Out of interest, how did you implement the 'informed user' requirement? ("When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs.")

And it's disabled by default, right?

The UI component of this feature is currently unimplemented. We did not see that as a blocker to enabling this on the trunk (development) builds of Firefox. I hope to test out Ian's suggestion of adding the pings to the status bar shortly.

The feature is currently enabled by default in Firefox, but disabled for Thunderbird.

Ohh dear no...

1) privacy concerns
2) it is non-standard. you MS wannabe

Do you need a WHATWG DTD (I assume there is such a thing) to make this work, or would it work in an HTML 4 document without other modifications?

Med, please keep it polite. If you have specific privacy concerns, let's here them.

Matthew, the answer is that it would work in a HTML4 document without other modification, but to be considered conformant to the HTML5 specification, it would need to start with an appropriate doctype.

From my point of view too many people will optout of this feature (why should I waste time pinging a server to let it know that I've clicked? and also the fear of being tracked (I laugh everytime that I see cookies labeled as "dangerous spyware")), and also taking into account that the most used browser problably won't add this option for the moment, I wonder how many websites out there will go this way instead of keeping their old trustful redirects.

There are some interesting parts done in WhatWG, but I don't think that this is one of them. If the webmaster can't trust that it will work even if the feature it's in theory supported by the browser I think that they can't trust it at all and so they need to keep their old workarounds.

Of course I don't have the data to know about those websites that you mention (but I absolutely trust you), but IMHO, there are other bigger problems for the webmasters that just some pinging.

med, actually I believe you are inventing your privacy concerns. such tracking can already be done today without any javascript or cookies, using very standard features. this will only make it easier to separate the server to ping and the link destination.

OK. The reason I ask is that such HTML extensions always used to be considered "bad" by the open-source and pro-standards community. I don't really see what's different now, just because there's a working group coming up with the documents.

Med, even if it's not in a W3C specification, it's still documented and thought-out in advance by WHATWG. The W3C doesn't have to be the only influence on the web.

If I understand this correctly, this removes the need for redirect servers. So for every link, a ping to another url (for tracking purposes, is there anohter purpose?) can occur.

If that's the case, I don't think you need to justify this feature. Further, I'm not sure what UI you would present. People don't get notified now when clicking on a link that it's being tracked.

Redirects are a waste of time and putting a pref to turn this feature off would discourage web sites to use it.

This is entirely behavioral and should be handled with the DOM (JavaScript), not HTML. The WHATWG has produced some interesting ideas, but this is not one of them.

No one has mentioned what I consider to be the crucial difference between redirects and this "ping" thing: namely that redirects can be seen by the user -- they are aware they are happening. This ping thing will not be visible unless one examines the source code of every site they visit before clicking on links. Furthermore, simply informing the user that something is about to occur is not satisfactory unless the user is given the option to opt out without denying them the ability to follow the link. If a user is denied the ability to follow a link because they do not want to share their browsing habits with a third party, I think that will drive people (myself included) to use IE, which will have instantly become the more privacy-respecting browser.

I do not think that a site admin's concern about the slowness of their links is a valid reason to hijack a user's networking stack to notify arbitrary servers of their activity. If the site's admin doesn't like the redirects making their links slow they can remove the redirects.

This has too much potential for abuse. It will be uniformly rejected by the user community.

Maybe this should be limited to the current host, as for XMLHttpRequest.
If this is the case, I see no potential for abuse.

And of course the user has to have the option to disable it at all.
If this is the case, I don't think it would drive anyone to use IE.

My comments as a user:

I do not like beeing tracked as I surf the web. I really do not see any advantage from my (the users) point of view if the "dirty work" is now done in the browser instead of the website!

If "some very popular websites" ask you to disable pop-up blocking will you do so as well???

med,Matthew Wilson: canvas is not a standard, XMLHTTPRequest is not a standard, and so on. Did you scream for those ones?
A standard is not a standard until it becomes a standard. The W3C has _totally_ dropped all evolutions of HTML 4, and XHTML 2 is probably one of the best definitions ever for 'stillborn'... The Web can't wait.

"This has too much potential for abuse. It will be uniformly rejected by the user community."

No it doesn't. It has exactly the same (or less) potential for abuse than redirects, since the links are less likely to be obscured.

Are you honestly saying that you think end-users notice redirect links, deliberately copy, paste, edit and then navigate to them? Nobody does this, it's inconvenient and slow. Being able to turn off a similar but more user-friendly mechanism should satisfy the tinfoil hat wearers (who presumably also disable referrers).

> No one has mentioned what I consider to be the crucial difference between redirects and this "ping" thing: namely that redirects can be seen by the user

No one that is except Darin in the original post and comments 1 and 3. Users will be notified of the site they are pinging.

> If the webmaster can't trust that it will work even if the feature it's in theory supported by the browser I think that they can't trust it at all and so they need to keep their old workarounds.

Yeah, this discussion happened on the WHATWG mailing list. Basically it amounted to this feature being a tool that sites can use to implement a common thing in a less user-hostile way, if they so choose. The theory, which apparently at least one large web marketing firm agrees with, is that being trasparent about collecting advertising data, even if users can disable the feature, is better than doing so in one of the confusing ways that people do it at the moment (e.g. by performing a redirect so the staus bar points to the redirect URL and not the infinitley more useful final destination).

Jerry: I think most people don't notice redirects - and even when they notice them, they don't consider them harmful. (header) Redirects can't be disabled, because this would break website functionality. They aren't reported because the user doesn't want to be bothered with it in the first place. Redirect urls can easily obfuscated, so the user can't figure out if he will be redirected when clicking on a link. Now, why complain about a new feature that has the same implications for end users, but a lot of advantages also?

This is about speeding up the users web experience, reducing server load and internet traffic on the whole. I'd rather see a well-thought standard that accomplishes this than redirect pages.

While I don't really see how this is any different from what's currently available, I can see that some people would be (and are) concerned.

I like the idea of it only being available for the originating host. It's a source of annoyance that I can't copy links from sites that use redirects (google, particularly) without manually stripping off the extra junk. It's also annoying that I don't know they're there without manually checking links, so this idea has a chance to do some real good.

There's a precarious balance here between the needs of users and the needs of website operators. Take too much away from either side and they just won't use the feature.

Matthew: The difference between WhatWG work and non-standard browser additions is that WhatWG features are discussed in public, in a place where anyone who wants to can watch and contribute, and that three of the four major browser manufacturers have said they will implement it and are involved in its discussion.

rebron: On the WhatWG mailing list, Hixie said Also, at least one of the biggest Web advertisement companies would rather let a user go to the target site without tracking them than track them against their wishes ... (I would consider my source on this matter reasonably authoritative.). I find that a bit odd myself, but if their data tells them that's the way to go, I can only be happy.

Herorev: I don't agree--I think it's correct being in markup--but you should bring it up on the WhatWG list.

Jerry: Users will be notified when clicking on a link pings other servers. That's in the spec as a SHOULD, and as Darin explained it just isn't implemented in Firefox yet. Furthermore, also as Darin explained, under the current system if a site wants to they can easily make it so the tracking is hidden. The end result is that anywhere this is used the user experience is improved, and nowhere is it degraded.

Dao: Limiting it to the current host would be impossible. Take for example google ads on websites: google is the one that needs to be notified, not the website hosting the ads.

I must agree with Jerry here. This is no better than what Google used a while ago. They used javascript to load an image in the background, effectively tracking all clicks on the results page. This is something you browser makers should protect us from, not make easier. If you decide to implement this I want to be asked with a popup every time someone wants to ping from my computer. And don't make it another one of those "Yeah, always allow this" options.

Just because websites are already using tracking mechanisms, it doesn't mean that the Mozilla Foundation should help them to do so.
Moreover, adding arbitrary attributes to the HTML doctype, sounds like Ms vs Netscape to me. Please don't repeat the mistakes of the past. If you don't like HTML, please come up with a completely different format, don't try to hijack an existing one.

Sounds interesting to me. Wouldn't expect an option that let me turn off pings. Also perhaps some visual indicator for ping links so no one has to install an extension.

In the interest of privacy, this function is user controlable right?

Mozilla has critical bugs open like this one:
https://bugzilla.mozilla.org/show_bug.cgi?id=242207
and they start adding more spyware in the meantime.
Konqueror/Safary is a pretty good alternative.

So how long until there's an extension or a greasemonkey script to strip this out of the link code in the pages?

I agree that it should be limited to the current host and or the host to whom one is being directed.

Also, how will this affect encrypted connections and requests?

I'm not at all sure i'll continue to use Firefox if this feature is a standard component...how is this disabled in an environment where we centrally administer hundreds of machines? User concerns over privacy and security were primary in our decision to make the switch from IE even though most casual users prefered it. Legit or not, the appearance of similar privacy issues with Firefox would be sufficient to erode user confidence in the product. If i can't disable it, I'll likely just let people go back to IE rather than try to explain the redirect thing. Users just won't get that and won't care.

Doesn't this bring up a potential misuse in DOS attacks?.

If this is enabled by default in Firefox, I will immediately stop using Firefox and go back to IE (already done it). Make it optional for users who actually desire the performance benefits.

"namely that redirects can be seen by the user -- they are aware they are happening."

In theory but certainly not in practice. Most are too quick to be seen.

Jerry, how are redirects visible to the user? They may see the URL in the location bar change for a fraction of a second, but very few real-world users notice, realize what is happening, or care.

This standard is similar to the wiretap features that router companies were adding to their routers to improve the ability of law enforcement to do wiretaps. People can already do these things today (clickstream tracking and wiretapping), but solutions to do it are poor, they break easily and have potential privacy issues (such as the difficulty of wiretapping a network connection without seeing a lot of traffic from 3rd parties you don't intend to monitor). Existing solutions perform poorly and are fairly kludgy. All this does is create a clean, performant and thought-out way of accomplishing what people are already doing.

Dao, why would it matter? I can use a standard link tag to send someone to a site/URL that is outside of my security context today without this standard. That's sort of fundamental to the web. So, today, the means exist for doing clickstream tracking like this across security boundaries. Why would someone want to use a technique like this crippled in such a way? There's no security benefit to doing what you're asking. It's just a hit, after all. The page doing the linking (or pinging) isn't actually fetching data across security boundaries. There's no security issue here.

P.S. Your website is about to be Slashdot'd.

Considering some (many?) organizations block ping at their border routers, such a feature would be rendered absolutely worthless.

Jerry:

Do you have the option to opt-out of current click tracking schemes? Perhaps if you're willing to copy and paste the URL, editing out the redirect script. That is, if you're lucky and the site uses the full URL in the link and not some ID number that doesn't tell you anything.

This sort of thing happens on the web. It's being used on lots of major sites, and I doubt anyone is taking steps to opt-out currently. A standard, declarative way to implement the feature will allow for user notification (and possibly an opt-out method) as well as remove some of the performance penalty incurred by current javascript or redirect script implementations.

I'm also concerned that this goes too far with regards to privacy, since as explained in previous postings "ordinary" redirects would still reveal themselves in the URL bar whereas in this case it would both be hidden and optionally even a multi-server ping.

The very least that should be done is to have a well-visible notification in the status bar or, alternatively, a very obvious hint directly at the hyperlink that this is a tracking link (a tinfoil hat candidate would imagine this e.g. being a nice "spying eyes" icon directly beside the link which would also display further explanation via tooltip if mouse hovers over the eyes).

This should NOT be enabled by default and IF it is enabled, it should ask the user if this behavior is actually wanted before the first ping attribute is actually processed. This has major privacy and performance issues. Why the hell did they implement this draft crap instead of getting the missing actual standard CSS features right, for instance?

Whenever I read WhatWG I'm horrified. Their ideas always include some junk that is not necessary, because the W3C specs already allow the desired functionality (I'm thinking of <canvas> here), but actually implement a clean separation of content, layout and functions. The WhatWG ideas seem to stumble back into the feature-wars of old every single fucking time...

I'm actually ashamed that both Mozilla & Opera are part of this. Please, implement full W3C first, and, if you really feel the need to include this era's <blink>, then at least give me the option to turn off any non-standard tags. Do not return to the painful days of "designed for", please?

When exactly will this release be available to the community? I need to know exactly when to stop recommending firefox to my users.

I hope you guys have implemented "pings" so that they can ONLY GO TO THE ORIGINATING SERVER. It least with redirects the user can have some assurance that the link is going to a site that they legitimately consented to viewing in the first place (and have agreed to privacy policies, etc.).

Great, all I need, DoSing attempting from my browser and the lovely privacy invasion that youve just compiled into code. Getting people to move to Firefox is hard enough and its going to decline once the media jump on the "Alternative to Insecure Browser trounces your privacy"

Rethink it, do yourself a favor

In order to get around the critical mass issue, a javascript could be created that detects whether or not the feature is available.

If available and on, the script would do nothing.

If unavailable, the script would process the document and transform <a href="blah" ping="ping?url=blah"/> into <a href="ping?url=blah&forward=true"/>.

If available and off, a respectful script would do nothing. Clearly, there is also the possibility to force the behaviour.

Perhaps the WHAT WG should develop this compatibility script themselves if they want to increase adoption rates.

I was wanting to create a personal bookmarking site and this would solve my problem(without using redirects) so all I need is access to the originating host. Block it from going to other websites sounds like a good idea.

There are two aspects of this feature that need to be addressed. Some have asked whether there will be a UI so that the feature might be turned off. The problem with this is that most users will opt to turn the feature off thereby forcing websites to continue their old way of using redirects rather than the ping backs. So you can't build in an option to turn the ping attribute off.

However, the other issue is making the web browser user aware of all the URL's that will be pinged when clicking on a link. There must be a way to list all the URL's that will get pinged. One possible way would be in a similar manner to the current way that all the RSS feeds are listed in a small pop down menu in the status bar. Not giving this information to web surfers is simply an invitation to spammers and phishers.

Good idea, Dao ... while that limitation of XMLHttpRequest is not impossible to work around, it does require the hosting site to support some sort of proxy service for requests. ... and lets face it ... once the data makes it to the hosting site, they can really do with it what they want.

As to a disable option, if it doesn't exist in the normal config options for Firefox, it will exist as an extension in ... 3 ... 2 ... 1 ...

In today's Firefox trunk build (about:config)

browser.send_pings is set to true by default.

Seems like yet another avenue for denial-of-service attacks, too. All I have to do is get a ping attribute on a reasonably popular web site to point to other places I want to bog down with network traffic.

And Just out of curiousity, how _would_ one disable this 'feature' if one _was_ concerned about privacy?

This feature is privacy-invasive and should be disabled by default. If the user clicks on a ping-equipped link, Firefox should inform him that a ping is desired and how to enable the feature (either generally or just this once). Privacy on the web is troublesome enough as it is. Please do not implement features like that without clear consent.

Richard, you are confusing "ping" in this context with an ICMP echo request (typically generated by command-line "ping" programs). This feature does not generate ICMP messages. It simply requests that the browser perform additional HTTP requests against the "ping" URLs. All traffic is standard HTTP traffic and there should be no new firewall implications.

I like the idea. And there should not be a user override. But the links should be restricted to the current host to prevent malicious behaviour. Very useful!

No web-browser on my desktop will ever honor such a "ping" attribute. If that means, I'll stop using Mozilla... so be it.

This is being touted as potentially reducing server load and improving the user's page load times. But user's also don't like to be tracked, and want to discourage servers from doing so.

From this perspective, it may be more desireable to make redirects even slower and more server-side intensive than they already are, so as to discourage servers from implementing such features. Such a policy would potentially improve user's page load times and bandwidth consumption as well, since servers would not do redirects as often.

The proposal's justifications seem a lot like saying "if you can't beat them, then just give them what they want."

browser.send_pings
There you go...

I use Firefox because I trusted the Mozilla team not to do this kind of thing. I do not want my surfing to be tracked and I do not like Mozilla making it easier for that to happen. A bad call by someone. Perhaps evidence that Mozilla is becoming more subject to commercial pressures.

Oh please, don't even try to use the inclusion of the non-W3C standard XMLHttpRequest as justification. XMLHttpRequest was there to allow mozilla to match ie's functionality in a lot of places, with a clear benefit to the user.

This "ping" extension has a clearer benefit to tracking sites, advertisers, and a somewhat stretched benefit to users of "well your destination page will load faster". I find it amusing you want to use faster page loading as an excuse, yet the already enabled preloading can of course slow down page loading due to strain on a server.

It's somewhat embarassing to read the claims that were made for Firefox with regards to privacy then to now look at this, enabled by default, and the lack of p3p support. How very Microsoft of you.

Please don't do this. This can already be done with Javascript, which is where behavior belongs.
Standards are meant to be agreed upon standards not "Hey, maybe if we add this feature everyone will think it's great and it will become standard."
Don't you see that this is what fueled the browser wars? You add 'ping' MS adds 'touch' and eventually somebody in the MozFound says "Wouldn't it be spiffy if we had a tag that would make text flash? Some major websites requested it!"
This is a very slippery slope. Please, let's just not do this.

It's in the DEVELOPMENT version of Firefox only. And it can be disabled by the user simply by changing the preference:

browser.send_pings

There is NO guaranty that it will even make it to the released version. This is just sensiationalism.

1. seems like this is yet another of a long chain of features being added to web browsers without due consideration of the privacy characteristics...going all the way back to cookies. just because a few people think that this is a good idea doesn't mean it is a good idea. it's fairly easy to identify something new that has a benefit; very difficult to understand exactly what implications that new something has for privacy.

2. even if there are already other ways to harm a user's privacy, this doesn't justify adding another one. that's like using a previous accidental error to justify deliberately making a new error.

Jerry, how is simply informing the user not satisfactory. As you mentioned, currently with redirects the user can see that it is a redirect, at least to some degree. Yet, the options are still either click on the link and go through the redirect or not click on the link.

Should this then not be enough in the case of the ping attribute - showing the user that some sort of tracking is going on, and that's it?

I personally think that while this does have the potential to be abused, in its current spec, the ping attribute is no different than redirects in terms of the user being tracked. It just seems to be more 'anti-privacy' because the tracking is more apparent to the user than in a redirect.

All I ask is that there be a way to turn it off. I don't care if there's a prefs UI or not, as long as I can go to about:config and disable it I'll be happy.

That said, I probably wouldn't actually disable it, but I want the knowledge that I can if the (perceived) need arises.

Add this feature and everyone will either:

1. Disable the feature if its possible.
2. Patch Mozilla to disable it (and suddenly, you are going to loose all the tech-savvy users).
3. Go back to MSIE or Opera.

I, for one, don't give a flying fuck on what "several big sites" want. If they are big, they can afford to add the infrastructure to solve the problem in their side. I'm not interested in notifing nobody of what I'm doing.

They are *NOT* your users, I am. And it will take me like..5 seconds to get rid of the firefox if you end up implementing this kind of crap.

> Doesn't this bring up a potential misuse in DOS attacks?.

Get at a few popular sites' index page (slashdot, digg) and introduce a few ping's to a site you don't like. ;)

I just can't grasp people that scream at spyware or anything else. There are plenty of cases where I can see abuse, but this is not just one. So I beg people that scream around here to give me an example of HOW this feature could have ANY drawback to the user than using javascript redirects.

Sam Gentle, the thing is here, nobody takes away anything from any side. Webmasters ways are potentially easier, user clicks are potentially faster. It's a Win-Win.

And those screaming after privacy just are blind to see that this will induce no change whatsoever to what their browser do, but fasten clicks.

