configuration? Instead of just turning the pings on or off, allow them to be set to off, local sites only, and on.

Posted by: Dave at January 18, 2006 12:04 PM
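The three-state setting suggested in the comment above (off, local sites only, on), sketched as an added example that is not part of the original thread and not Firefox's code. The function names, the policy strings, the sample URLs, and the choice to treat "local" as "same hostname as the page" are assumptions made for illustration.

```javascript
// Added example: deciding which <a ping> targets a browser would contact
// under an "off" / "local" / "on" preference. All names here are
// hypothetical; sample URLs are constructed.

// Only plain web schemes are ever pinged; anything else is dropped.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The ping attribute is a space-separated list of URLs. Resolve each
// entry against the page URL and discard entries that do not parse.
function parsePingList(pageUrl, pingAttr) {
  const targets = [];
  for (const token of (pingAttr || "").split(/\s+/)) {
    if (!token) continue;
    try {
      targets.push(new URL(token, pageUrl));
    } catch (e) {
      // Unparseable entry: skip it rather than guess what was meant.
    }
  }
  return targets;
}

// Return the absolute URLs that may be pinged under the given policy.
// Unknown policy values fail closed (no pings at all).
function allowedPings(pageUrl, pingAttr, policy) {
  if (policy !== "local" && policy !== "on") return [];
  const page = new URL(pageUrl);
  const seen = new Set();
  const allowed = [];
  for (const target of parsePingList(pageUrl, pingAttr)) {
    if (!ALLOWED_SCHEMES.has(target.protocol)) continue;
    // "local" here means same hostname as the page (port is ignored).
    if (policy === "local" && target.hostname !== page.hostname) continue;
    if (seen.has(target.href)) continue; // one ping per distinct URL
    seen.add(target.href);
    allowed.push(target.href);
  }
  return allowed;
}

// Constructed sample: one first-party target, one third-party target,
// one non-web scheme, and a duplicate of the first entry.
const SAMPLE_PAGE = "https://news.example/story/42";
const SAMPLE_PING =
  "/track?id=7 https://ads.example.net/click?id=7 javascript:void(0) /track?id=7";

console.log("off:  ", allowedPings(SAMPLE_PAGE, SAMPLE_PING, "off"));
console.log("local:", allowedPings(SAMPLE_PAGE, SAMPLE_PING, "local"));
console.log("on:   ", allowedPings(SAMPLE_PAGE, SAMPLE_PING, "on"));
```

Under "local" a site can still relay the notification to a third party from its own server, which is the trade-off several comments in this thread point out.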


Today, they are making use of redirects, and it cannot be noticed easily, and we cannot turn it off. That's true.

But just making it easier for the sites is plain stupid.

If anything will be made about that, that should be giving users more control about it, not using an excuse like "they are making it anyway" to implement PING like they say it is now.

Implement it, with DEFAULT DISABLED, and give option for people to turn it on. Nobody will complain about this.

But then, the adoption will be small... but isn't this a sign of its badness anyway?!?!?

Posted by: Andre at January 18, 2006 12:10 PM

Can there be a user option that only pings same-domain sites? --just like cookies. Otherwise, this seems to get around the javascript domain security model.

Posted by: at January 18, 2006 12:24 PM

As for me this 'feature' (as well-meant as it may be) would be enough reason to make use of another browser.

Posted by: SpacemanSpiff at January 18, 2006 12:24 PM

It's sad to see something like this on news, even though Firefox has been my only one since the early days of development... I have had enough of this user tracking, same thing with any kind of spying everywhere with software. Makes my eyes look towards Opera, which I hope won't stab me in the back for a couple of years...

Posted by: JJ at January 18, 2006 12:24 PM

To sit there and tell me that this ping thing is justified because people are already doing it is the same argument that dope-smoking teens use.

PING == My uninstalling FF

nuff said...

Posted by: JB at January 18, 2006 12:39 PM

NO!!!!!!!

1. Tell me where in the W3C standard this exists?

2. Tell me why since I disable all of the tracking style cookies you feel you have the right to do this, just so your happy kester knows where I went.

3. I can assure you the community will fight you on this.

Posted by: James at January 18, 2006 12:41 PM

A redirect is very obvious and users will stop and go elsewhere if it uses too much bandwidth. These pings will allow the web site you're visiting to load quickly so you don't notice them, but will cost you real money. That's one of the big problems. It costs *us* the web user *our* money, just to help a web site operator make more money.

It should be possible for me to disable, it should be possible for me to make it ask me first, it should be possible for me to put various limitations on the uri's - eg, http only, referer only, trusted sites list only, exclude non-trusted sites, ask unless it is a trusted site, only the first uri and only if it is below a certain length, etc... Otherwise I'm sure I will be abused. Security is about thinking about these things before the bad guys do.

If it has those features, then sure, it's just about acceptable, but if a site wants to track me, they should look in their logs. If they want to use information about me to make more money then it should be at their cost, with the potential security or privacy risks being their own. If a third party needs the information, they can jolly well arrange it between themselves. The only reason they want this new feature is so they can breach the UK data protection act by claiming it was *me* who gave my personal data (embedded in a ping attribute) to a third party.

Overall, I think Mozilla shouldn't be a party to this. It *will* be abused, and it *will* be hard to undo.

Posted by: Tristan Wibberley at January 18, 2006 12:46 PM

Some refinement of my last comment:
is better than in two ways.
1. Nice degradation
When "href" can still be the original redirect_link, the web developer doesn't have to write any extra javascript into webpages.
2. No more complaints
What is the privacy problem of "redirect"? It is just a shortcut.

Posted by: billyswong at January 18, 2006 12:47 PM

"...Are you honestly saying that you think end-users notice redirect links, deliberately copy, paste, edit and then navigate to them? Nobody does this..." Nobody, huh? Wrong.

And Darin, "...it is possible to implement something like in IE by exploiting a bug with the way..." You're using this as justification? Isn't this the _exact_ reason we are using Firefox instead of IE?

Posted by: saltzy at January 18, 2006 12:48 PM

Welcome to the world of politics, Firefox. It just doesn't matter that you're entirely correct that this is trivial to do in DHTML, you're now going to get slammed because you're giving the ~impression~ that you're supporting site owners ahead of users.

You've entered political hell. Say hi to Microsoft.

Posted by: Will at January 18, 2006 12:52 PM

***The sites are not your customers - users are***

This is a terrible idea. The only thing you will garner from this is bad press and loss of market share. Just because "popular sites" are asking you to add this feature does not mean you should.

Posted by: Lee at January 18, 2006 12:54 PM

Lots of comments already, so I'll be surprised if anybody sees this one, but here goes, because I have a solution. I'll ignore the fact that integrating non-standards into the browser at an HTML level fragments the web and assume that FF is going to do this no matter what, so at least they should do it properly.


Mistake 1: Calling this a "ping" is the first big mistake here. It obfuscates the purpose and gets everybody reaching for their tinfoil hats and disablement extensions.

*** Solution 1: This feature should be called (to the user) "Click-Track Accelerator" and CLEARLY and openly explain that you are being click-tracked anyway, but by using this feature (enabled by default, but see #2), your browsing experience will be faster. This is a fact.


Mistake 2: Allowing any site to do this is asking for abuse including DDOS attacks on competitors and any number of other things that were possible before but even easier now (and all look bad for Firefox).

*** Solution 2: Include in the preferences a "Click-Track Accelerator Whitelist" which by default contains "adwords.google.com" (or whoever else donates to the Mozilla foundation [just kidding]). When a new click-track ping is attempted, prompt the user to allow, deny, or add to whitelist. Also have a checkbox for "Always allow for same server" (which is on by default and lets servers do what they can do anyway, but quicker).


Mistake 3: There is no facility defined for servers to identify this capability in the client so no servers will even use this! (Mozilla -- you're not Microsoft, so get over yourselves)

*** Solution 3: Some kind of HTTP header to identify this feature should be used. See GrangerX's post on this page.

Posted by: ogdoad8 at January 18, 2006 12:55 PM
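An added example, not part of the original comments and not Firefox's code: one way the user-side controls proposed in the comments above (off / local sites only / on, a trusted-sites whitelist, http only, a length cap, a limit on the number of URIs) could be applied to a link's `ping` value before anything is sent. The mode names, policy fields and hostnames are assumptions made for illustration, and "local" is taken to mean the same host and port as the page.

```javascript
// Added example: a user-side ping policy. Mode names and policy fields are
// hypothetical; this is not Firefox's implementation.
const MODES = ['off', 'local', 'trusted', 'on'];

function allowedPings(pageUrl, pingAttr, policy) {
  // Fail closed: an unknown mode sends nothing.
  if (!MODES.includes(policy.mode) || policy.mode === 'off') return [];
  const page = new URL(pageUrl);
  const allowed = [];
  // The ping attribute is a whitespace-separated list of URLs.
  for (const token of pingAttr.split(/\s+/).filter(Boolean)) {
    if (allowed.length >= policy.maxCount) break; // e.g. "only the first uri"
    let target;
    try {
      target = new URL(token, page); // relative URLs resolve against the page
    } catch (e) {
      continue; // unparsable token: never ping it
    }
    // "http only": drop javascript:, data:, ftp: and anything else.
    if (target.protocol !== 'http:' && target.protocol !== 'https:') continue;
    // Cap URL length to limit how much data can be packed into a ping.
    if (target.href.length > policy.maxLength) continue;
    const local = target.host === page.host; // same host and port as the page
    if (policy.mode === 'local' && !local) continue;
    if (policy.mode === 'trusted' && !local &&
        !policy.trustedHosts.includes(target.hostname)) continue;
    allowed.push(target.href);
  }
  return allowed;
}

// Constructed sample input (hosts are placeholders).
const PAGE = 'http://news.example/story';
const PING = '/track?id=7 http://ads.example/c?u=1 javascript:alert(1) ' +
             'http://tracker.example/' + 'x'.repeat(3000);
const base = { maxLength: 2048, maxCount: 5, trustedHosts: ['ads.example'] };

for (const mode of MODES) {
  console.log(mode, allowedPings(PAGE, PING, { ...base, mode }));
}
```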

The more I think about this the more angry I get.

There should be an investigation into who profited from this! Then they should be publicly burned on the Altar of Privacy as a sacrifice to appease the Great User Gods that have been so offended at the blatant defiling of their sacred grounds.

Posted by: JB at January 18, 2006 12:56 PM

Glad to see that you are all waking up to the fact that the current Web has (God-forbid) shortcomings and flaws. This has as much to do with the beloved, glorified W3C as it does with M$ or Mozilla. USE AT YOUR OWN RISK.

Does this mean we scrap the Net? Stop using it? Yell profanities at Bill Gates? No. It just means that you should be aware that using the Web has risks associated with it; maybe it's time to break through the illusion of privacy. (Enough people here have already described what stealthy web developers are doing--and it's not just pr0n operators and MP3 sites, a lot of well-reputed companies are watching you too).

If the thought of being watched scares you, stop using the Web. I, for one, will be clicking on those links without any hesitation because I'm not holding my breath for a better, safer, more secure Web anytime soon.

Posted by: Bored at January 18, 2006 12:56 PM

This feature absolutely MUST indicate to the target server that the request is a ClickTrack.

Otherwise, you're basically going to wipe out the pay-per-click ad model, as bloggers and everyone else start faking ad-clicks.

Posted by: Marc at January 18, 2006 1:00 PM

Bye bye FF!

Posted by: Jens at January 18, 2006 1:10 PM

I would not touch this with a 10 foot pole.

1. I dislike the privacy concerns. While it may not be technically worse than redirects, then I still hate it.

Multiple servers and no cross site security??, hello spyware :-\ Perhaps I can use it on my site to auto-click banners and ads. woohoo my adsense income will skyrocket :)

I could go into a lengthy talk but Lauren Weinstein actually said it very well in her comment.

@Glazman: I actually avoid canvas i canvas and other non-standard stuff if I can. Yes I do use gmail, but canvas I have managed to avoid. Personally I have stopped screaming about such things, as it appears GBrowser does what they want anyway

2. WhatWG is not a standard organisation. It is a bunch of people submitting ideas..

Their website only lists the members by name, not which company they work for and thus monetary interests they have.

- So how can I know what their agenda for certain proposals are ?
- How can I know which browsers this IMO crap will end up in?

My second concern with WhatWG is that while some may argue that they are a standard organisation, then HTML is not THEIR standard. Thus it is not theirs to change....

I don't go writing a GPL v3b license just because even if I think Stallman dropped the ball...

Thirdly WhatWG has afaik no members from Microsoft which is really bad. Have they even been invited?

Posted by: Henrik at January 18, 2006 1:18 PM

Man, WTF is wrong with all of you people. Talk about a bunch of paranoid self-important privacy freaks!

Web sites ALREADY TRACK WHERE YOU GO by sending you via redirect pages that track what you clicked.

This new PING attribute just speeds up the process by allowing the notification of your click to be sent ASYNCHRONOUSLY while you're redirected straight to the actual page.

If anything, this is better than the current situation as you can disable these notifications altogether (send_pings = no), something you can't do right now with the 'click-thru' method.

So what is the difference? Somebody please explain to me why this is ANY WORSE THAN WHAT SITES DO NOW??

Posted by: EpaL at January 18, 2006 1:25 PM

"You may see any form of tracking as 'evil,' but consider that this is the least 'evil' of any tracking option currently available."

How about this? "Don't be evil."

Greater evils do not excuse lesser ones.

Posted by: too bad Firefox developers are into navel-gazing at January 18, 2006 1:29 PM

Well well. Sites are not giving up their redirects because of Internet Explorer not supporting it. Sites will not give up their redirects because they want their redirects. Sites will not give up their redirects because users could filter out these pings (with a firefox extension or a privoxy rule) and remove the trackability of their clicks. So why even have it? I can't see the reason, really.

Posted by: the dude at January 18, 2006 1:33 PM

I paid money into Firefox, and I'd pay money for a fork away from this bad idea. I no longer trust the developers. I think Google and Doubleclick and whoever else (you didn't name them) have co-opted our team.

I want Firefox to be on the side of the users, not the abusers.

Posted by: artson at January 18, 2006 1:34 PM

One of the reasons I switched from IE to FF in the first place was privacy concerns. Another was standards compliance. Sorry folks, that's a double-time screwup in my eyes. I seriously hope this "feature" doesn't make it into the release.

Posted by: Flo at January 18, 2006 1:35 PM

Looking this over I can see 3 things immediately.

1. The PTB at Mozilla have already decided to go with this idea. The concept of "discussion in the open" is a spin tactic designed