Well... Please don't tell me I'm wrong. Show me.
Posted by:

I like this idea. While I believe it's use won't be as widespread as it should be, I believe it will, at the very least, make the web a little faster from the user perspective.

It also sounds like this feature will actually help those with privacy concerns. If you can turn it off, then those 3rd party sites don't get notified. At the moment, you can't really turn off the redirects. Sure, for those that use the onmousedown event, turning off javascript can protect you from that, but other sites just plain redirect. And, of course, you can copy/paste the "real" url, but that's impractical for the normal surfer.

As for the notification, I think a notice on the status bar is more than enough. Perhaps have a popup the first time a ping link is clicked on. Allow the user to disable the popup notice (and give the user the ability to say no on the popup).. Similar to the secure popups that appear when you first install the browser. And the user can just disable the feature in the settings, why bother popping up every time?

First, I can totally see the value of this feature. It allows me to browse faster (assuming the ping is sent on a low priority background thread). Second, it seems the privacy issue boils down to two things; I should be able to disable anything that makes it difficult to know what my browser is doing (like JavaScript), and anything that is not easily disabled should clearly inform me of what it is doing. Add pings to the status bar (as you mention you intend) and I will like it. Do not and I will not.

I guess I have to switch to Opera now.

Folks, thanks for all the great feedback on this feature.

I want to point out an interesting detail that I left out of the original article: namely, that it is possible to implement something like in IE by exploiting a bug with the way "(new Image).src = ..." works. An image loaded that way actually runs to completion even if the user has navigated away from the website that initiated the image load. Websites use that trick today with IE for click-tracking.

I can't see this ever actually working, because it needs to be universally supported and never disabled.

An alternative might be to turn the idea on its head - instead of having a ping attribute have something like a redirect attribute and the href would be the page that is pinged.

If the browser doesn't support 'redirect', then the href will be loaded as happens now, and will then forward the user on. If the browser does support redirect, then it will load the redirect page to the user and silently ping the href.

It still relies on the browser being honest - it could just go to the redirect without touching the href - but it means that browsers without this feature are still tracked.

This is a bad feature. It should not be included in Mozilla or Firefox. If it must be included, it should be disabled by default. I will not use any version of Mozilla or Firefox in which this feature is included and enabled by default. I would support a fork of the Mozilla source if there is no other way to stop the adoption of this feature.

A commenter writes: I think most people don't notice redirects - and even when they notice them, they don't consider them harmful.

Some data.

There are at least two FF extensions to remove or notify the user of redirects. According to addons.mozilla.org, the one has been downloaded 51,346 times, the other 35,665 times.

a third extension, to de-obfuscate links, has been download 10113 times.

Ugh... people are so ignorant. This is not invasive. Every major website already tracks every link you click, this just makes it slightly cleaner and faster for you as an end user. The website you are on has every right to know what you are clicking, they are afterall providing a service to you, and often times for free. Currently such tracking is implemented with redirects, or javascript, or other ugly implementations. This will speed up your browsing experience and actually let you see where you are going when you click a link. There are so many methods implemented already that allow you to be tracked its not even funny. This is no different than putting 1x1 transparent pixels on a site, 1 pixel for every site you want pinged. Stop being ignorant people and stop being paranoid. If someone knowing what link you clicked is in any way detrimental to you then you've got far worse problems.

-Steve

"Are you honestly saying that you think end-users notice redirect links,"

The answer is YES. And frankly, if I'm not given the option to turn this off, Firefox will no longer be my browser. Period, end of story.

I started using Firefox specifically "because" the developers seemed concerned more about the end-users than the website developers (of which there are more who would abuse this feature, than those who would honorably use it in the spirit it is intended). I say politely, and with all due respect, that I think it is somewhat naive to act as though leaving this option in the hands of web site owners will not lead to abuse.

I think this will be a very useful feature.

That I as a user will have control over the ping's (even if its through an extension) is a whole lot better than having NOTHING now.

Is there a bugzilla somewhere where one could vote against this?

The way I see it, I would prefer 2 options, much like cookies: Enabling/Disabling a ping to the same site, and to a different site. I would have the same site enabled by default, because they're already tracking you with their own redirects, webbugs and cookies. Other sites can take a flying leap, and should be disabled by default.

When I use a browser on a clean operating system install, simply going a Google search alerts me with something along the lines of, "You are about to send plain text data. Do you want to be alert about this every time? [ Yes ] [ No ]" Seems so simple to me. Enable it by default, and the first time an offending link is clicked, have some sort of warning and/or option, which the user can change later if they so choose.

Of course, you won't get any warnings the first time you click on one of Google's search result links. I hope everyone who's getting ready to leave Firefox has already left Google, 'cause not only are they tracking your movements, but if you're logged in at the same time, they know who you are alongside where you're going =O

In other news, Pizza Hut locations across America may be tracking which of their locations you visit by tracking your vehicle's license plate number ;) [Never mind if you live outside the states, or don't own a vehicle.]

a very useful feature for all hackers and spyware fans eh? not for us the end-users though. lose it..

You say that "that this change is being considered with the utmost regard for user privacy," but it's clear that you're really trying to solve a performance problem: "The net result is that you end up waiting for the redirect to occur before your browser even begins to load the site that you want to go to."

Addressing performance is good. But nothing in your post suggests that you're considering privacy at all in the implementation of it. Just *stating* that you're maintaining users' privacy when you're actually doing something else is the way the Bush administration works, but not how open-source software should. "Hey, we informed Congress/developers/users what we were doing! Didn't you read the fine print/popup? It's *your* fault for not opting out/monitoring us/stopping us in the first place!"

It's almost as if you're suggesting there's a privacy improvement here so that you can get an appealing technical solution implemented.

Get used to it, the web tracks your personal info from the color of your eyebrows to the size of your toenails. If ping means Google, porn sites, etc, will do less javascript hacks and redirect trickery to track what they already track, then this feature is useful. However, the fact that Firefox will most likely be the only browser to implement it for a while means that websites will still have to employ all the javascript hacks as a backup, for that period of time. but hey, why not add a ping ?

If you're one of those people who won't use Gmail because you're weirded-out by ads that actually pertain to your interests then you should probably stop using the Internet :)

The reasoning some folks employ here seems to be that if other folks do bad things, they themselves should be able to introduce entirely new bad things. The famous arms manufacturer argument: Firefox doesn't hurt people, people hurt people. I hope I do not have to explain what's wrong with that argument. (In case I do: think BLINK.)

If you decide to implement a feature according to spec, one would expect you to implement the entire feature, which includes the GUI. People who click links may keep an eye on the status bar because they have gotten used to getting a raw deal on the web (this should provide you with a hint about the importance of knowing what a click means!), so the status bar seems the logical location for any feedback on the type of link you're clicking. But the address that typically appears in the status bar is situational knowledge; whereas the fact that a link leads to multiple addresses is functional knowledge, and should probably be part of the rendering of the link text or object itself.

Anyway, it is good to see that you are working on an advanced hypertext experience. Does this mean you are going to implement (or already have implemented) fat links too?

As a techincal user,(and commercial geek for rent) but NOT a developer, or fulltime website person, I can say I too will STOP installing firefox on ALL machines I service/sell/update/un-spamify
if this makes it to a formal release.
two reasons
1) Possible Privacy implications
1a) THE sense that mozilla.org NOW has sold out
1b) that they've coded a easy "idiot here" feature
2) Non-standard, ie designed for XXX again
2a) I still have to explain to people that firefox works for ONLY 90% of the websites due to the non-stand coding practices of Micro$quish. Now I have to recommmend a program that does this TOO?

End of user comments!
Putting this in, EVEN if there is a plug-in, will TOTALLY undermine the effort for foxfire to spread.
(and I've been using it before it was called foxfire too!)

I've been using Mozilla for years. I'll drop it like a hot potatoe if this is implemented.

More on the issue.
check out the slashdot discussion.

http://yro.slashdot.org/article.pl?sid=06/01/18/1427212&from=rss

important question.
If this CANNOT be disabled, users will NOT choose firefox any more

IF this feature CAN be disabled (or can be via a plug in, heavens forbit) then DEVELOPERS will NOT use this feature, except for the sleazy sites that want to trick users.
and will cause firefox Terrible publicity!

it's a catch-22 situation.

To all the people complaining about this new feature - this offers nothing new that's not already happening.
Most current tracking uses scripting but defaults to standard images (1x1 transparent gif) - thus unless you have disabled scripting AND image loading from sites other than the originating server, then your browsing will on many sites already be tracked.
The above doesn't even modify the URL in the status bar. Only in the (from my experience) few situations where tracking is done through server-side redirects, will this be visible in the statusbar (unless of.c. scripting is used to obfuscate this).

I am not convinced that this will be a useful new feature, considering the amount of features that current tracking captures (javascript support, screen resolution, operating system etc). It appears as if the "ping" will only capture the clickstream - unless combined with as much scripting as we currently have. However I do welcome the addition of new features as long as they come from an open debate and are thought through.

"I want to point out an interesting detail that I left out of the original article: namely, that it is possible to implement something like in IE by exploiting a bug with the way "(new Image).src = ..." works. An image loaded that way actually runs to completion even if the user has navigated away from the website that initiated the image load. Websites use that trick today with IE for click-tracking."

Are you saying you intentionally implemented an exploitable IE bug as a new Firefox feature?

A link is a link is a link. This 'feature' belongs firmly in the Javascript realm - not as a default browser behaviour. And as previously said, this would need to be universally supported to be of *any* value to the ones who need to need track outbound links.

I think the thing most of the people who are screaming that this is a bad idea are missing is that any information that is going to be collected by a ping, is already being collected.

I can literally think of a half dozen obvious ways to collect and share the information without resorting to a ping or a redirect:
1) log scan - I get the IP address and I can even pull the browser type if I want to.
2) use a scripting language to create the page - php, perl, whatever - all can record to some nice database somewhere.
3) Use Perl::Pg to create some bogus image and flag your information on the img src= request
4) use body onload= to open a dummy window that just loads a body onload="document.close()" statement.
5) Packet filtering on the firewall.
6) Include flash/java/activeX applet that has a 1X1 pixel size in some corner and have it report back.

In various scripts and for various reasons, I have used the first 4.

So if the browser people want to make my life as a designer easier by giving me a ping option, I'll use it if I need to track usage.

If the people with the tin hats decide that being notified that I am tracking them is too much, I'll go back to not telling them - it's that simple.

I say don't add it. From a developer standpoint, it doesn't belong in the HTML, and from a user standpoint I don't want it. Really, if it is included I don't think it will be adopted. Why would a site that already does click-tracking re-work it to use the ping attribute for Firefox when they already have a solution that works for all browsers? All this will do is hurt Firefox's credibility.

> Are you saying you intentionally implemented an exploitable IE bug as a new Firefox feature?

Of course not. I'm saying that due to a bug in IE, websites are able to make link clicks send pings. As a result, websites that employ click tracking perform better in IE from the user's perspective. My interest is in improving the page-load performance of Firefox.

It seems to me that the best way to implement something akin to this, whilst remaining user-focused (as in "good for the user") would be to extend the "Accept-Encoding:" mechanism, a la "gzip". Something like "Accept-Tracking:HTTPPing" seems workable.

That way, it can default to disabled, be enabled by the user if they're comfortable with it, be parsed by the server in order to decide which tracking mechanism the browser supports, allowing for the page to be dynamically crafted to use the old redirect-methods if needed, etc.

Very interesting.
I won't repeat the valid concerns others have expressed about privacy, the potential abuse of the feature to create DoS attacks, or the fact that it is a non-standard feature.
I will though, emphasize this. Having a third-party site track me (the "user") through the use of Javascript or whatever other means is not the same as having the very same website manipulate my browser (through the use of ping attributes).
I believe the latter has too much potential for abuse, and I do not understand why it seemed like a good idea to implement to the developers.

I built many web sites while working for a web design company. We always built our pages to be browser neutral. We checked them against IE, FF and Safari (tough to do sometimes!). I can't see myself ever coding this just for FF. I know it wouldn't bother the other clients, but all it would tell me is how many FF clients clicked a link, not how many visitors clicked a link. I use WebTrends & query parameters for analytics. This sounds like a "blink" or "marquee" tag...not very useful.

Nobody seems to be addressing what seems to me to be the most critical problem with this:

This is essentially making link tracking into a distributed application and shifting a content provider's bandwidth and CPU costs associated with link tracking to the end user without his/her permission. In essence, this amounts to donating the user's bandwidth to content providers without their explicit permission. I do not fancy subsidizing Goggle or Doubleclick by donating my bandwidth to their tracking efforts, and I'm disappointed that the Mozilla Team is so eager to have all Firefox users do just that unless they opt out (which assumes they know about it).

As far as this "feature" speeding up page loads, I don't think that's is a legitimate issue in this case. If a content provider loads up their links with redirects and their servers are too slow to deal with those redirects, then they need to upgrade their hardware rather than force me to do their link tracking for them. If they are unwilling to make that investment then their pages *should* be slow.

http://gemal.dk/browserspy/ping.php
will test to see if your browser supports the ping attribute

So I can control cookies, turn control javascript, turn off autoredirects, turn off images from 3rd party sites; and because these features can be turned off and are being abused by website tracking/marketing companies, you're implementing another way for websites to track us passively? Ridiculous.

Is explaining privacy on the internet too simple? Are we trying to make users so desparately out of their depth that they have no way to safeguard whatever privacy they may pretend to keep?

Its sad day when 'the good guys' go bad.

NO NO NO. Do _NOT_ do this. This is a privacy disaster, if implemented as described in a real product.

Yes, websites track IP addresses when someone queries THEM, but that's not what this does -- it lets SOMEONE ELSE track users, without consent of the user and possibly without consent of the website. A _vast_ number of sites are vulnerable to cross-site scripting, too, so making it easy to FAIL to filter this is a real problem in practice.

And yes, I _DO_ examine each URL before I click it. So do others. If Javascript allows information to leak out to another site (e.g., while hovering or onclick), then that's clearly a privacy defect and needs to be fixed.

Firefox is for USERS, not for MALICIOUS SITES. Please remember the difference.

Darin: Is there a special header sent with the ping request? like when doing link prefetch?

This is clearly a feature that needs strong clear definition and wide browser support in order to be useful to website creators in the least.

One vagueness that will need to be addressed is it's interaction with cookies. Are site/session cookies sent with the PING? If they are, I might consider that an intrusive invasion of privacy ... although this would be marginal at best. The site receiving the PING could still track a user's IP address ... although in this age of NAT that would be somewhat less useful to them. Alternatively, the site generating the HTML could simply add a parameter to the PING request which it could use to track users ... or build the user identifier into the base url and use mod-rewrite to do the needful. There are many ways to track a user ... which is why i say "marginal at best."

The ability to disable the PING feature would be a must. I would also suggest a configurable way to limit the number of PINGs possible out of one click event.

Clearly the goal of this feature is "improved user experience." If implemented in a site-limited way, like XMLHttpRequest, I can't see how it would add any new abilities to a malicious developer's toolbox.

Geez... It's like the great cookie debate of '96-'97 all over again.

Everyone who is promising to drop "Foxfire" unless it offers a way to turn it off need to read some of the comments already given...

I honestly don't see what the big deal is. Everytime you navigate to a page, you inform that page where you're coming from via a referrer. This includes potentially private information such as search strings used to find that page.

This allows for websites to track not where you're coming from, but where you're going to. Everyone already does it via referrers and JS image handling, so why not bring it out in the open?

I seriously doubt everyone who is complaining about privacy concerns here actually disables their referrer information. Doubt it. And if there are individuals who want to disable all of these features, they can. (If they can read...)

The standards process through which this emerged is an entirely separate topic...

Google already does this with a scrap of javascript on every single search result page.

It uses the image insert technique which works in IE and Firefox.

Why can't webmasters just mimic that - we don't need special features like that in Firefox.

Is it not obvious from the comments that >>everyone<< wants to have at least a dialog to opt out of the ping thing before the browser first attempts it? Even the specification mentions this! Pleeeeeease implement it, because otherwise I am starting to have strange feelings about the direction that Firefox is taking... which is sad, given the fact that I have been using it for so long...

So, how does starting several 'ping' connections while my page is loading... make my page load faster? This just generates more traffic on the wire during the time my page is loading.
Not a good idea in my opinion. At least add the option to disable this 'feature'.

I agree that this will be too widely abused.

The scenario that comes to mind is that someone sets up a shady web site, phishing brings them the users, then the users click the links and their "ping" (and let me know if I'm interpreting ping incorrectly) is sent to a server which contains their IPs.

They then have a giant list to feed into a vulnerability app to see what they may or may not be able to do to this user.

I agree this should be a javascript coding item, not HTML. HTML is for presentation.

I'm sure the Chinese government is going to thank you for this feature; but, not those dissidents who are going to now be more easily tracked using your “improvements.”

I’m sure those dissidents will think quite kindly of you as a Coke bottle is being shoved up their ass because they were tracked to a “non-government-approved” information site.

Please keep up the good work and go to the nearest Chinese consulate to collect your medal. Good job! Really!!

First Cisco IMPROVES their routers to work more “efficiently” with Chinese firewalls, and now this! You sure have come a long way baby! Although, I must say that I do not care much for your chosen direction of travel.

I like it. It will enable websites that do referer-tracking now to improve the user experience for browsers that support ping by using the same webpages as before with the addition of 10 lines Javascript that converts all links automagically to use the ping attribute therefore speeding up the page loading. All others will get the slower referer-type tracking.

Just my 2 cents after reading the whole lot of comments above:
(1) Some, or most, actually, people posting above need to check their assumptions. Tracking is NOT a good thing, unless the user has explicitly opted in. Tracking must be justified, the user must be aware of it and willing to pay the price (in cash as a subscription or in loading time).

(2) The justification in more than a few posts above is “it is already being done” is completely bogus. Please when considering whether to implement this in Firefox DO NOT ASSUME that everybody is happy with tracking, and nobody is doing anything about it. Several ways to circumvent existing tracking methods are outlined above, and I would argue that they are being used by people who care. Do not make life more difficult by providing yet another method of tracking.

(3) Regarding people who do not care whether they’re being tracked or not – the fact that they do not care (at the moment of actually clicking the link) IS NOT sufficient justification for tracking. They may start caring a second after, but it would be too late and the damage (real or perceived) is done.

(4) As far as my limited understanding goes, currently sites, big or small, must incur a penalty for tracking link clicks. It is a combination of increased server load, possibly increased investment in programming the tracking mechanism, and last but not least, increased load times for users, meaning increased chances of losing users to other sites offering the same content. Removing that penalty with no added benefit to the user (in addition to faster loading time) will only MAKE MORE SITES EMPLOY TRACKING. Which is not where I want to go.

Short version – No need to provide new ways to do an inherently bad thing. Especially if doing so would cost less to those actually doing it. Lower cost will mean more sites actually doing it. Tracking is just bad, and more of a bad thing cannot be a good thing. Period.

Edit: In response to a post (Posted by: at January 18, 2006 08:46 AM) which appeared while I was writing this – I absolutely DO NOT want to make life easier for a webmaster who want to follow my habits. Revealing my habits/preferences/etc. costs money, and I would very much to retain the option to be the one who decided whether the content of the web site is sufficient payment for that information. You, the webmaster, have no right in taking that option away, anytime. You, the webmaster, have the option to use whatever methods available to you to protect the content and only reveal it after receiving the requested info from me. I, the user, should have the option to decide whether to visit a site that absolutely requires that I reveal personal information. No side should have an option to override the other side’s decision.

PS: Sorry if this is too long...

I say cut it. Why?

1. It's nonstandard HTML. -- As mentioned elsewhere, from a standards compliance perspective alone, this is a bad idea.

2. You can already accomplish this today with JavaScript, *without* redirects. -- Ironically, this is used as an argument in support of this feature. This is a red herring. If sites can already track me today (which raises legitimate privacy concerns) then why is it that I should *not* worry about a feature that only makes this easier? How about we focus on *addressing the privacy issues* first before exacerbating the problem in the name of efficiency?

3. It will hurt the credibility of Firefox as a safe alternative to IE. -- I think this is actually the most important reason of all to not pursue the development of this feature. Regardless of *actual* security/privacy threats, the responses in this thread alone (as well as the /. article) show that opinoins vary widely. Spin will occur on both sides and invaribly press will be generated (rightly or wrongly) describing this feature as a privacy threat. I fail to see how this can help Firefox under any circumstances.

I'm about to release a NoScript version that will remove the ping attribute on the fly from links clicked on untrusted sites and include a UI pref (not yet implemented in Firefox, don't know if planned) to disable ping globally.

The second this feature is in a relase build of firefox is the second that I uninstall it from my machine. Deal with that.

> My interest is in improving the page-load performance of Firefox.

And my interest is to protect my privacy. Therefore I do even download and install performance-lowering Firefox extensions.

Think about it.

That's my personal trade-off and I'm happy with it. I ask you not to force me to embrace your trade-off, i.e. less privacy but better performance. And I promise not to interfere with yours.

Simply make it opt-in.

I hope this doesn't end up being another one of those 'dirty fixes' that MS so love to use in their browser, which years down the line will once again present web designers with cross-browser developing headaches. I don't mean to say that W3C is perfect, but it just sucks for web developers that they can't pick one standard and stick to it.

What a terrible idea. HTML is a standard maintained by the W3C, not by WHATWG, Mozilla, Microsoft, or anyone else. Haven't we learned anything?

I personally don't like being tracked on the web regardless. I never signed anything giving anyone rights to do so. Re-directs are a pain (unless legitimate, but still should be notified). Pop-ups are annoying (and usually useless). I think it is best to stay away from Microsoft's trend. They have always left "doors wide open". When a need arose, (and alot of public attention) then they would release patches to close down certain aspects. I believe the best way is the exact opposite. Have everything shut down by default, and then 'open' up ports/features as needed. Defaulting to "on" takes away an individuals rights to choose. Open source has always appealed to me because I have just that, "the option to choose". Perhaps this feature would best be done by having that in your "preferences menu" with a description (disabled by default). Perhaps even as new features are put into the later browsers, it will launch a wizard on first initialization asking you to configure some of these settings.

When a browser implements stuff sneakily, arent the developers aware of the alarm bells it will create, specially among the technical folks ? And such privacy-oriented stuff should be well publicized and easily disabled if needed if you dont want to incur the wrath of the community.
Think of how many commends you would have got if you had gone about this the right way instead of bowing to some big web sites money and surreptiously inserting this change. This just might be Firefox's Waterloo.

I'm not sure I've seen any good reason for why this should go in. This isn't about what the developers want, but what makes sense in the spec. Ping does not in any sense, except to those wishing to exploit it.

>>I think the thing most of the people who are screaming that this is a bad idea are missing is that any information that is going to be collected by a ping, is already being collected.<<

I must have missed the part where I was asked to volunteer my browser's active participation in this new form of data collection. Most of the others you listed I can choose to opt out of, by one mechanism or another.

What an Appallingly Bad Idea this is. So isn't this just another example of an organization Selling Out. There is no benefit to the user for any of these tracking mechanisms. They all violate a basic tennent of openness, don't they??

The whole set of mechanisms that track users seem to be based on an unwarranted attempt to create value (read $) for what are otherwise valueless items. The value of the ad to a company is the resulting purchase, not the number of people who look in the store front window. The value of the number of people who look in the window is to the window creator who can then show they are deserving of a higher fee. So neither the product seller nor the shopper benefit from any of these mechanism.

Thus having shown that it is the store window designers that benefit from these user tracking mechanisms, it is not surprising that the world of online advertising wants to increase the value of their activities. What is very appaling is that Mozilla has decided to do yet another nefarious tracking scheme and they are doing it without even letting users opt out of it.

This whole process of user tracking is built on closed loop group mis-thinking. The need is rationalized because others do it or there is another way to do the same thing. Rationalizing a bad idea based on other bad ideas does not prove righteousness. This whole situation degrades FireFox and Mozilla. It certainly seems to demonstrate that there needs to be CHANGE in both the staff and management for Mozilla. Don't you all ever talk with regular people or do you only feel comfortable in your world of closed group think.

Now I haven't posted here before, so if this is too long, my apologies. But this new "feature" is another serious error being made by what was thought to be an upfront organization. Where can we go to get a browser built for users and not built as yet another exploit. It doesn't look like we can recommend FireFox anymore.

If Opera is also in WHATWG, isn't it logical to assume that future versions of Opera will also support this?

So, the only benefit to me as is a faster page load? Nope, not worth it, my internet is already fast enough, thanks.

Don't sell out and don't add it....Firefox doesn't need the bad publicity.

This is a no-no for mozilla

No need to stick your nose in the air and go to Opera or IE, just switch (back) to Mozilla Suite.

Gang,

From a privacy policy standpoint, there is a world of difference between exploiting "tricks" for user tracking vs. building them into browsers as standard features. In the current privacy-invasive environment, while we have to deal with the former case by case, there is really no excuse for the latter.

Given that most users stick with defaults, any policy other than disabling such a new "ping" feature by default would be unacceptable from a privacy standpoint. Efficiency and "golly, there are other ways to track people anyway" arguments are utterly specious.

As it stands now, turning off javascript and carefully noting URLs (I usually notice oddball redirect URLs when present) are indeed of some value in controlling certain classes of tracking abuses. We do not need an even more invisible mechanism built into what has been (up to now) an excellent browser.

Limiting the "pings" to the same server does not solve the problem -- abuses of this feature are just as possible (even more likely, actually) using the same server.

That the development team would even consider enabling such a feature by default suggests a tin ear when it comes to privacy issues that will be worthy of considerable ongoing concern (an earlier example is the page prefetch feature enabled by default which also carries significant privacy risks). A clue to fuzzy thinking in these regards is talk of setting the default differently in Firefox vs. Thunderbird -- creating a privacy policy variation with no obvious rationale.

I urge the parties involved to reconsider their support of this "URL ping" feature as described, a feature that I can guarantee will bring Firefox under intense public criticism.

--Lauren--
Lauren Weinstein
lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
- International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

Ben Basson wrote: "Are you honestly saying that you think end-users notice redirect links, deliberately copy, paste, edit and then navigate to them? Nobody does this, it's inconvenient and slow."

I notice them, and the redirects themselves are slow. I solve this with the RedirectRemover extension. There are also a couple of Greasemonkey scripts that do the same thing.

You can argue all day that users are tracked already. But from the comments here, it's clear that this would be a public relations disaster for Firefox. If you implement this feature, don't be surprised when the marketshare drops, alarmist news articles crop up all over, and people start talking about a fork.

It's not just about what makes sense technically. It's also about people asking whose side you're on. Firefox right now has a reputation of being on the side of the users and doing the best it can to protect their privacy. That's part of its brand. Screw with it at your peril.

It's a shame.......... just when Firefox was taking off, they go and shoot themselves in the foot.

It doesn't really matter if this is Privacy Invasive or not, the fact is 99.99% of users don't understand the web in the first place, and when told that Firefox now sends Pings somewhere when you click on a link, they see it as a Privacy issue.

If Firefox implements this as a standard feature without a easy way to disable it, then it will start losing market share, and once again IE will not have any competition for the end user.

I'm am very concerned about privacy implications of the new ping attribute. I don't think this has any place in Mozilla. And while we are at it, we should remove that pesky href attribute too.

Steve wrote: "The website you are on has every right to know what you are clicking"

That's fine by me - so as others have suggested this feature should restrict the ping URL to be at the same site as the current page.

If a site owner needs to notify third parties of links clicked on their site, put the onus on them to trigger a background GET to that third party from their own ping URL handling script, *not* from my browser!

One thing to think about here is Firefox is able to set the bar on this right now. If they implement this feature and set the privacy and user notification bars high. MS will be forced to meet that standard with IE7 -- they are playing catch up.

Pings are not "bad" for end users -- if anything it would be nice to have one way across all browsers that work. Sites will do this some other way if this feature is not added. They are right now. With the new feature we can restrict the pings to the source site or have many differnt options for security.

From a previous post:
"And, of course, you can
copy/paste the "real" url, but that's impractical for the normal surfer"
So, why not give us an option to do that automagically instead of this ping-shit?
Most of the dirty tricks in use, I can already filter out with something like Proxomitron/privoxy etc. I guess I can filter this shit to, but why should I have to in the first place?
Fuck this, Firefox goes the way of the browsersauri. When will somebody start a new project to build a browser for the USERS???

"My interest is in improving the page-load performance of Firefox."

Yeah because *everyone* is bitching and moaning about that.

It really doesn't matter what technical merits this may or may not have. If Microsoft can get the media to spin this in a bad light, and they have done this several times before, then all of the hard work done to get IE users will fail.

Not to mention as a web developer, I never had to worry about Firefox in terms of standards implementation. When I develop a site, I want to be able to have one authoritative source for a format, whether it's HTML, CSS or anything else. I do not wnat to see "the core standard is available from W3C, the extended standard from WhatWG, and the new extensive standard for Mozilla browsers ..."

Also, prepare for people to claim that this is driven by Google, the world's largest web advertising company, which just happens to employ a number of full-time Firefox contributors.

Not saying that's so, I have no knowledge either way, but I'm sure I'm not the first to think of it.

I am opposed to this ping technology for multiple reasons:

1) Bandwidth usage when surfing over 3G connections to the Internet. Pings are low bandwidth cost, not free.

2) Impact on proxying. If my pings travel a different path than my actual web traffic, the computed redirection for efficiency may actually make things worse.

3) Impact on relocation. If I am travelling in Europe and want to continue watch my online movies (think www.starz.com), their servers may very well decide I am one of those icky Europeans and outside their service area. My workarounds via an ssh tunnel to a squid proxy will no longer work without adaption.

4) Growth in DNS queries and cache sizes as presumably different hostnames will be used in the listing of ping targets. If IP addresses are used instead, trackability suffers.

"The W3C doesn't have to be the only influence on the web."

Spoken like a retard.

My 2 cents: it's possible to do the same tracking without support from the browser and without using a redirect (redirect == bad).
It's an interesting idea to add support to the browser for this, but I'd first check with the people who actually use tracking to see what they really need. My suspicion is that they'd want to pass all sorts of parameters to the "ping".

We've noticed that the Nazis are using REALLY inefficient methods to kill all you troublesome Jews, so (since they asked nicely) we've worked out a much more *practical* way, which involves no work on their part -- you kill yourselves instead. Don't worry though, because we'll be adding an "opt-out" feature, REAL SOON NOW. This opt-out feature is really SPIFFY too, because once you enable it, it forces them to fall back to their old, inefficient methods! Isn't that neat! Aren't you SOOOOO glad we've spent our time enabling them to do something MORE EFFICIENTLY that you would probably have expected (and hoped) we would be working on preventing them from doing ENTIRELY? Crazy world, huh?

Ummm, guys, you're missing the point (largely because no-one has expressed it very well, but missing non-the-less). You've just removed the COST associated with doing something the USERS DON'T LIKE. Previously, yes, websites could track visitors (even across sites), but their websites were SLOWER than those of COMPETITORS who DIDN'T. There was a COST, you see. Now there is not, and a LOT MORE websites will be doing this invasive, intrusive thing, because it will no longer HIT THEIR BOTTOM LINE to do so. Most obnoxiously, you now force ME to do their dirty work FOR THEM, and take what was previously THEIR OVERHEAD upon myself!?!. Folks, just because slavery in China is "going to happen whether we want it to or not" does NOT justify us helping them make it MORE EFFICIENT...

Mozilla USED to be the browser for (and BY) users -- apparently this has changed, as the OLD Mozilla team would have spent it's time figuring out ways to allow BLOCKING the EXISTING methods of tracking, rather than making it easier and more efficient. Might it be time for a "User's Coalition" fork, to get us back to our roots? It happened with XFree86, no reason it can't happen here...

Cheers,
t.

I am troubled by the proposed ping feature/plan. I want to be able to opt out. I don't like the idea of pinging an indeterminate list of URLs, if I understand that correctly. I would seriously considering switching browsers if this were implemented in a no-opt-out way.

Maybe tracking can already be done. I don't quite understand all that about redirections. I don't think browsers should facilitate tracking, even in the interest of speeding up websites. Browsers should focus on users' interests not web sites' interests.

If a site does a lot of redirecting to track users (and then is slow), some users will go some place else quicker (that isn't slow because they are being tracked).

I firmly believe that any feature that tracks users should be obvious and apparent to the users and require opt-in.

Well so much for one opinion.
--Fr0g

Bye bye Firefox. Honeymoon is over.

I also think that this is a bug, not a feature.
By all means add it, but please turn it off by default.

On another note, what *would* be useful is to have a attribute to disable the HTTP_REFERRER. So that, if on my site, I have had to fall back to PHPSESSIDs, and I provide an external link, the external site can't steal the session. (Shouldn't target="_blank" do this too?)

Well, you've done it. Finally. What was looming in the dark now comes to light - this once beloved software is doomed and will hopefully burn painfully in hell for getting between the sheets with the wrong guys.

This is a horrid feature. I had previously appreciated the fact that the Firefox development team had the appearance of caring about end-user privacy and the end-user experience.

Sadly, this appears to no longer be the case.

I will wait and see if a mighty loud retraction is made (which, hopefully it will) and this 'feature' is yanked back out, shot, killed, and buried where it belongs, before deciding what my future browser suggestions will be.

Microsoft, et. al. WILL jump all over this, and have their cronies in Big Media do the same.
The more technical people, which have been to-date Firefox's biggest support base, will leave in droves over this.
Why is the Firefox team wanting to shoot themselves in both feet like this?

Did we learn nothing from the browser wars?

Foisting yet another browser-specific tag on the HTML-usin world is irresponsible, impolite and, well, just sooo 1997...

WHATWG had some interesting ideas for patching up the ageing remains of pre-XHTML HTML, but this attribute is ill-considered. Worse - Mozilla deploying it without cross-browser consensus (yes, IE does count there, whatever you think of Microsoft) is an act that shows no respect for the poor developers, webmasters, web designers, managers and others who will have to add this to the list of partially implemented "bright ideas" that browser engineers have lumbered them with.

What's the point of a user-tracking mechanism that the majority of browsers don't support?

Someone please tell me that Google is not behind this push. What other 'BIG' sites support FF?

Either way this is bad. If the site needs a ping back do it in Javascript, not some silly HTML tag.

I really hope this feature doesn't make it to the mainline releases, this is not a good idea at all just because Google wants it.

This feature would be a huge step *forward* for privacy, if sites implemented it, which they won't.

As people have noted, you could always strip "ping" attributes with Greasemonkey. Right now, redirects can have opaque URLs such that the real target is hard to strip out. By having a standard API---which can be completely circumvented---you can get rid of tracking consistently without losing functionality. Of course, this would be so good for privacy that chances are no site would abandon the existing method. So for that reason, this feature is probably not worth pursuing.

147 comments? Ouch.

Can anyone else commenting please consider:

1. This will not be in any public Firefox build until Firefox 3.0. You have at least 18 months to make your point, you really don't have to flood poor Darin with abuse and nonsense.

2. Try actually *reading* about this feature before commenting, you'll see that it _encourages_ privacy because you can turn it off. The current method employed by websites is entirely unavoidable.

3. This *is* opt-out. There is a preference to control it and there will be UI as well, as per the WHATWG recommendations.

4. This is nothing like the browser wars. At worst, this won't get used. At best, everyone will implement it and users win in two ways:

i. A more responsive web.
ii. The ability to turn off one form of tracking.

5. There isn't a way to block the current methods of tracking at all, because there's no way to tell that a link such as http://www.myserver.com/tracking.php?link=132453 actually redirects to http://www.mozilla.com or whatever.

Darin, I think it'd be worth your while posting a follow-up explaining this stuff in more detail... that might cut out some of the completely unfounded responses you're getting.

I think maybe I've had a change of heart.

Please remove this ping, because I don't want to be tracked easily.

Please remove HTTP referrer headers, because I don't want to be tracked easily.

Please remove cookies, because I don't want to be tracked easily.

Okay, seriously: I do agree that this should be in the function (Javascript) rather than the markup (HTML). Then again, the Javascript may use a class attribute on links to be modified by the Javascript, or use onclick-like attributes, which is still adding an attribute.

I would prefer if this only worked with an HTML 5 DTD or higher. Other parts of the WHATWG's HTML, as far as I know [with my feeble memory], replace various Javascript with HTML+browser implementation. Sadly, XHTML 2 won't even be ready for implementation until 3082, and I'm not sure if I'll still be interested in web development by then.

I believe this should give the same kind of warning as sending unencrypted form data and setting cookies should have, and if it doesn't have this warning as well an option in the preferences to disable it, it should be disabled by default in the *official releases*. Beta releases are for testing, so I would expect them to have it on. Also, I would prefer to see it disabled by default until the WHATWG's HTML 5 is close to finalization, and Firefox supports a lot more of HTML 5.

I do like all the straw men lifted in the comments here. Everyone hates the Bush Administration spying on Americans, and everyone hates the freedom-of-speech squashing Chinese government. So, let's suggest that the proposed technology, which is available today through Javascript and referrers and even cookies, would suddenly cause Chinese fighting for the right to speak out to have soda bottles used against them.

For what it's worth, I use NoScript, so I allow Javascript only for certain sites. I allow cookies only for certain sites. I do let them check out my referrers, but it's not like I visit objectionable sites, and as a web developer, I know how fun it is to see where visitors are coming from, especially when you find a page on your web site's gotten attention from a foreign language web site. (Also, I have blink and marquee disabled. But I'm a bonefide computer geek, so tinkering with software configurations and such is my thing.)

Do I believe there are people who believe they have valid privacy concerns? Yes. And some of them may very well be valid. Unfortunately, there are also the hysterical ones who may wish to switch to a web browser such as Lynx (and be sure to say "No" to cookies there).

If you're going to leave Firefox over this, try out Opera. If you plan on leaving Foxfire over this, might I suggest Seamonkey? ;) If this ping is a proposed part of HTML 5, when will Opera and Safari (and Konqueror) implement it?

*sigh* I don't even know why I'm bothering posting this comment, because the people who would actually be affected by it are the ones who have "privacy!" so firmly entrenched in their minds that they'll just ignore me. But for the small minority who will actually heed my words..

I, for one, am a developer and a user. I understand both sides of this debate, and from both sides of this debate I support this as a feature. (It's going to need careful consideration in implementation to prevent its use in DDoS attacks.)

For those of you concerned about privacy, realize that this behavior is not a privacy violation. It is bringing functionality that web developers normally go through great lengths to hide or obfuscate out into the open. This attribute will make it easy for developers to make tracking links, yes, but consider this: If it's THAT EASY to make the tracking link, developers are going to prefer it over the more-secret, more-invasive approaches that they already use, because it's less work for them.

You may see any form of tracking as "evil," but consider that this is the least "evil" of any tracking option currently available. It's visible to the user, compliant to a documented standard, and easily and effectively disabled. Denying this feature will simply continue to feed the existing methods of tracking.

If you don't want to be tracked, you've only got a few choices available to you. Disable scripting, disable images, disable redirects... and have fun browsing the Internet through Lynx. Few end users are going to cripple their browsers in order to protect themselves from a slight breach of perceived privacy. A standardized method for this would effectively and conveniently allow users the freedom of choice in the matter without requiring them to cripple their browsers.

Only the truly paranoid will jettison a browser because of this, especially if a disable option is conveniently available. Some of the other suggestions made -- attaching an HTTP header to the ping request -- will allow corporate control over this behavior, as well, through the use of firewalls.

Limiting pings to the same server is an idea with some merits and some flaws. Server-side scripts can relay the ping to the ultimate destination while still forcing that server to use resources -- deterring abuse of the feature -- and it also prevents arbitrary attackers from embedding links in pages without the ability to add such a server-side script... but at the same time it prevents the end-user from knowing WHAT the ultimate destination is and makes implementation for the web developer more complex, defeating the attraction of the simpler, better solution.

And yes, Firefox's page-load performance is currently its greatest weakness; IE's greatest weapon against Firefox is its speed.

"Ah, I see you have the browser that goes PING!"

Sorry, couldn't resist a Monty Python reference, especially since tracking consumer behavior has become the Meaning of Life on the web.

If anyone complaining would read where is coming from, what prompted it, they'd realize that a non-disable-able version of this feature is a Good Thing. Not having it is more of a nuisance than having it. Disabling it will create (or re-introduce) more of a nuisance than making it non-disable-able. Hacks that disable it for you against browser-developer designs will do the same.

Your lives are not individually interesting to marketers who collect this sort of data. Only in aggregate are they interesting. You will not lose your privacy here -- you'll lose it on that form you fill out and submit without looking closely enough at the T's and C's. Your paranoia is misdirected if something like this is your target.

Who cares if IE or any other browser already does it? We can still not like it. Forgive the American public for being a little paranoid about privacy these days (wiretaps, anyone?) and give the people what they want! Firefox should be sensitive to this. I fear this will harm your reputation-- the regular press is going to be all over this in seconds. Fix it now!

This is clearly undesirable. A Greasemonkey script can neutralize it.

http://diveintomark.org/projects/greasemonkey/unping.user.js

Who wrote the spec of using ping? This approach is bad-looking and making people feel it's a new privacy concern while it is not!

Now how about this:

Show both on the status bar. (How to show them both is another problem.) Tell people that it is a privacy improvement because we can now opt-out the tracking and be fast if we want to!

The IE image exploit still respects the P3P by showing a red-icon on the status bar. I hope that the wonderful firefox browser will also respect P3P compliance when using these "ping tags".
http://www.w3.org/P3P/

I'm against this, not because of privacy concerns, but because one of two things will happen:
1. It will not be possible to disable this feature, and lots of ignorant people will abandon Firefox, thinking this somehow invades their privacy (which does not).
2. It will be possible to disable this feature, so it will be unreliable, so servers will not use it, and its only function will be to add bloat to Firefox.

I Agree with most of the people on here, I moved away from IE because firefox was better, more secure, and less invasive. Just because there are a million ways to track a person, does not make it right to make it a million and one. tracking is a bad thing, just like jumping off a bridge. and you don't see anyone else jumping off that bridge just because everyone else is doing it.

Do the right thing, Disable this feature by default or DON'T have this feature at all.

Actually, now that I actually read the spec on ping, I'm left asking myself, "Would a list of URLs to ping when this link is follow not be metadata for the link?" Perhaps it would properly be in the HTML.

Eh, not like it would get much use with so many people still using older browsers for a long time yet. I could imagine this ping attribute being quite popular with blogs if it was already supported in all major browsers.

Oh, and if you're pinging five URLs with a click, is that really speeding things up compared to existing solutions? Seriously?

This is a case of serving the site operators' interests or the users' interests. They are in conflict here. Site owners would control every detail of browser operation if they could get away with it. Knowledgable browser users who care about privacy want, not this or that feature, but rather *control* over what their software does.

There was a similar debate about whether users should be allowed to prevent hijacking of the context menu, and Moz devs just barely came down on the side of users. Now it looks like they are starting to "sell out" users again.

Well, you have to decide who your customers are. If it's the site owners then betrayed users will migrate again. If it's the users then let's keep them in charge of what their client software does, as it should be. The fact that other sneaky tricks are used for tracking is not an excuse for another one. Instead it shows the need to turn off the sneaky tricks. There should be more user control of Javascript and remote images too, like being able to selectively turn off xhlHttpRequest, etc.

Thanks for all the fish Firefox. And now let's go to the Opera and watch that fat lady sing.

From my point of view, this tracking crap is not acceptable and as someone already wrote: If this means that I will stop using Firefox, well, then so be it.

Beware crying over this in the name of privacy. If this works as intended, (and yes, its potential success is open to much technical debate), this could shift more power from the websites/ad companies and towards the users.

Yes, if this not implemented, it will fail, but then it also wont be a privacy risk. If it IS implemented, then we, the users, now have EXPLICIT control over whether or not our clickthroughs are tracked. Right now we do NOT have such control--we can hack it with url mangling and extensions, but we dont really have it.

Don't just scream "waa i'm gonna switch to whatever" because a tracking feature might be added. Consider first if this will play out to our advantage.

I believe that it will--or at least do no harm, based on my experiences with the current redirecting methods.

And please stop insinuating that mozilla is turning to the dark side. Where microsoft takes clandestine measures to hide their potential privacy violations and writes buggy software that allows other companies to do the same, mozilla is making a bid to put it all out in the open and under our control.

All that being said, why not have limiting to local sites part of the configuration? Instead of just turning the pings on off of, allow them to be set to off, local sites only, and on.

Today, they are making use of redirects, and it cannot be noticed easily, and we cannot turn it off. That´s true.

But, just make it easier for the sites are plain stupid.

If anything will be made about that, that should be giving users more control about it, not using an excuse like "they are making it anyway" to implement PING like they say it is now.

Implement it, with DEFAULT DISABLED, and give option for people to turn it on. Nobody will complain about this.

But then, the adoption will be smal... but isn´t this a sign if it´s badness anyway?!?!?

Can there be a user option that only pings same-domain sites? --just like cookies. Otherwise, this seems to get around the javascript domain security model.

As for me this 'feature' (as well-meant as it may be) would be enough reason to make use of another browser.

Its sad to see something like this on news, even though Firefox has been my only one since the early days of development... I have had enough of this user trackings, same thing with any kind of spying everywhere with software. Makes my eyes look towards Opera, which I hope wont stabb me in back for couple years...

To sit there and tell me that this ping thing is justified because people are already doing it is the same arguement that dope-smoking teens use.

PING == My uninstalling FF

nuff said...

NO!!!!!!!

1. Tell me where in the W3C standard this exists?

2. Tell me why since I disable all of the tracking style cookies you feel you have the right to do this, just so your happy kester knows where I went.

3. I can assure you the community will fight you on this.

A redirect is very obvious and users will stop and go elsewhere if it uses too much bandwidth. These pings will allow the web site you're visiting to load quickly so you don't notice them, but will cost you real money. That's one of the big problems. It costs *us* the web user *our* money, just to help a web site operator make more money.

It should be possible for me to disable, it should be possible for me to make it ask me first, it should be possible for me to put various limitations on the uri's - eg, http only, referer only, trusted sites list only, exclude non-trusted sites, ask unless it is a trusted site, only the first uri and only if it is below a certain length, etc... Otherwise I'm sure I will be abused. Security is about thinking about these things before the bad guys do.

If it has those features, then sure, its just about acceptable, but if a site wants to track me, they should look in their logs. If they want to use information about me to make more money then it should be at their cost, with the potential security or privacy risks being their own. If a third party needs the information, they can jolly well arrange it between themselves. The only reason they want this new feature is so they can breach the UK data protection act by claiming it was *me* who gave my personal data (embedded in a ping attribute) to a third party.

Overall, I think Mozilla shouldn't be a party to this. It *will* be abused, and it *will* be hard to undo.

Some refinement of my last comment:
is better than in two ways.
1. Nice degradation
When "href" can be still the original redirect_link, the web developer don't have to write any extra javascript into webpages.
2. No more complaints
What is the privacy problem of "redirect"? It is just a shortcut.

"...Are you honestly saying that you think end-users notice redirect links, deliberately copy, paste, edit and then navigate to them? Nobody does this..." Nobody, huh? Wrong.

And Darin, "...it is possible to implement something like in IE by exploiting a bug with the way..." You're using this as justification? Isn't this the _exact_ reason we are using Firefox instead of IE?

Welcome to the world of politics, Firefox. It just doesn't matter that you're entirely correct that this is trivial to do in DHTML, you're now going to get slammed because you're giving the ~impression~ that you're supporting site owners ahead of users.

You've entered political hell. Say hi to Microsoft.

***The sites are not your customers - users are***

This is a terrible idea. the only thing you will garner from this is bad press and loss of market share. Just because 'popular sites" are asking you to add this feature does not mean you should.

Lots of comments already, so I'll be surprised if anybody sees this one, but here goes, because I have a solution. I'll ignore the fact that integrating non-standards into the browser at an HTML level fragments the web and assume that FF is going to do this no matter what, so at least they should do it properly.

Mistake 1: Calling this a "ping" is the first big mistake here. It obfuscates the purpose and gets everybody reaching for their tinfoil hats and disablement extensions.

*** Solution 1: This feature should be called (to the user) "Click-Track Accelerator" and CLEARLY and openly explain that you are being click-tracked anyway, but by using this feature (enabled by default, but see #2), your browsing experience will be faster. This is a fact.

Mistake 2: Allowing any site to do this is asking for abuse including DDOS attacks on competitors and any number of other things that were possible before but even easier now (and all look bad for Firefox).

*** Solution 2: Include in the preferences a "Click-Track Accelerator Whitelist" which by default contains "adwords.google.com" (or whoever else donates to the Mozilla foundation [just kidding]). When a new click-track ping is attempted, prompt the user to allow, deny, or add to whitelist. Also have a checkbox for "Always allow for same server" (which is on by default and lets servers do what they can do anyway, but quicker).

Mistake 3: There is no facility defined for servers to identify this capability in the client so no servers will even use this! (Mozilla -- you're not Microsoft, so get over yourselves)

*** Solution 3: Some kind of HTTP header to identify this feature should be used. See GrangerX's post on this page.

The more I think about this the more angry I get.

There should be an investigation into who profitted from this! Then they should be publically burn on the Alter of Privacy as a sacrifice to apease the Great User Gods that have been so offend at the blantant defiling of their sacrid grounds.

Glad to see that you are all waking up to the fact that the current Web has (God-forbid) shortcomings and flaws. This has as much to do with the beloved, glorified W3C as it does with M$ or Mozilla. USE AT YOUR OWN RISK.

Does this mean we scrap the Net? Stop using it? Yell profanities at Bill Gates? No. It just means that you should be aware that using the Web has risks associated with it; maybe it's time to break through the illusion of privacy. (Enough people here have already described what stealthy web developers are doing--and it's not just pr0n operators and MP3 sites, a lot of well-reputed companies are watching you too).

If the thought of being watched scares you, stop using the Web. I, for one, will be clicking on those links without any hesitation because I'm not holding my breath for a better, safer, more secure Web anytime soon.

This feature absolutely MUST indicate to the target server that the request is a ClickTrack.

Otherwise, you're basically going to wipe out the pay-per-click ad model, as bloggers and everyone else start faking ad-clicks.

Bye bye FF!

I would not touch this with a 10 foot pole.

1. I dislike the privacy concerns. While it may not be technically worse than redircets, then I still hate it.

Multiple servers and no cross site security??, hello spyware :-\ Perhaps i can use it on my site to auto-click banners and adds. woohoo my adsense income will skyrocket :)

I could go into a lengthy talk but Lauren Weinstein actually said it very well in her comment.

@Glazman: I actually avoid canvas i canvas and other non-standard stuff if I can. Yes I do use gmail, but canvas I have managed to avoid. Personally I have stopped screaming about such things, as it appears GBrowser does what they want anyway

2. WhatWG is not a standard organisation. It is a bunch of people submitting ideas..

Their website only list the members by name, not which company they work and thus monetary interests they have.

- So how can I know what their agenda for certain proposals are ?
- How can I know which browsers this IMO crap will end up in?

My second concern with WhatWG is that while some may argument that they are a standard organisation, then HTML is not THEIR standard. Thus it is not theirs to change....

I don't go writing a GPL v3b license just because even if I think stallman dropped the ball...

Thirdly WhatWG has afaik no members from Microsoft which is really bad. Have they even been invited?

Man, WTF is wrong with all of you people. Talk about a bunch of paranoid self-important privacy freaks!

Web sites ALREADY TRACK WHERE YOU GO by sending you via redirect pages that track what you clicked.

This new PING attribute just speeds up the process by allowing the notification of your click to be sent ASYNCRONOUSLY while you're redirected straight to the actual page.

If anything, this is better than the current situation as you can disable these notifications altogether (send_pings = no), something you can't do right now with the 'click-thru' method.

So what is the difference? Somebody please explain to me why this is ANY WORSE THAN WHAT SITES DO NOW??

"You may see any form of tracking as 'evil,' but consider that this is the least 'evil' of any tracking option currently available."

How about this? "Don't be evil."

Greater evils do not excuse lesser ones.

Well well. Sites are not giving up their redirects because of Internet Explorer not supporting it. Sites will not give up their redirects because they want their redirects. Sites will not give up their redirects because users could filter out these pings (with a firefox extension or a privoxy rule) and remove the trackability of their clicks. So why even have it? I can't see the reason, really.

I paid money into Firefox, and I'd pay money for a fork away from this bad idea. I no longer trust the developers. I think Google and Doubleclick and whoever else (you didn't name them) have co-opted our team.

I want Firefox to be on the side of the users, not the abusers.

One of the reasons I switched from IE to FF in the first place was privacy concerns. Another was standards compliance. Sorry folks, that's a double-time screwup in my eyes. I seriously hope this "feature" doesn't make it into the release.

Looking this over I can see 3 things immediately.

1. The PTB at Mozilla have already decided to go with this idea. The concept of "discussion in the open" is a spin tactic designed to look good while this item from a marketing company is forced down the users throat.

2. Mozilla is barely interested in the user. Sorry but having watched this and a number of security bugs that are posted ... people want fixed, and are relatively easy to fix. (cough - storing credit card numbers - cough) and the solution is "Turn it off by default in Linux and on by default in Windows" After all you all know that windows users are idiots right?

3. Up until now, like so many open source projects, this was a public trust. This concept of "shut up we know what is best", and "who cares about standards groups" is a betrayal of that trust. As others have stated you have asked for the community to deny you. And we shall comply.

Perhaps it's time that we re-examine if we even want to continue using Firefox.

You say: "Websites already do something similar in IE by exploiting a bug with the way images load."

Just because IE has enabled web-bugs doesn't mean that Firefox should follow suit. We use Forefox, amongst other things, to get away from big business and they way they scratch each others back and make deals in the bedroom.

I see you use POST to implement this. This means it shows up in my schools proxy logs (very heavily policed). What is stop someone at a popular site putting in a ping URL that pings some child pornography or goatse just for fun.

This is a huge privacy concern. It must be removed and never allowed to make stable.

Current trackbacks via onmousedown are easily guarded against with NoScript. Server-side redirects may often be thwarted by "copy link location" and extracting the payload. A last resort is to view source. Let's hope someone makes an extension to squash this real soon.

It beggars belief that Mozilla, after having achieved a stellar growth in market share in a little over a year, is considering such a mean-spirited slap in the face to the users who came on board.

As a web dev I have returned to old cross-browser coding habits in the hope that my end users will convert. Yesterday I was a Firefox zealot. Today I'm not so sure. I don't give a stuff what standards body dreamed up this nightmare, I will no longer be a FF evangelist if this goes forward.

Looks like Bill just got a free kick. Damn!

dolphinling, I believe the originating host limit meant that if the current page were on google, then google could be pinged. The target host can already see who the referrer is via the referer header or some tracking parameter in the query string.

Let's step through what happens with and without this feature.

Without:
1) You initiate a click on a link.
2) The site uses some mechanism to track that click, which involves some round trips between your computer and their server, followed by the redirect
3) The page loads

With:
1) You initiate a click on a link.
2) The page loads, while the PING list is parsed. If enabled fully, multiple sites could be contacted, involving in lots of round trips. On dial-up, the extra bandwidth could really slow down your destination page load. On broadband, there's no significant difference in speed between the methods.

So what I'm saying is... because PING offers an easier way to let MULTIPLE sites track the click, the potentional is there to hurt performance, and simplify anti-privacy tracking.

Now... if the option to disable it existed, but most people didn't disabled it, and it became a commonly used web site feature, then disabling it would be effective for maintaining privacy.

However, the 3rd party potentional sounds useless to the user and beneficial to the 3rd party. Allowing ping just to the original server would be great, but because we're talking about the static HTML already sitting on the user's computer, how can the browser really be sure that it's only sending the PING to the correct originating server?

Overall, I think it's neat to think of ideas and "features" like this, but I don't think the benefits, particularly in performance, can be realized.

As a webmaster, I don't mind this. It could make my click tracking much much easier (but then, it wouldn't work for MSIE users). It's nothing I can't already do with a HTTP redirect.

As a user, I can see some cause for concern. I think this could be eliminated by allowing the pings only to go to the domain of the current site in question (so www.mysite.com can ping clicktrack.mysite.com).

In terms of user notification, put an icon of some kind in the status bar to the left of the link URL when the link has a ping attribute (and, ensure that it stays there through Javascript window.status overwriting).

I've never seen so many stupid misinformed comments in my life.

People, the only way to stop a web server from knowing your IP, what page you viewed on their site and what links you clicked is to stop using the Web!

Shame on you, you arrogant BLINKing Mozilla developers.

All options should be opt-in whenever possible. The opt-out model is a spammer's mindset.

My Proxomitron proxy setup already kills 90% of all javascript. Flash is a no no. Cookies are session only.

Pity the slob who can't keep track of his own logon and password.

and I already deal with redirects as well.

I don't think I'll be opting-in for this one.

It's been said before, but I must reiterate this:

1) This feature can be disabled.

2) This feature allows the user to see both the URL that he or she is visiting and the URL of the tracking site. The alternative, which is in use today, is just to obfuscate the link or use hidden Javascript to accomplish the same thing without alerting the user.

3) I realize that some people think it's "selling out" to include such a feature at all, because it seems to be encouraging tracking. They would prefer that nobody acknowledge that tracking existed in the browser. This is really more of a philosophical argument, so there's no one answer to this; all I can say is that cookies encourage tracking a lot more than this does, and are an actual RFC (you can't get too much more standard, or in this case widely implemented, than that). Cookies, in fact, have no function whatsoever other than tracking in its various forms. Tracking has been part of the browser for a long time.

4) There is a related argument that goes, "Just because it's possible to do already doesn't mean we should implement it." True enough, but, practically speaking, the fact that there are other ways to do it means that this is unlikely to be widely used for a long time, if it's implemented at all. This is still an unfinished draft; the reason Darin posted this is because he wanted to know what users thought about it. WhatWG may not be the W3C, but it is a standards organization (there are plenty of others), and its chief goal with HTML 5 is to make it as backwards-compatible as possible with HTML 4. However, technically, I believe that the ping element is supposed to require the HTML 5 DOCTYPE anyway. This isn't even against the W3C, for those of you concerned about standards.

5) Threatening developers ("I'll never use Firefox if this goes in!") has traditionally not been a good way to get them to change their minds. Constructive criticism is slightly more effective, and, more importantly, doesn't irritate people quite as much.

If, in light of all these facts, people still have serious concerns about the issue, I would very much like to hear them.

"The problem with this is that most users will opt to turn the feature off thereby forcing websites to continue their old way of using redirects rather than the ping backs. So you can't build in an option to turn the ping attribute off."

Yes you can. And the user should have the right to enable/disable any "feature." The needs/rights of the user should be considered above all else.

Let us not forget that the more things you let webmasters do, the more security issues you have.

That is Internet Explorers problem. At one point, someone must have thought active x was a good idea too. lol

Assume all webmasters are a security threat. Assume all web masters want to take over your machine; then re-think this "feature."

Insanely bad idea.

Issues:
1) Privacy.
2) Argument that 'people are already doing it so why not do it too', doesn't hold weight, as many others have explained.
3) Making it easier to do 'evil' is not good.
4) It seems to be behaviour-oriented and not structure-oriented (as HTML should be targeted to). I'm willing to hear arguments on this.
5) I'm concerned that the WhatWG group is going to cause the same splinter in the web that IE and others did. This is an off-shoot 'standard'. It seems more that you should continue to push at the W3C to increase the speed of their work, once doing that does not compromise the work's integrity.

Mozilla Foundation has been doing good work. Keep it up guys. I don't agree with this feature but so far you have done good work in pushing standards and creating and awesome browser and email application. Waiting to see how your calendar work fairs.

> This is clearly undesirable. A Greasemonkey script can neutralize it.

Really Mark! I expected better. A little light reading of the spec that's being implemented and you would have noticed:

"User agents should allow the user to adjust this behaviour, for example in conjunction with a setting that disables the sending of HTTP Referrer headers. Based on the user's preferences, UAs may either ignore the ping attribute altogether, or selectively ignore URIs in the list (e.g. ignoring any third-party URIs)."

Guess what? The spec has been followed and setting browser.send_pings to false in your config file (i.e. via about:config) makes your Greasemonkey script to strip the pings obsolete.

Second, I'm still oh so very confused about why a transparent, disableble, method of tracking clicks is "clearly undesirable" given the number of sites that use opaque, hard to circumvent measures to achieve the same thing. Privacy advocates should be _thrilled_ about the idea of sites using this mechanism rather than something based on HTTP redirects, tiny images, CSS, or whatever else they currently do. If I were a privacy advocate I hope I would be clearminded enough to realise that rather than stop at the few ms of thought it requires to get "Link tracking mechanism == bad" and no further.

Add one more vote to kill this "feature." Tracking users should be hard to do, not easy.

I strongly agree that such features (and the some of these responses make me wonder if there may be others with similar impact, which we are currently not aware of) must be user configurable and disabled by default. I think it is clear that Mozilla/Firefox will start loosing market share because of this issue. Probably not so much because this one issue "slipped in" but more because of the way the it is being handled. The _users_ choice (privacy) is being seen as subordinate to the the publishers desires. (If there website is slow due to their tracking code then that should reflect upon them.) Arguing that there are other technical means to achieve the same effect indicate that there is a lack of interest in suppling an application in the users interest. Instead one should focus in fixing this issue, which seems trival, making a followup security fix release and then looking at fixing other security issues... and yes I do view privacy as a part of security and I won't mention better security as a Firefox feature it this isn't fixed with prejudice. Browsers have no obligation to foster flawed business models, yet I believe community applications do have some obligation to their community. If this doesn't happen then I think the time has come to sponsor a fork.

I really don't care what you do. I'm like a lot of people who are turning away from the internet now. Have fun!

I just tried reading all of these comments, and gave up somewhere 1/3 down the page out of disgust.
Honestly, the amount of FUD, trolling and downright _lying_ people are doing in this thread is just disturbing.

I apologise in advance to those with a clue, but I'm not just going to sit here and let these mindless drones parade their scaremongering around.
-----------

To all accusing this of being "spyware":
Would you care to explain to the audience why you think the Web's current methods of JS redirects, invisible images, tracking cookies, onclick traps, and obfuscated mystery meat referrer URL are better than this well-defined one?
Or even better, where's the prefs in mozilla to turn off all of the above list? How about in IE? Or any other browser?

To those complaining about it being "non-standard":
In case you're blind, the second link leads to the HTML 5 Working Draft. Yeah, it's not a W3C spec yet.
Got a problem with non-W3C standards? Let's see how long you last without GIF, JPEG, ASCII or Unicode.

And for the numerous posts screaming "OMG I WILL DUMP YOU FOR OPERA IF YOU DO THIS":
Opera are going to implement HTML 5 at some point in the future (unless they want to be the next IE6). What will you do then? Demand they cripple their HTML 5 support (just like IE does for HTML 2-4)? Or are you going to stick your head in the sand and never upgrade from Opera 8/9?

Viva la Smurf Attack!

I have to wonder if the Mozilla developers have fully considered the implications of this feature. With browser redirect tracking, the company providing the content bears the burden of processing; with the track back mechanism implemented in the client, no such limitiation exists. This by itself would not necessarily be a problem, except for the fact that the developers appear to be supporting MULTIPLE track back locations.

This is Bad.

Consider for a moment what kind of havoc that could be reaped by compromising a banner ad server to include a list of track back urls that all resolve to a single, unsuspecting, network. Someone just got a free army of DDoS clients, all courtesy of your friendly web browser. If one considers the implications of this feature being implemented in an html rendering engine, then the consequences of a spammer taking advantage of this "feature" become truly frightening.

Fortunately, all is not lost for this technology. If the track back ping implementation is limited to a single non-broadcast destination address, then its potential for abuse is dramatically decreased; in fact, it would prove to be a less effective DDoS vector than listing the potential target directly in the HREF tag.

No No No. Do not do this or firefox will die out.

Have people learnt NOTHING from the recent SONY security farce. While the Sony issue was far more serious it shows how quickly a tech savy user base can kick up a media storm. Many Firefox users are tech users who understand the net otherwise they would not know why they needed to move away from IE in the first place.

I am sure Sony thought there was no problem with DRM until their customers told them there was very publicly.

People HATE tracking, adverts etc. Just look at how many tools there are to block them.

DO NOT BE SO STUPID, drop this idea now before its too late to recover from the bad press it WILL cause.

"I'm sure this may raise some eye-brows among privacy conscious folks, but please know that this change is being considered with the utmost regard for user privacy."

To add to my previous post, so far the majority of comments would see to show that this hasn't been considered "with the utmost regard for user privacy".

what a terrible, terrible idea.

Rather than add a feature to make it easier
to sneak information out of a hyperlink,
how about a user option to offer to strip these redirects out of links too?

I see things all the time that have a url with
a hook redirct to the link target. I can choose
to copy and paste and edit the url, but it would
sure be nice to right click and see "click through
to target" emphasizing privacy instead of revenue.

It's clear that nearly nobody who has commented actually knows what they're talking about.

The ping feature replaces an existing, and crappy method of tracking with one that works better for the end user and can be disabled. This is a performance and privacy win. Stop crying.

You guys should be thanking Darin instead of freaking out over something you clearly haven't researched and therefore don't understand at all.

This reminds of a while back when a VP at Coca-Cola suggested that intellegent soda machines could raise the price of sodas on hot days. His comment set off a firestorm that could have been avoided had he just rephrased his statement to say that prices could be lowered on cold days.

That said, I agree with Ian Thomas:
"An alternative might be to turn the idea on its head - instead of having a ping attribute have something like a redirect attribute and the href would be the page that is pinged.

"If the browser doesn't support 'redirect', then the href will be loaded as happens now, and will then forward the user on. If the browser does support redirect, then it will load the redirect page to the user and silently ping the href."

As a Firefox 'convert' I find the proposal to be most disturbing. I for one have recommended Firefox to many people. If this is implemented I will drop Firefox like a shot. Any recommends for an alternative welcome!

I love it. Oh, people already abuse a flaw in IE, blah blah blah. Who cares? People who use Firefox most likely don't use IE except in the rarest of circumstance, so continuing to bring this up serves no purpose. In addition, there's been nothing yet to indicate this is being considered with the "utmost concern" for user privacy - the only thing mentioned constantly is speed.

If this is implemented, I'll be dropping Firefox (or supporting a fork) just like I dropped IE as soon as I was old enough to know better.

Cutting through all the bs in the prior messages... my take is this. Explain the feature, defend why it is non threatening and give the users the options to use or not use it.

If you don't the news, bloggers, odd posters, and wacko techno wannabe's will make enough noise to give the browser a very bad reputation...real fast.

None of the negative has to be proven..just repeated over and over again...

AH

I agree, this idea is terrible. As was mentioned before, how bout developing something that protects the user from issues like this rather than encouraging their use at all?

Horrible idea guys.

Firefox the new spyware.

I try to NEVER click though a redirect. Now you give them a tool that prevents me from knowing, a bury it into a useful product.

And have you solved anything? NO. They well now be using both methods, or worst you now add more bulk to the servers and increase traffic...

GOD, MAN THINK!!!!!!

I would post a comment, but some Very Popular Websites have asked that I don't.

Personally I think it's a really crap idea, but the main question that keeps coming to the front of my mind is "what benefit would this be to _me_?". The only answer I can conceive is a hollow "none". This is purely a greedy commercial marketing tool that would all to easily be corrupted by the scum of the earth, just like so much else.

Firefox should stay close to it's roots, and shy away from this kind of thing...

"It's clear that nearly nobody who has commented actually knows what they're talking about."

Thanks, Ben. Of course, you're absolutely right. None of us peons has the wherewithal to understand this high-falootin' technical jargon and none of us have been around the web for longer than an hour after taking one of them there AOL lessons.

"The ping feature replaces an existing, and crappy method of tracking with one that works better for the end user and can be disabled. This is a performance and privacy win. Stop crying."

No, it certainly doesn't. It forces me - the user - to bear the cost of what is now borne by the site. This is not what I want. I don't want to wait while right different pings are processed by me. And right now, I can choose to block all sorts of things I don't want, using a variety of plugins and with proper setting of options. Enabling something like this BY DEFAULT shows zero concern for the end user. Neither you nor anyone else has shown why this is a "privacy win" when this function is enabled by default. What about corporate users who will have to explain why a malicious webmaster sent off a ping to a porn site or to goatse or somewhere else that would raise eyebrows by the admins? What about people like me who do actually notice those redirects that Darrin claimed no one ever notices?

"You guys should be thanking Darin instead of freaking out over something you clearly haven't researched and therefore don't understand at all."

And you should learn some better PR lessons. The ones you've taken thus far clearly have not held any value.

And now for a serious, on-topic comment:

This feature should use robots.txt, and should not have unlimited ping URLs, instead it should be capped (as a default) at 1 per pinged domain and 4 in each link. The absolute maximum should be 16 or something, or else you end up flooding the client.
That fixes 99% of DDoS problems.

For whom was Firefox created? The users who despised IE or was it for the websites and to make spying on us easier? Take heed, dont do this!!! or it will be the begining of your undioing.

Okay, firstly, I think Darin's edit should probably be changed to one that actually addresses the situation, rather than trying to blame IE for something in a way that doesn't even make sense, and secondly I think the name 'ping' is unfortunate.

But all the arguments about how much easier this is to do are fallacious. The previous post by Darin is about prefetching (the web page author can request a page to load before the client tries to go to it), which was a feature that attracted approximately the same amount of outrage as this one did awhile back. Nobody uses it, because it's a Mozilla-specific feature, and even if it weren't there's nothing it can do that an image can't.

This does even LESS than prefetching. This is TELLING you, the user, when you are about to be sent to a page that will track your usage. Currently the UI for that is not checked in, but that is in fact the point of the whole thing. Yes, there are page load optimizations, but primarily its purpose is to show the user what's going on. It is not really a privacy issue. The redirects that have been used thus far are much more of a privacy issue.

In conclusion, I'm guessing that approximately 0.2% of the people who are commenting would have even known about this feature if Darin hadn't blogged about it, asking whether it was okay. This feature, if it ever is enabled, will be enabled a looooong way away. Please stop threatening to abandon Firefox or whatever, and think for a bit about what this is actually doing.

"Thanks, Ben. Of course, you're absolutely right. None of us peons has the wherewithal to understand this high-falootin' technical jargon and none of us have been around the web for longer than an hour after taking one of them there AOL lessons."

Yeah, you make a fair point, I should be more polite. I know that I'm tired and abrasive, but look at some of these comments. Most people are jumping to conclusions without researching anything and it's driving me mad! If that isn't you, you probably should ignore that part of my reply.

"No, it certainly doesn't. It forces me - the user - to bear the cost of what is now borne by the site. This is not what I want. I don't want to wait while right different pings are processed by me. And right now, I can choose to block all sorts of things I don't want, using a variety of plugins and with proper setting of options."

The pinging is done asynchronously, which means you don't wait, it happens in the background. That's one of the points for this to exist.

There is also no extra bandwidth overhead, since:

i. Loading a site and sending a ping = 2 requests
ii. Loading a redirect then loading a site = 2 requests.

Also, since the ping request will likely have far fewer headers, this is probably a bandwidth win, but this is being incredibly pedantic. There'll be no visible difference in this respect.

"Enabling something like this BY DEFAULT shows zero concern for the end user. Neither you nor anyone else has shown why this is a "privacy win" when this function is enabled by default."

You can't block obfuscated redirects at all, your choice is "don't follow the link" or "follow the link and get tracked". If people use ping instead of such redirects, you *can* block them AND still visit the site.

I don't know about you, but it's certainly what I'd call a privacy win. Especially if the UA is required to notify the user that this is happening.

"What about corporate users who will have to explain why a malicious webmaster sent off a ping to a porn site or to goatse or somewhere else that would raise eyebrows by the admins?"

This is a valid point, but no more so than other existing features like prefetching.

"What about people like me who do actually notice those redirects that Darrin claimed no one ever notices?"

Well, as I said above, what are your options? Don't go to the site? Go to the site and get tracked? Try to strip out the tracking part of the URL (if possible)? Wouldn't you rather just block it from the start and click the darn link? I know I would.

i, too, will drop firefox like a hot potato if and when this happens. a truly terrible idea.

and PLEASE don't try to sell this as something that benefits the user - it clearly only benefits websites, the rest ist FUD.

> The previous post by Darin is about prefetching
> ... Nobody uses it, because it's a
> Mozilla-specific feature, and even if it weren't
> there's nothing it can do that an image can't.

By "nobody", do you include google.com?
http://www.google.com/webmasters/faq.html

I'm not worried about the big websites being more able to track us. They can already do that. I don't like redirects, but most big companies force it on their users as a condition for using the site, so I give in. What worries me more are the small potatos.

The problem I see with this is that it lowers the threshold of effort, although as mentioned above, if it's as simple as (new Image).src= then it doesn't lower it much. Also, you have to have Javascript enabled for the above to work. This needs a configuration option. An extension will be written anyway to add one if it's not there.

I also want a feature which will let me set an upper bound on the number of pings that can be attached to my click on a hyperlink. Right now URL redirects are limited by the fact that they don't want me to have to wait forever to actually get to the page, but give them this, and website designers will have no such concern, since it's in parallel, and feel free to do anything they want. If we're going to make this easy to do, we're going to implement it on our terms, which might differ slightly from the status quo or the desures of "several big sites."

This should also only work for the referring host, I don't like third-party pings for the same reasons I don't like third party cookies. This would take the teeth off the DDoS-by-ping argument.

I am removing the link to Mozilla on all my web pages today.

A complicate issue. BAD idea because of the invasion of privacy. The potential for abuse. Definitely change the Firefox into some fancy feature browser.
GOOD idea - the geek thing to resolve problems. Reduce redirect time and hassle. The ability to gather information without inconveniening the user. A cool new feature that might drive webmaster away from IE.
There are points on both sides of the scale, but to stand true of original Firefox spirit - Browse the Web with confidence. How can a user do that when the privacy is being compromised?! A suggestion is to develop feature to protect user from being tracked, instead of making it easier to be tracked.

That which is more objectionable *should* be slower.

"BAD idea because of the invasion of privacy"

It's not an invasion of privacy since this is a replacement feature. I don't understand why there are around 200 comments arguing against something that is better for _everyone_ (end user included) and adds nothing extra in terms of "tracking".

Would you people say no if tracking links were automatically detected, loaded, the redirect url retrieved and then inserted back into the original document? This would be distinctly less practical, but ultimately similar in nature.

> By "nobody", do you include google.com?
> http://www.google.com/webmasters/faq.html

Okay, I'll bite. Yes, I do, and I know about Google's use of it, as it's pretty much the only high-profile site that does. I personally think that the privacy issues associated with prefetching are considerably higher than those associated with ping. Which certainly doesn't stop me from using any Gecko-based browsers.

And I do think you should try to clarify what the whole thing is about, since people are clearly not reading the specification, and those that do seem to be misinterpreting it. The way you have it now, emphasizing speed, may be what you envision the purpose to be, but mentioning the UI would help alleviate a lot of this gut-reaction commentary.

I would say something to everyone else, but I don't think most of the people commenting are bothering to read most of the other comments (understandably, given the number), so I won't.

Duh! I think most people simply dont get the benefits of such a feature. There are tons and tons of websites that are using redirecting. Lets see what this does to you now..

- You're browsing slower, because every time you click on a redirected link you have to load the redirector page first instead of directly going to the site you wanted.

- Often you cant see where the redirection links to because, it f*cks up the URL. Something like http://nicesite.com often becomes http://mysite.com/redirect.php?id=123781nio1n23oi4n12io3n41io2p3n4io1n234io1n23io. You wont really know where the link leads you until you have clicked the link.. this is also often the case with Google Ads where you cant know where the ad will lead you until you have clicked.

- Nearly worse are sites that show you the real URL, but change the link to something like above in the moment you want to click the link. A normal user wont even know that he got redirected and tracked.

--

Okay, now lets see, how this ping attribute could help..

- You browse faster, because you directly go to the requested site, not having to make a detour over the redirector page.

- You always see the real URL. You will know the target URL before clicking a link and not afterwards.

- In contrary to the current systems, you can disable the tracking by setting the user preferences to not use pinging.

- Pinging is more transparent, because the attribute could be used to provide additional visual hints, like a small icon that shows up in the status bar and gives a nice explanation about what pinging is, when hovering about it. Currently novice users wont even note that they are being tracked.

--

I think there are some valid pros and cons to this new feature, but a lot of comments just seems to come from people who just dont have any clue about what they are actually talking.

To the people that are threatening going back to IE because of privacy issues. Go back and visit all those redirects, getting tracked all the time, while I'll be laughing about you and bypassing most tracking because I'll have the option to disable tracking, which you wont have.

THIS WOULD MAKE SURFING AND TRACKING MORE TRANSPARENT - AND NOT WORSE LIKE SOME YOU SEEM TO THINK!

Give it up folks. Why not actually think before posting?

Demographic tracking isn't going away. Period. Its not like you're being ask to pay postage on a mail-in rebate.

I'd rather have this tracking go on in a way that impacts me the least - which means no stupid server-side redirects that are so poorly implemented you can't even get to where the redirect is supposed to go.

It would, however, be nice for a dialog to pop up when there are multiple pings requested for a URL - say with an option to filter with a blacklist.

For those complaining this should remain in the javascript layer: it is natural for software to pull in popular extensions - consider MacOS Dashboard and Konfabulator.

And surely this new "feature" will default to activated. Beyond collection of marketing data there is no reasonably need to notify a third party site that someone followed a link. I'm disgusted and disappointed all at the same time.

Instead you should work on SVG. A lot more work (and testing!!) has to go into this.

I hate to follow-up my own post, but I need to ammend my previous comment as I had smurfs on the brain when I wrote it. The last paragraph makes a lot more sense when stated as follows:

Fortunately, all is not lost for the technology. If the track back ping implementation is limited to a single URI, then its potential for DDoS abuse becomes equivalent to that of the IMG SRC tag.

Wow, alot of responses...

Now I understand why the idea is there and it is being concidered, but everyone that is talking about the greatness of opt'ing out of it, why even add it if, websites don't HAVE to use it? Now if you block the current ways of tracking and THEN implement an open way of click tracking, maybe it'd work better, but for now even if it is implemented, everyone is just going to continue to use the old ways cuz they still work!

Personally I've used both IE and FF alot, currently using IE though after FF decided to erase all my settings and bookmarks when I restarted one day o_0. Lol, either way, fix the problems of today, and then implement better ways to do the bad things :)

Why don't you pull your hand out of big brother's pocket? So its ok to track where people go online just because websites exploit a bug in IE. Thats why I don't use that brock piece of crap anymore. Sounds like firefox is starting to go the same route. Boy, I can't wait to battle pop-ups once more.

To answer some of the fallacies above:

1. "If people use ping instead of such redirects, you *can* block them AND still visit the site" (Ben Basson) - and all the other posters who make comparisons with existing methods

ANswer: The idea that this "feature" would be an alternative to other tracking tricks in practice is unrealistic to say the least. Obviously webmasters will use it *in addition to*, not instead of, the existing methods. Anyone who is claiming "this is less evil", explain how it will somehow prevent webmasters from using the other deceptive tricks in addition.

2. (paraphrasing many comments above): "You can't defeat the other tracking methods, so just give up on all demands for privacy and let them do whatever they want".

When phrased like this, the illogic and contempt for the reader is obvious - yet this is what many comments above logically amount to.

In fact, lots of users can and do opt out of tracking. When sites try to redirect my link-click through their advertising "partner" site it goes to localhost on my machine like all the garbage sites. So I end up pasting the link, and avoiding clicks on that site. Similarly I don't run Javascript from sites that try to falsify the status line or other hostile tricks.

The claim that "nobody" observes these precautions is trolling at best. The popularity of adblock and similar extensions, custom hosts files, and so on is evidence to the contrary. I don't want to accuse people of deliberately trying to sell this "ping" feature on the basis of deceitful rhetoric but it is hard to avoid that impression when reading some of the excuses above.

And what about those who are not so knowledgable? Either (a) you admit that many of them would object to tracking if they knew what was going on, and respect this presumable preference; or (b) you reason "they don't know, therefore it is fine" (like the Sony exec saying "most don't know what a rootkit is, therefore no security breach"). The latter view reflects a deplorable contempt for the user.

3. The idea that if it can be limited to the current site then it's fine - well, no. What users expect when they click on a link is that the linked-to site will get a request and the site where the link is will know nothing about it. Naive users expect this because it is natural and reasonable, and techies who care about privacy demand it because it's a requirement they make for acceptable behavior.

Having said all this, as long as it can be reliably and totally turned off I will still use the browser. What scares me is the attitude of some (like James above) that if letting users turn it off would prevent it from serving corporate purposes, then users must be prevented from turning it off. That is real evil.

So you think building spyware features directly into the browser is an improvement over the current hacks? Sites using hacks _should_ be slowed and have their customers discouraged by the costs of their hacks. It's not a fault, it's a useful feature to have that effect.

What's the secure browser alternative when this sort of attack on the end users is being added into Firefox?

I think it's just about time I started writing my own browser. Firefox is no longer suitable with such silly "options" as this ping crap. I expect to be able to use my browser of choice without having to fight with it over privacy and security. Good bye Firefox. I'm not interested in any more drama from you.

Personally, I think whomever came up with this idea should be taken out and shot at dawn, without a blindfold, and no cigarette option either.

If this is implemented, I will a) no longer use firefox, or b) compile my own version that does not use this feature.

It's interesting how Google isn't mentioned at all in the post. Darin is employed by Google. I'm willing to bet this is coming straight from Google, who has been trying to implement this for a while with onmousedown and other ugly hacks.

Wow. My question is this: what group of people wrote all of the comments about "dropping FireFox" and "switching back to IE"? Crazy people, no doubt? Certainly it was nobody that has an IT degree, and I'd suspect nobody who understands how the internet (more specifically URL redirects and traffic analysis) works.

There is nothing in this code that's bad. Could there be a security issue somehow related to it? Probably - someday. But right now it simply helps to standardize a feature that is used all of the time. If it isn't standardized across the board, the chances are very slim that many sites will ever use this.

Absolutely dumb idea. It won't work. There are two possible scenarios...

1) People *WILL* turn it off, using Greasemonkey or an extension, if need be. What will hurt even more is an extension that *LIES* to the web-server and claims that the browser is pinging, when it isn't. This will make the ping "feature" so untrusted that web developers won't use it. So you may as well not bother.

2) Assuming that the Firefox developers somehow stick the code in, and make it totally unstoppable, and mandatory for Firefox's operation... do you remember XFree? Whatever happened to them? With apologies to Country Joe McDonald...

Gimmee an "F"
FFFFFFFFFFFFFFFFFF

Gimme an "O"
OOOOOOOOOOOOOOOOO

Gimmee an "R"
RRRRRRRRRRRRRRRRR

Gimmee a "K"
KKKKKKKKKKKKKKKKK

What does that spell?
FFFFFOOOOORRRRRKKKKK

What does that spell?
FFFFFOOOOORRRRRKKKKK

What does that spell?
FFFFFOOOOORRRRRKKKKK

Yeah, No. This isn't a smart move.

Contentless HTTP requests used for some weird tracking thing? Even if you wanted to do tracking, firing additional HTTP requests is a horrible hack.

What information and cookies will be sent with this response?

Just because you can do it as a hack today with some IE vulnerability or some horrid javascript garbage doesn't mean that the feature is privacy-conscious. Every boy scout learned that you should leave the internet better than you found it. Let's think for a minute about what will IMPROVE the lives of users out there.

This feature should be aborted. Weird popups asking the user to agree to strange ping protocols is not going to help, there's no way you can explain that feature to my grandmother on a popup.

It's time to say, you know it was a good idea, but it's a better idea to can it.

Who the fuck asked for this "feature?" This is 1000 times worse than cookie tracking.
What next? The firefox mouse tracker? Tracks all the mouse movements on the web page.

I bet than NSA-owned company, Google, is behind this stunt.

bad move firefox :(
So far firefox meant security and user privacy respect... is that about to change ?

The last I looked, features were added to Web browsers for the benefit of the users, not the benefit of website developers. Has the whole Mozilla project forgotten who they're working for? Or, worse, have they just remembered, and it's not who we thought all along?

What you are doing is very little different from saying "People who distribute spyware have lots of ways to get their spyware onto your computer, but those are inconvenient for the spyware distributors, so we've put in a more efficient way to load their spyware" or "Spammers have lots of ways to get around your filters, but those are a nuisance to the spammers, so we've put in a "nofilter" tag that will allow the spam to bypass filters and go straight to your inbox." Or, for that matter, "Burglars have lots of ways to break into your house, but they're difficult and the burglar might get hurt, so we're distributing master keys." Ludicrous? Yes, and so is the argument that since people already have ways of tracking clicks, but those ways are inconvenient to the people doing the tracking, our browsers should be suborned to help them out.

Pull this whole concept out NOW with a huge apology and a promise to never even think of anything like it again, or the resulting public relations disaster is going to destroy Firefox. It's already hard enough to convince IE users to switch. Once they start hearing (with a little spin from Microsoft) that Firefox has built-in spyware, it's going to be impossible. Because no matter what you tell us techies, even if you somehow manage to convince us otherwise, that is what the non-tech user is going to think, or is going to be told to think by the agents of the Evil Empire.

Aren't you supposed to be on our side?

There is a lot of ignorance and misinformation flying in this thread. I think Darin has presented a concise response in his most recent blog entry.

Darin has been a Mozilla contributor for many years, for several employers and I have never known him to do anything but the best thing for Mozilla, even when those around him less encumbered by the "responsibilities" of employment would have compromised.

Before you hurl abuse, make demands or threats remember that real people work on this software. No one owes you a living.

Firefox has made it this far because of the quality contributions of folk like Darin. Either offer something constructive, or take your bile elsewhere.

Wouldn't I with this feature be able to inflate hits to other pages? Lets say I had exchanged links with a small company, now I could make it seem like my site gave them more referals than what was the case.

This may cause Search Engines now finding links going to sites never being seen by end users? Who knows if Google would see it as link-spam and penalize my site?

How would this read out in current Web-statistics software? Would it be easy to separate this hits from other hits, or will this end up as noice making it harder to read my statistics?

IMHO, not a good idea - in regards to privacy as well as efficient use of resources. Two very simple points:

- If it can be turned off, users will turn it off.
- If users can turn it off, those who (think they) need the tracking won't use it.

Ergo, the "feature" will never gain traction - and lots of resources and/or good-will will have been wasted.

Try as I might to rationalize this new feature by focusing on the potential for increased visibility into and control over click tracking and sped up page loads, I just can't seem to do it. I can't get past the fact that this feature is, by definition and design, something which when used would have a negative impact on one's privacy.

There shouldn't be a fuss at all people. For goodness sake, you are already clicking on a link. That "click" generates a request to the server that is logged already.

The ping attribute is a good thing. It is going to speed up browsing considerably as I understand it's implementation. Now instead of having tracking code intermingled on a url request, we can have nice clean urls, which are easier to index.

Irregardless, this flame throwing, wailing and gnashing of teeth is all very premature at best. The SWAG of doom to come is non-sense at this point.

I thank Darin and the rest of the FF team for their hardwork, their innovation and their dedication. Who knows if this feature will make the cut? However, the idea has merit.

-J

NOBODY needs to know where I surf or what links I click or what I look at the webpage or do I take a pee while I read this "ping"-thing! Every day privacy is falling a bit more. Good old text-only browsers! and not so old..

And just how much did said "large websites" pay you to implement this feature? I think that is the real motivation behind this ping tracker...

If you don't disable this by default, then you are a very bad person. 99% of users do not change their settings, especially when it's hidden in the technical looking about:config.

Time to write some junkbuster/proxy patches and firewall rules. Perhaps even create some up-to-date firefox builds with this "feature" removed.

darin, while people here have said "why would anyone want to enable such a features", there are some web apps that would benefit massively from this feature. (e.g. a site like del.icio.us can give you valuable information if it knows when you clicked which of your bookmarks and of course not having to wait for the redirect makes this even better.) thus, i suggest that users should be able to en-/disable this feature on a per-site basis. i'd certainly want to allow pings for //localhost/cgi-bin/my-bookmarks.app and disallow them for //www.shove-ads-down-yours.com/.

Having read _every_ comment on this page (though there have doubtless been many more that have come in the time it took me to read this through) I'm astounded that *no one* has offered a single reasonable argument in favor of this idea, not even the original poster.

The only real argument anyone's given in it's favor (other than that it makes it easier to track the user, which is in my opinion an argument _against_ it) is that it _might_ make the user's browser experience mildly faster. But no one's offered any evidence to support this assertion, and the fact that Darin's idea is to support an indefinite number of ping targets would certainly argue that it could well slow the user experience significantly.

(That it could possibly protect users' privacy in some way is patently ludicrous, as even those espousing the idea obviously realize, since all the arguments for that perspective must be qualified with statements that such a feature could be beneficial were it universally used and supported.)

I really would expect this sort of thoughtless design (and especially the user-hostile attitude) from Microsoft or Apple, and increasingly from Opera as well, but not from _any_ open source project much less from Firefox.

-robin

You should consider allowing the browser user to restrict the URL's to which ping's can be posted to one of the following:

1) Same host
2) Same domain (any host at the same domain)
3) unrestricted (any host at any domain)
4) Do not allow any ping to be sent

This allows the user to have some control. I, for one, would probably select option 2, since I typically only visit sites at domains that I trust, yet I understand that they may need to use several hosts to achieve a sophisticated web site, so I don't need to restrict to option 1. In fact, I think it would be fine to have this feature on by default with option 2 selected as the default. Also, I think that the user should be able to select as a preference what the behavior should be for ping URL's that are blocked due to the above settings:

a) ask for each blocked ping URL
b) ask for the group of blocked ping URL's
c) silently ignore all blocked ping URL's

This would give the most flexibility while providing reasonable security for the user. I would choose options 2 and b, allowing me to restrict to same domain to avoid tracking that I don't want, yet still allowing me to say 'OK' in some situations that might be required to actually let a desirable effect to take place.

Now, since this Attribute will only be supported by Gecko-Browsers and there most of the users will turn it off websites that want to do this tracking stuff will not use the PING but will continue to use whatever they use now (handled by adblock here).

So, no need to be worried about that PING stuff since it will never get used - except somebody manages to exploit that PING and create security risks.

And now we have a reason: the only possible use of this PING might be introducing security risks - so better stop working on that now and spend the time and resources on stuff like improved CSS conformance, memory consumption etc. etc.

:)

Unlike most people here, I (as both a web user and site developer) actually think this is a good idea. I also think you should be given an option to limit pings to the current site only, whitelisting as mentioned somewhere above also seems like a good idea.

I like the idea mostly because clickflow-tracking is actually GOOD for the end user. Good since it can be (and is being) used to find among others the most visited links on a site as well as problems in site navigation and layout. The latter is admittedly more difficult to do in an automated fashion.. Anyway what this leads to is that sites can with relative ease be made more user friendly. And with the ping-attribute this will be easier and won't bother the user as much as redirecting.

Even though the IP-address (and hostname) from the ping request could be (to some extent) used to identify individual site visitors and their online behaviour, most websites are just not interested in wasting effort on this. It is generally MUCH more useful for a site operator to know general usage trends than the behaviour of every single visitor.

Really, the only privacy issue with the ping-attribute itself is the ability to ping 3rd parties, and this should will most likely be optional anyway.

Simple, if youre being pressured it include this crarp, have it off by default and those people that want to have their banwidth increased and privacy violated, can turn it on.

Dont give us "well, a bug in IE can do this" - Its a bug and its a bug with someone elses software, its NOT justification for this crap.

A lot of people seem to be getting worked up over this, from what i have read all it will do is notify the server a link was clicked, not what link was clicked or what page it was on, or anything like that, just the simple fact a link was clicked (could be changed by including the target URI in the ping attribute though).

But, nobody seems to care about the fact that at the moment the browser sends your user agent with every request made, such as for included ad's and such, and depending on how the string is configured will tell the target site what browser your using, what OS your running, what engine it uses, and with IE, what version of .NET you have installed, and if you are running Media Center and such), never mind the fact that they can get your IP with every request.

Some people need to realise this is no big deal (since the WG says the behaviour should be controllable via the UI, and it should list every URI the request is sent to), also some people need to read what the WG says, cause they keep seem to be asking the same questions, or things that are answered in the documentation on it.

I haven't read all the posts (they are too much for one morning) but I want to post my opinion:

The advantage of this feature is that it can be turned off. Nearly all other types of tracking can't be.
But I really want one thing: The ability, like it is done for cookies, to only allow pings to the original site and not to the whole universe besides the ability to turn it completely off.
And a warning before you ping for the first time with the ability to deny this feature, like the cookies, for a site and allow it for other sites.

Then this could be a really nice thing for the server-admins AND for the user.

BUT it has to be noticeale for the user!

When this isn't done by the mozilla developers, it will be done by a extension developer or there will be some patches arround! Even if this means I have to write my own patch ;)

What happens if I want to use Firefox for anonymous browsing via Tor or I2P? the Ping will Bypass the networks and I am not anonymous anymore. I will disable pinging as fast as possible. This is what happens. One more guy whos pc does not accept sending and receiving of pings anymore. Because I heard now that IE is doing it by using a bug allready I have disabled pings at once.

LOL

Greetings.

What happens if I want to use Firefox for anonymous browsing via Tor or I2P? the Ping will Bypass the networks and I am not anonymous anymore. I will disable pinging as fast as possible. This is what happens. One more guy whos pc does not accept sending and receiving of pings anymore. Because I heard now that IE is doing it by using a bug allready I have disabled pings at once.

LOL

Greetings.

This is really a shame since firefox is a nice browser in many ways.
This feature reminds me of the debate about printing from the context (rightclick) menu (https://bugzilla.mozilla.org/show_bug.cgi?id=204519).
I suspect I won't have to deal with this nonsense since Debian's package manager will disable it by default.
I wonder how many letters/responses need to be posted before this is squashed. Judging by the print debate above, it won't happen.

I tried to be openminded about it and read the spec but I still don't see much use for it and it doesn't address several concerns IMO :

1 possibilities of a DoS everytime a news site links a small site are important I think
2 the spec says "When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs." I don't know how you will implement this without making the UI a big mess while surfing, this is going to make Firefox' user experience probably unpleasant
3 So far the project has always focused on pleasing the end-user as well as the web-developper. I know that the web-developer job has evolved in the last years, but tracking user habits is not really a coder concern, it is a web-marketer concern. It may be legitimate in lots of cases and I am not against pleasing these people as well, but I don't think that pleasing them should mean deteriorate the end-users surfing experience and trust in the product.

If, I, as a mozilla user, beta tester since mozilla0.6 times and amateur web-developper am very concerned about the possible breach of privacy, overall usefulness and general good of this feature for me, what will joe-user think about it ?

@eff: You can also turn off JavaScript, so tell me, do you have JavaScript turned off?

Actually, if this becomes more widely spread, I think it could only improve privacy.
The way I see it, people now have less control over their privacy, since this is something that can be done with JavaScript/redirects already. Sure, you COULD turn off JavaScript, but hey, I want to be able to use the internet the way it's intended to be used: interactive. Disabling JavaScript takes it just a step too far.

Now, if I could be able to disable a certain non-privacy-respecting function of JavaScript (depends off course how paranoid one is), that would be awesome! But since computers can't completely interprete what "privacy" is, it would be neat to have a whole different attribute which can be seperately switched on or off. And there you have it, the ping attribute as a privacy-protector; and I can still continue to have my JavaScript enabled...

>It's interesting how Google isn't mentioned at
>all in the post. Darin is employed by Google.
>I'm willing to bet this is coming straight from
>Google,

Mathew, you're being unfair, this is from the WHAT-WG not Darin, the WHAT-WG are of course under the complete control of Ian Hickson, who's employer is Google, erm, hm yeah maybe you have point.

Rather than technological or privacy issues, I fear that "public image" issues will hit Mozilla/Firefox worst in this. While some people (like myself) will withhold judgement and read the arguments, the majority will understand the short message, which is "Firefox enables clandestine tracking". The better punchline is likely to win the public debate, if not the argument, the balanced and well-argued position is likely to lose just because it requires long and calm consideration of the arguments. I speak from painful experience.

Rather than debate whether the feature should be turned off by default, a proactive response by developers would be to tackle the tracking issue as a whole. (Forgive me for speaking Firefox 1.0.7 now, I have not switched to 1.5.) Make "Tracking" an item in Tools > Privacy and include several anti-tracking options there, such as javascript changing link targets in onClick handlers, the ping feature, and more. Make it easy (and the default probably) to disable tracking features and market the result as Firefox working against tracking.

I know that this will probably prevent the ping feature from being used by developers, but I doubt it will get off the ground anyway. And more importantly, I believe that by the time something like my suggestion is implemented, Firefox will badly need it to weather a storm of bad press about the ping feature.

Well, I guess I can follow that replacing slow complicated non-standard malicious techniques with faster standardized malicious techniques can be viewed as an improvement...

But still a 'feature' must be a _user_ 'feature' and it seems that the user 'feature' has't been implemented. That feature would be disabling the tracking by a user preference (a documented and accessible one), just like disabling cookies, potentially on a site by site basis.

I would also consider it a feature if a user could disable redirects on a site by site basis.

As an example, I will translate for you the message by which heise.de, probably Germany's most popular and respected source of IT news, reports this feature. It is the message that brought me here. Quite balanced reporting, still the message is alarming, I'd say.

http://www.heise.de/newsticker/meldung/68508

According to the blog of Firefox developer Darin Fisher, a new function for logging user clicks has been built into current development versions of the browser. The ping attribute specified by WhatWG for hyperlinks sends a ping to one or more URLs as a link is clicked. Preview version of Firefox 1.6a1 (code name "Deer Park 2") do indeed send a ping to the heise server when the link

  <a href="#" ping="http://heise.de">Link</a>

is clicked. The ping mechanism is to simplify tracking mechanisms which web servers employ to observe user behaviour. Initial response from the user community has voiced concerns, speaking of spyware. Currently, commercial site developers mostly use special redirects or JavaScript to log clicks on links.

Against a recommendation in the WhatWG specification, the mechanism can not be switched off. It is not known at the moment whether other browsers support the ping attribute or an implementation is planned.

WhatWG is a loose grouping of browser makers such as Mozilla, Opera and Apple, which wants to supplement the W3C web standards. The ping attribute originates from the draft specification for web applications 1.0, which is also billed as "HTML 5". Browsers such as Firefox 1.5, Opera 8.5 or Apple Safari already implement parts of the specification, such as vector graphics with <canvas>.

[Update]: The feature can not be turned off with the regular configuration menus. Via about:config the variable browser.send_pings can however be edited to make Firefox give up this behaviour. But the function is enabled by default in current development versions.

I forgot to add my name to the translation of the heise.de article, sorry.

I do not like this idea, because nobody doesn't have to know where I keep my mouse cursor. And it's too automatic - if I want go to the next page I'll clik the link, no keep cursor on it.. so next page should be downloaded only when it's clicked to.

I really hope that this 'ping'-option never sees daylight.

Wouldnt it be more comfortable and W3C-orientated to leave this attribute out and use a JavaScript function instead ? So there's no need for special DTD's and such a (IMHO stupid) Link-List-Counter-something functionality can be done the smarter AJAX way. But there are enough solutions out on the net which are available for every developer. So just tell us more: Why should a functionality like this should be implemented ? A bug in IE isn't a good reason. And changing link-destinations with event handlers is also possible when this functionality is implemented.

Just a thought (and I see that you already have plenty, so hopefully you get to read them all)... The firefox browser is on the verge of critical mass, and Microsoft is diligently working to push IE7. As these two "things" barrel towards each other, there is inevitably going to be a point in time where the crash happens. Microsoft has shown itself to be impressivley good at being the one still standing after the dust settles.

Look at the bad press Firefox got for the security issues that arose a little while back. There is no redemption in IE having more or the bug being quickly fixed.

In my opinion, this feature has the possibility of generating a lot of bad press (think of the dumbed down Yahoo News headline that this feature could have) This coming at a point in time where you don't need to be sticking your neck out into uncharted territory.

Just a thought

After I read the various back-and-forth on this last night, I gave it some thought before falling asleep.

The government has slipped code into printers to print a pattern of almost-invisible dots to identify what printer was used to print a page.

I wonder if the 'large sites' that have requested this feature have any connection with the US Government? I'm sure some in the government would like places like the FBI, CIA, and NSA to be notified whenever someone clicked on a link to a terrorist/porn/Democratic website...

Methinks that is why this was going in without discussion (until someone stumbled onto it), and is non-standard functionality to boot. Not to mention the push back 'this is only useful if all browsers use it' and the desire to *not* allow someone to turn it off.

Me, I'm voting Democratic for the next few elections.

-- Bill

I don't see the benefit to the end user. Sure one can claim that it will speed things up - but by how much? 5%, 10%, 15%? I think what the Mozilla folks should do is set up a test environment available to the public - a page with the ping, and a page with redirect. Put the ping feature default on as an alpha. Collect your statistics and challenge your end users to finds ways to abuse ping. If after a few weeks serious problems come up, drop the feature entirely, thank the users who participated, and be grateful that you consulted and worked with your end users. If you put this feature in and an unforseen disaster results, you have only yourselves to blame. Take the time to really look HARD at this, and test it well with your end users.

Could you please post an URL pointing to the specification of the "ping" attribute?

I can judge if it is okay or not ony after reading:
* a complete explanation of what it is intended to do
* example scenario of intended usage
* explanation of what precautions are taken to prevent abuse

Without a specification this discussion is just an emotional core dump of frustration about phishing and concerns about personal privacy on the net.

So, where's the spec???

Wiktor,

There is a link to the spec in my original blog post. There is also a link to the original WhatWG message thread where many of the issues related to were hashed out.

Over my dead body :-(

Can Open. Worms Everywhere.

so what you are saying is that because there's an ie bug that allow sites to do it anyway, you should make it a browser feature?

doesn't make much sense if you are trying to convince people.

It doubt having this "feature" can be of any help to anybody. It for sure will not prevent redirects. It will not help users, web developers, content providers or even surfer trackers.

My vote is for avoiding it althogether, at least until it is incorporated to the (X)HTML standard.

I don't want this enabled by default. I want to enable it if and when I so desire and I want the ability to control it by individual site.

I want this for the same reasons that I want that level of control for JavaScript or cookies, etc. I and I alone should be able to determine my own destiny with regard to what information I want to allow to be released or not.

Anyone not giving me that level of control will lose my confidence and business. People moved to Firefox/Tbird en masse because we, the People, wanted this level of control and it was given to us with these programs. So grow a brain, get a clue, and leave us with the level of control we desire.

Damit schaufelt Ihr euch das eigene Grab. Lasst den Blödsinn!

Fucking psychos! Take this out immediately!

Firefox has fallen! Alas!

You know, if I were a webmaster I would be very afraid of this so-called feature. Why, you ask?

Well, let's just say I happen to run a site with a forum, where news stories are posted, and users can post comments about these stories.

And for the sake of example let's also say that my site happens to be very popular, with lots of traffic. So popular, in fact, that a term of Internet jargon was created to describe the "effect" on sites that are linked to from my site.

Let's also say that my site has a lot of visitors who are...less than altruistic when they post links - so much so that a few years ago I had to write code into my CGI scripts to show what site they really are linking to (say, a site with a disturbing picture of a biological improbability) when they create a link in their comments.

Further, my site is known as a worldwide bastion of anti-Internet-Explorer, pro-Open-Source-Software sentiment, so my visitors are far more likely to be using Firefox than the average Amazon.com or Yahoo user.

Now, since anyone can post comments to my site, users Joe Script-Kiddie and Bob L33t-Hax0r start posting random links with labels in in their comments like "Microsoft Exec Admits Linux Is Better Than Windows".

"Attention shoppers! Now having a two-for-one sale on the Slashdot Effect in Aisle FF! Kill two sites for the price of one or double-bone your favorite site!"

Get with it, people. Any feature that can be abused, will be abused. Heavily. By people who sit up nights and think of new ways to fsck people over for fraudulent purposes or just for giggles. I offer the recent hoopla over UTF-8 URLs and fake-URL@password:real-URL being used for phishing as supporting evidence that what I just said is true.

browser.send_pings=false out-of-the-box. Ask for it by name.

If this 'feature' goes live with default-enabled, every single piece of forum and content-management software that allows the <a> tag, from Slash to MediaWiki to LiveJournal to Blogger and back, will have to have a security update to allow site owners to strip this "ping=" attribute from user-submitted HTML tags.

I'm not going to be like a lot of others posting comments have been and say "OMGWTF GOING BACK2 IE RIGHTNOW KTHXBYE." But I am certainly going to stop promoting Firefox to my friends, coworkers, and family as "a better, safer way to browse." And I don't expect I'll be alone in feeling that way, if the other posts here are any judgement. Firefox will get an extremely bloody nose in the tech press and maybe even the mainstream press.

And where would Firefox be without word-of-mouth promotion by satisfied users?

There is a fairly simple and rational method for figuring out the right answer in cases like this. Just look at the natural free market forces. Assume that all possible variations already exist, and figure out what features self-interested end users would generally select. This is particularly true with an open source project here any user or group of users can produce their own varient at will.

The goal is to short-circuit the fork and free market competition step and cut right to the stable end result that ultimately must win. Imagine that FireFox has already forked, and there there is a competing version called UserFox. Imagine that UserFox has on offer every possible variation that does anything the end user might like it to do.

So in this case, what does the end user what? What is their ideal self interested product design? Well end users generally do not want to be tracked if they can avoid it. That means two things. One, that their choice software would not comply and would not send these pings. Two, it means that their choice software would falsely claim that it was ping-tracking-compliant... it would do so in in the hope that the website will attempt to rely on the ping method and deactivate their other methods.

Trying to implement and push this ping system is irrational and unstable. When (not *if*, but *when*) this competing UseFox fork is available, whether it is a full FireFox source code fork or a GreaseMonkey script or an add-on extention, many people will get it and their browsers will selfinterestedly lie that they are ping-compliant and they will refuse to send these pings. And then of course websites will not rely on the new ping tracking method... or even worse websites will start doubling up on tracking methods and do *both* ping tracking and redirect tracking. And many sites will do double tracking to try to capture whatever percentage of clicks that slip past just one method or the other. Users will end up with worse performance from code bloat and and bandwidth bloat from websites using dubble tracking methods. It all becomes wasted effort and a pointless arms race, with everyone losing.

Just produce UserFox in the first place. Bypass the need for a fork and/or GreaseMonkey scripts and/or extentions that *will* ultimately be be produced. Bypass the pointless arms race between users and websites. You can't fight natural free market forces. You cannot *prevent* people from getting the product they want. This isn't some Microsoft Monopoly where you can shove undesired behaviour into a product and force it onto users, where they have no ability to change it and they have no alternative. You can't force undesired behaviour into the product even if you *do* think people would overall be better off if you could somehow force everyone to use it. You can't force everyone to opt-in, and it will simply fall apart.

Notwithstanding privacy concerns, relying on the client for behavior is stupid on the part of server operators. There is nothing to stop the clients from turning this "ping" feature off, in which case the servers must redirect to retain the functionality anyhow.

Moral of the story? Don't trust the client. Ever.

The ONLY people who stand to benefit from such a completely-user-UNfriendly "feature" are the money-grubbing marketing bastards. Their intrusive, bandwidth-sucking shit, plastered throughout many websites already massively bloats webpages - 80% of most commercial websites' pages are javascript crap whose only goal is to track your every move online. Mozilla should be actively working to DISable and UNsupport all of this shit instead of adding yet another layer of marketing-driven insanity to a browser that once *HAD* the potential to be something actually useful by real-world users (mozilla/firefox's alignment with corporate greed appears to be just around the corner).

As a security professional, I will most certainly be advising my clients to drop firefox should this "feature" be incorporated - particularly if enabled/supported by default - and will work very aggressively to denounce firefox to all of my corporate business collegues.

And yes, I'm one of those security-conscious users who *DOES* cut and edit and paste redirect urls, AND in the interests of security I *DO* disable javascript for ALL sites I visit until such time as they have reliably and consistently demonstrated that their javascript poses no threat to my system. I also use my "hosts" file to bitbucket all known ad-tracking urls, and I firewall their IP addresses to ensure no traffic from my network will ever reach their servers.

Security is not just a word - it requires a conscious effort and commitment. I used to think Mozilla agreed with this philosophy.

How to disable this crap?!

Hmmm...
How can community protect firefox code from spyware?
How can we cut off access to official source for such "developers" with shit in the head instead of brain?

Will Opera also implement this "feature"? Maybe I should move to Lynx.

>"Websites already do something similar in IE by exploiting a bug with the way images load."

For that reason we use Firefox!

Another reason to stop using future Firefox-Versions.

- Tracking/Spyware-feature-free Firefox alternative available ?
Hope some developers will leave Mozilla/Firefox team and start another OpenSource browser-project with the Firefox-Source.

The goal is 100% tracking-/adaware-/spyware-/rootkit-feature-free browser-alternative.

So Firefox was sold out for the corporate gain of Google. Darin, it's time to step down as a Firefox developer. You cannot serve both Google and the community.

You have taken your 30 pieces of silver, step down!

If "pings" are enabled by default in the next stable release, I will definitely stop recommending Firefox as the best browser out there.

We never asked for this feature to be implemented! BTW, what does "some very popular websites" mean? Google? MSN? or perhaps the NSA? :-(

People seem to have forgotten that some sites can only afford to exist through advertising revenues brought in through link tracking. If everyone could disable redirects, undoubtedly they would - but we'd probably lose a lot of great websites in doing so.

> So Firefox was sold out for the corporate gain
> of Google. Darin, it's time to step down as a
> Firefox developer. You cannot serve both Google
> and the community.

Uhm, do you have any idea how opensource development works? Perhaps you should read my more recent blog entry. My employer doesn't have any power to strong arm such a feature into Firefox. That's ridiculous. Look at the bug. Look how the feature was developed. Look how the feature made its way into the development tree. Stop being so paranoid.

I did this work in my spare time because I think it makes the browser better for users. That's all there is to this. Geeze.

Darin,

I think it is clear by now that a vocal group of users is strongly opposed to this. Your own justifications, especially the "big websites requested it", seem rather pro-corporate and, by association, pro-advertising. I think it is thus clear that your positioning on the user-side is strongly in question.

When reading the WhatWG discussion thread it is immediately evident that the original proponent and most of the early positive commenters are marketing people (They say so themselves), perhaps that should have been a warning sign.

Since the slashdot-mob has apparently moved away, maybe a more rational discussion is now possible. My concerns with this thing are:

1. (philosophical) I dislike any website doing anything but answering my HTTP-Request and, opposed to what an earlier commenter said, I do not thinks they have any "rights" to know about my clicks other than to serve those requests. I specifically use FF to modify the execution of sites that try to do something I dislike. Including the ping attribute looks like an invitation. I don't want to tell sites "look here, do your stuff with this, I like it better", because I don't. I like to give them the finger instead, which is using GM, AdBlock, etc.

2. (zealotry) While I strongly appreciate trying to be current in feature development, implementing features a group wishes to discuss for future suggesting to the standards body is pre-mature (Especially since the WhatWG seems to be interested in breaking the existing standards, why else add canvas where object is sufficient?). This willingness to implement anything that looks even remotely interesting can lead back into the browser-wars very quickly. This might very well be the "blink" of this decade. I'd strongly prefer FF to adhere to _all_ W3C specs before including "an idea from here and one from there" (Ever asked why the W3C is so slow? 1. They tend to think things trough. 2. Since noone currently supports XHTML 1.0, let alone 1.1 fully, why hurry?). This situation looks like saying goodbye to the W3C, which is both risky and unnecessary.

3. (practical) I consider it possible for Microsoft to include this attribute in IE, so I don't think adoption is necessarily such a big deal, but I'm rather sure that a few famous Extensions used by the majority of FF users will include an option to turn this off, if means to do so are not comfortably provided/off by default. Which leads to the question: Why should a browser with a userbase technical-minded enough to consider turning this thing off even implement it? For IE it makes sense, but most FF-users have already done the step and started learning about setting things up the way they want.

How about you and whomever else might be involved in including this take some time and answer to these, without excuses (no "someone big requested it", give names; no "IE has a flaw that allows this" or "It is already possible", those don't make it right, I hate that, too)? Certainly there are steps that need to be taken before any feature would actually end up in a release, but neither I nor most of the commenters here know them. For you it is unfortunate that this thing became known before any serious discussion seems to have taken place, for "us" it is vital to understand that FF is not going to be a corporate sell-out, which it clearly looks like at the moment. I think a reasonable, calm and well thought-through answer can provide us with that.

Darin writes:
> I did this work in my spare time because I think it makes the browser better for users. That's all there is to this. Geeze.

Ok, but this feature has been described/advertised in a wrong way. Read that again: announced in a wrong way.

I've thought about it and my opinion is that this feature alone may in fact be harmless (most of the time). But the introductory text of yours explicitly compared this to the IE bug and discussed (poorly) security issues. Without proper discussion it quickly led to the nervous comments.

Given the fact that the users gave the Mozilla/Firefox lots of their trust, even mentioning of a slightly unsecure and non-standard extension (at the time of writing) makes them feel like this trust is abused. I did feel the same for some time, but eventually emotions fell down and now I think more reasonable.

Users demand respect for their privacy. That's the point that Firefox stepped on very strongly. If you ever do something new and exciting again, please weigh your announcements more. Even if it's in your private blog, you're still a voice to hear and respect as you're a Mozilla developer. To fail with recognizing the importance of assuring the users that their privacy is the most important thing for the developers, means to loose the user base as quickly as it recently grew.

Just like one of the previous posters wrote, if the "ping" attribute can be abused, it will be. That's the sound of inevitable. And as a final thought, maybe you should post an "I'm sorry" entry with "I'd like to explain once again from the beginning" in your blog?

If this is representative of the great ideas that "WhatWG" is going to be coming up with, then they really ought to consider changing their name to "WhatTF".

Folks, please get a grip and start thinking objectively. Don't you realize that you are being tracked today without any means of subverting it or without much chance of even knowing when it is happening? You can't disable HTTP redirects without disabling large portions of the web.

If this feature makes it into Firefox, then you (the user) will be more informed about people who are tracking your link clicks. Moreover, if you are bothered by having people track your link clicks, then you can use Firefox to actually disable such tracking. Don't you want to have that power?

1) Of course I know about redirect links. I have a Proxomitron filter that deals with them most of the time.

2) Existence of these does not excuse addition of more tracking methods. Your spare time is worth more than that!

3) I hope the arrival of this quote feature unquote will be well-signalled so I can warm up my turning-off finger.

Darin, you just aren't getting it.

You say that tracking happens now and that this will give you control over it....but only on sites that use and abide by the new rules. Are you really naive enough to think that once this makes it into "the standard" that advertisers are going to abandon their proven methods of generating revenue for an unproven and completely defeatable method that will impact their bottom line? If you truly believe that, I have a bridge I'd like to sell you in Brooklyn.

Tim,

What makes you think that Proxomitron filters out these redirects? That's just not possible to put it frankly without preventing you from reaching the final destination of the link click. Are you saying that Proxomitron makes it so that link clicks don't go anywhere for you? If so, then that doesn't sound like much of a web to surf.

More tracking mechanisms does not in itself impair your privacy. Tracking mechanisms that are transparent to you impair your privacy. Are you saying that you prefer being in the dark?

Anonymous,

I don't know what advertizers are going to do, frankly, but I do know that the default configuration of the browser matters a lot. If a feature is disabled by default then it might as well not exist. On the other hand, if it is enabled by default, then it will be enabled in the browsers of more than 99.99% of the user base. So, you tell me... compare that to the cost of maintaining a redirect server?

Even if advertizers choose not to use this feature, there are still plenty of other sites that could make good use of it. Suppose, for example, that you are running a news site, and you would like to know how many people notice a particular portion of your website. This feature gives you a cheap way to collect usage stats on your website without impairing the browsing of users. Is that really malicious? It helps the news site present better content to users, and by using <a ping> they are being very up-front with users about what they are doing because users will be able to see the pings. If some percentage of users don't want to allow such pings, then by all means, let them. The news site will still get a lot of useful pings to help them improve their site.

To the average user, any website that adopts <a ping> is actually giving the user the ability to see what is going on. Why shouldn't we encourage that?

Darin wrote ...
"So, you tell me... compare that to the cost of maintaining a redirect server?"

Frankly, I don't give a FLYING FUCK what it costs the marketing arsebags to maintaining a redirect server.

You can proclaim all you want that you're not catering to corporate interests, but it's extremely obvious to the vast majority commenting here that you have zero interest in protecting users' personal privacy.

Do the rest of the monkey-fuckers at mozilla think along the same lines as you that this feature is a good idea?

quicksilver,

How about we keep this conversation clean, eh? I think you missed the entire point when I brought up the cost of maintaining redirect servers. I'm not trying to ease the costs of maintaining a redirect server just for the sake of making life better for bad guys; rather, I am saying that money directs change. If it costs a bad guy less money to do something good that still achieves his end result, then he is more inclined to so. Get it? That's not so hard to understand is it? Encourage the bad guy to do good by the user. Seems like a win-win situation to me.

> it's extremely obvious to the vast majority commenting here that you have zero interest in protecting users' personal privacy.

I think you mis-interpret people's comments. Yes, the vast majority of people care about privacy. So, do I, and that's why I worked on this feature because I believe that it will help improve the privacy of users on the web. I think it would help if people took some time to actually study this feature and think objectively about it instead of reacting with such snap judgement. This feature is about empowering users. It gives them the ability to see what is going on (and if they are so inclined to disable click tracking). Why is that bad?

Cookies weren't bad, until advertisers found out they could make money by placing zillons of them on your hard drive.

Pop ups weren't bad, until advertisers found out they could make money by opening zillions of them on your screen.

Redirecting wasn't bad, until advertisers found out they could make money by sending you to zillions of URLS in just a few seconds.

JavaScript wasn't bad, until advertisers found out they could make money by making zillions of windows move around and dance to get your attention.

Flash wasn't bad, until advertisers found out they could make money by opening zillions of ads directly on top of the webpage without the need for a pop up window.

Ping wasn't bad, until advertisers found out they could make money...

Darin, please consider answering my questions above. I'm not interested in advertisers using this method, because frankly I don't want them to do anything at all, under all circumstances. Is that clear enough? Work on breaking redirects, if you feel the need to, but adding yet another vector for them is bad, even it is cheaper to them and gives me "greater" control. To use the time-honored method of mataphor: When someones trying to shoot me, giving him a cheaper laser-gun that I can turn off remotely will only make sure he either shoots me with that or pulls out his trusty revolver should I disable his new toy. What about giving me a bullet-proof vest instead?

Darin,

What advantages does this offer to websites and web advertisers? Why would they want to use this over redirects?

Introducing this feature looks like a bad idea, even though I think it is an elegant solution, technically. Two reasons:

1. You will need to provide an option to disable this feature, or even disable it by default. In consequence, even if everyone was using Firefox, this feature won't be used by people who want to do link tracking (I wouldn't).

2. Much of the popularity of Firefox seems to be based not on it's technical excellence, but on the perception that Firefox is a "good" browser (standards, security, privacy etc) rather than an "evil" browser (microsoft, pop-ups, yadda yadda). From the reactions on this page it should be clear how this feature will be perceived -- no matter how you put it.

Darin wrote:

Encourage the bad guy to do good by the user. Seems like a win-win situation to me.

Um, how about you encourage the bad guy to not do bad things at all? That would be a bigger and more meaningful win that this "feature".

Just released NoScript 1.1.3.6, disabling this ping feature either globally or for untrusted sites only, so you can still "support" sites you trust, if you want: http://noscript.net

That feature merely allows easy and fast *collective* data gathering.

Clicking a link could cause a notification to be sent to X number of locations.

Further more that allows cheap and hidden DoS attacks.

> Um, how about you encourage the bad guy to not do bad things at all? That would be a bigger and more meaningful win that this "feature".

I agree. Do you have any suggestions?

> That feature merely allows easy and fast *collective* data gathering.
>
> Clicking a link could cause a notification to be sent to X number of locations.

You've just described things that are possible to do today without <a ping>. What's your point?

> Further more that allows cheap and hidden DoS attacks.

"cheap and hidden DoS attacks" are possible by any number of other means today. What makes you think that <a ping> is special?

Apparently you won't take the time to answer, so I'll make another attempt to reason with you, based on what you ARE willing to answer.

> I agree. Do you have any suggestions?
How about stopping to hand them yet another tool first, then see what you can do against redirects (When a second URL is embedded in a link, for example, FF could offer to go there directly) and malicious JavaScript (Maybe an interface that allows extensions to monitor and change/block external connections through it?) Finding a way to let Greasemonkey work through a file before any <script>s and onload or optionally work despite NoScript.net might help, too (I can then offer a highly configurable user.js that will remove any scripts from a page, but it is useless at the moment).

> You've just described things that are possible to do today without . What's your point?
"It is (already) possible" is _not_ a good reason to do something, in this case it's very bad, since it means "bad guys" can always fall back on another, older, proven method. Nothing gained.

> "cheap and hidden DoS attacks" are possible by any number of other means today. What makes you think that is special?
Same as above, of course. "ping" is special, because in contrast to JavaScript, Redirects and even bugs, it is _built_into_the_browser_for_the_sole_and_express_purpose_of_helping_marketing_. those other things don't get rejected, because they have legitimate applications, ping doesn't.

Lean back and try to think about it from a new perspective, without prejudice, maybe you'll see that you've grooved yourself into a pattern of "I _know_ it's good"-thought, while you may have simply missed some aspects initially. Don't be too proud to admit such an error, should you conclude you made it.

An, yes, I tried really hard to see it your way, but for me "less worse" is "still bad", and, frankly, the "but it should make the privacy crowd happy"-type defense it got only shows that none of the defenders honestly count themselves into that crowd. Apparently because the don't share some of its most basic premises, like the above "less worse = still bad".

Robert,

My apologies for not answers your questions directly until now. As you can see, there are a lot of comments on this thread, and I just haven't had a chance to respond directly to each question asked. I had hoped my other comments would help address the questions that I had not answered directly.

> How about stopping to hand them yet another tool first, then see what you can do against
> redirects (When a second URL is embedded in a link, for example, FF could offer to go there
> directly)

I don't understand the solution that you are proposing here. Can you elaborate?

> ...and malicious JavaScript (Maybe an interface that allows extensions to monitor and
> change/block external connections through it?)

This already exists. See nsIContentPolicy.

> ... Finding a way to let Greasemonkey work through a
> file before any s and onload or optionally work despite NoScript.net might help,
> too (I can then offer a highly configurable user.js that will remove any scripts from a page,
> but it is useless at the moment).

Well, greasemonkey isn't part of the default version of Firefox, and most users wouldn't know what to do with it if it were included, so let's try to focus on things we can do to the improve user privacy that doesn't require much from them. For example, <a ping> if adopted by sites would inform users of the sites that are going to track their link clicks. That sounds like an improvement over the status quo to me since ordinarily users have little chance of knowing when they are being tracked.

> "It is (already) possible" is _not_ a good reason to do something, in this case it's very
> bad, since it means "bad guys" can always fall back on another, older, proven method. Nothing gained.

You've taken my comments completely out of context. I never said that we should accept additional threats to our privacy just because "it's already possible." I was merely explaining why <a ping> is not the only way to achieve "easy and fast *collective* data gathering", etc. If you have a counter-argument to that, then by all means, let's hear it.

> Same as above, of course. "ping" is special, because in contrast to JavaScript, Redirects and even bugs, it is
> _built_into_the_browser_for_the_sole_and_express_purpose_of_helping_marketing_.
> those other things don't get rejected, because they have legitimate applications, ping doesn't.

Again, how does that pertain to my comments? I was talking about the DoS threat.

Yes, <a ping> is designed to inform the browser that a site is planning to track the fact that a user clicked on a link. You seem to see that as pure evil while I see that as an opportunity to inform the user about the tracking that is being done when they click the link. In my opinion, <a ping> gives the user more information than they had before.

Moreover, since there are plenty of "legitimate uses" for <a ping> besides just advertizing purposes, this gives websites the ability to track clicks in a way that is more beneficial to users (the browser can inform the user about pings, pings are low-priority, users who don't want to play can disable pings, etc.).

We all love Firefox because its purity simplicity and safety. Please dont bother us your a-ping stuff, it kills us. If you implement this i will be the first who write an article how can everybody hack this off form their cool browser. Or just simply wont use it.

Lezuzius,

Would you mind telling me why you are so against <a ping>? What makes you feel like this is a feature that is bad for users?

> What makes you feel like this is a feature that is bad for users?
Because there are no good for USERS. Just that!

Darin,

thanks for answering, I was getting the feeling you tried to only answer to the more emotional posts, since they're easier to refute (from your POV). I'll try and give you my answers as honest and rational as I can.

> I don't understand the solution that you are proposing here. Can you elaborate?
When a redirect is in this form http://www.example.com/index.php?http://www.example.org, FF could offer to link directly to the .org one. Of course this may injure a few legitimate uses, but they're rare. I actually use a user.js that does this. If the redirectors don't want to customize sites for every site they're tracking they need to identify the target somehow in the link. This can be a levering point IMO.

> This already exists. See nsIContentPolicy.
I wasn't aware of that, I guess someone needs to develop an extension that uses this.

> Well, greasemonkey isn't part of the default version of Firefox, and most users wouldn't know what to do with it if it were included, so let's try to focus on things we can do to the improve user privacy that doesn't require much from them.
I'll have to accept that, though I have to say that a lot of people use GM to overcome shortcommings of FF, specifically some on the privacy side of things, maybe some of those scripts should be in FF natively...

> For example, if adopted by sites would inform users of the sites that are going to track their link clicks. That sounds like an improvement over the status quo to me since ordinarily users have little chance of knowing when they are being tracked.
Correct, it _sounds_ like one, but A) any site may still track the user, so this only creates false security and B) I still don't want my browser to aid the marketing people in any way. It's "bad" and I don't care if it's "less bad", that doesn't make it "good" or "better". If you could guarantee that every website would only use ping from now on and that I could always turn it off (better yet, turned off by default), then I would still not feel too comfortable with it (but could accept it). However, that is simply impossible, since the means of tracking are way too numerous at this point.

> You've taken my comments completely out of context. I never said that we should accept additional threats to our privacy just because "it's already possible." I was merely explaining why is not the only way to achieve "easy and fast *collective* data gathering", etc. If you have a counter-argument to that, then by all means, let's hear it.
Maybe I simply don't get what argument you're trying to make. You're saying "ping is not the only way to achieve 'easy and fast *collective* data gathering'", so for me that means "it's already possible", which is not an argument, but simply adding another vector. Maybe you can clarify?
And, for the sake of correctness, I might be mixing in a few other's comments by mistake, please point it out should I accidentaly ascribe something to you that you don't agree with as well.

> Again, how does that pertain to my comments? I was talking about the DoS threat.
And, same as above, maybe I simply don't see you making any argument besides "it's already possible", sometimes mixed with "it's less bad, so it's better", which are a non-argument (An "Appeal to Common Practice", to be precise) and one I consider to be simply a false conclusion (Yes it's "less bad", no that doesn't make it "better" or even "desireable").

> Yes, is designed to inform the browser that a site is planning to track the fact that a user clicked on a link. You seem to see that as pure evil while I see that as an opportunity to inform the user about the tracking that is being done when they click the link. In my opinion, gives the user more information than they had before.
"pure evil" is not something I'd say, way too religious for my atheistic taste, but "bad", yes. And if something is "less bad" that doesn't make it in any way "more right" (Seen "Donnie Darko"? For me, privacy is not something that can be placed on the life-line...).
"ping" only gives more information if the site owner chooses to use it, but that's besides the point. I find the sole fact that my browser may aid any marketing person unpleasant, no matter by which means this is achieved. If it is tricked into doing so, then I'll have to live with that until a fix can be found, but if it's designed-in, I'm against it. For me that's like building a house with a second key to the lock for any burglars to use instead of trying to secure the building. If the burglars were nice and respected that option I could simply put that key in a melting pot and never be bothered by burglaring again, but the whole concept is _still_ appalling.

> Moreover, since there are plenty of "legitimate uses" for besides just advertizing purposes, this gives websites the ability to track clicks in a way that is more beneficial to users (the browser can inform the user about pings, pings are low-priority, users who don't want to play can disable pings, etc.)
Which? I can't think of any. Every single scenario that I can think of includes finding a way to influence the user to follow a certain path with higher probability. Unless I want to sell something, what would be the point?

FataL,

> Because there are no good for USERS. Just that!

Why do you believe that? Wouldn't you rather have the browser tell you when link clicks are going to be tracked? Are you saying that you prefer not knowing when you are being tracked?

I want to apologize for the "piss-poor", that was personal and uncalled for. I was surprised and lost my composure. Please accept my sincerest apologies.

Darin said:

Have you ever uses personalized search (or search history) on google? It tracks your clicks so that it can show you a historical record of all of the searches you did and the search results you chose. Google does not do this by default of course.

Exactly. Google does not do this by default. The user makes a informed decision to enable it. They understand their search results are being stored when they agree to the service. Downloading and installing Firefox should not automatically mean that any type of client side tracking device is turned on by default. Even if you include information in the agreement notice, how many people really read and understand that legalese?

Using your example above, I should have to "turn on" such a feature after I have read and understand the implications of enabling such thing. Personally, I would like to see Firefox distributed with cookies turned off and the Permit Cookies extension and NoScript installed by default. This would give the user alot more control, BY DEFAULT, over what their web broswer should and shouldn't be able to do, out of the box...so to speak.

You once said that web developers count on 99.99% of the people on the web not changing their browser settings. This is true...this is also what the "bad guys" count on as well. Hence viruses, worms, script kiddies, et al. are all over the place. I grant you, the ping tag might be useful to news sites that rank headlines by the number of clicks it's recieved, but if history is any teacher, it will be abused at the first opportunity.

As it is right now, you can only do so many redirects before users would get tired of waiting for the page to load and go somewhere else. With 'ping', an unlimited number of servers could be notified by a single click, since I read in the design discussion you mentioned in the original post, that the spec is not going to have an upper limit of URIs. That pretty much benefits only an advertiser. If your target was really to help news, blog or personal sites have the ability to track clicks for ranking purposes and allow control over adveristers, you would design in some means of preventing it from being used for "super bad" purposes.

You say that Google wouldn't be able to "strongarm" this kind of thing into the Firefox browser. Two months ago, in your own blog you post about a job opening at Google for "software engineers to join us in our collaborative development efforts with the Mozilla Foundation on the Firefox browser". And then someone who works for Google and has been working on the Firefox project comes out with "(sic)..the point of this feature is to enable link tracking mechanisms commonly employed on the web...(sic)", I think that would raise the suspicions. Granted they may be unfounded, but kinda of difficult to ignore.

And in closing, I think fixing the memory and caching problems in the past few releases of the software would be a better use of your time, drive and desire to make the browser better. I've put up with Firefox's tendency to suck up RAM and then start flooding my swap file with 300MB of data and bring my system to it's knees until I can get to the task manager I now keep in the systray and kill the process. However, this new "feature", makes me think that I've reached the end of the official Firefox development project. I'll wait for a version that will give me real tools to help keep the advertisers, spammers & virus writers from knowing anything and everything about where I've been and where I'm going to.

Seems there is pretty dismal support for this feature, good idea or not. The simple reality is that we techies can debate this until we're blue in the face, but the VAST majority of the people who make the product succeed have no idea what we're talking about. Ultimately THEY decide what's right for the product and what isn't

What they will hear (given my 25 yrs in this business dealing with users) is..."If I use Firefox, it lets people know where i go on the Internet." That's it guys, that's all detail they can handle. The more you explain it the worse it will get.."No, it only tells some servers that you clicked on a link" means exactly the same to them as "It tells people where i go on the Internet".

In many cases I find that when I say 'server' to people using a browser in the office the only 'server' they know is the server they actually run their network software off of and now they think Firefox is telling that server where they go on the internet....bad bad bad.

Firefox has GREAT press behind it, and Microshaft is peddling fast to hold market share. The absolute LAST thing you can do here is let something like this get misconstrued and ruin the confidence of your user base. So basically I don't care how great an idea it may be, it sounds bad, it smells bad and there is no support behind it even amongst the most loyal Firefox fans...hence it has no place in the product.

My sincere advice is rip it out of there now before this gets out of hand. Already in this room which has VERY techie people in it there is confusion about what this is, what it does and why we need it. If we're in this much confusion over it, think what they average user is going to go through.

What a load of rubbish

- Ping can mean no redirects are required

BOLLOCKS

Trackers will still use redirects as a means on top of PING just so that they can two the methods for being able to track even more.

> I also agree that bad guys aren't going to bother using pings since they
> won't want users to know what they are doing

First of all, it isn't clear what you mean by "bad guys". Take a search engine that simply logs all search terms and results clicks along with the client IP address and unique cookie, but doesn't actually use that information for anything. Is it a bad guy? No. Is it doing something that is bad from a privacy point of view. Yes, certainly if it is keeping logs for very long periods of time let alone indefinitely. There is nothing to stop them, or someone who acquires them, from misusing that information tomorrow. It wouldn't even have to be at the company level... a lone employee could sell it or what have you. The core problem with ping is the privacy issue, and privacy issue is as much about what might happen as what actually does happen ATM. If that doesn't make sense, how about giving me some of your usernames/passwords? No? Why not? Maybe because I *might* lose, share, or use them at some point?

Secondly, being able to see ping targets, and redirect targets for that matter, might be a discouragement in certain scenarios but in others it wouldn't make any difference. Heck, if one wanted to do something bad with click reports on a large scale, the best way to do it would be to partner with, coerce, or create a "legitimate" ad broker that wouldn't raise unique suspicions.

> Have you ever uses personalized search (or search history) on google? It tracks
> your clicks so that it can show you a historical record of all of the searches you
> did and the search results you chose. Google does not do this by default of course...

Doesn't do what by default? Provide a means of seeing a historical record of all your searches/clicks, gather and log that information, or both?

> Yes, it is adding another vector, but that additional vector is not worse (or
> significantly different)than what is already possible.

Have you not created a new vector which has advantages over existing vectors in terms of operating costs, perhaps even ease of implementation as well? Regardless of which method they use to report a click, the consequences to the user would be the same, yes. But have you considered the broader question in light of the fact that "few people mess with default settings"?

> If the threat union of A and B is A, then B doesn't matter. This is how we judge all
> additions to the web platform. If I can do X with Y already, then allowing X to
> be done with Z is okay.

Hmmmm... so given that rooting tool Y exists, it is fine to *create and distribute* rooting tool Z? I don't know, maybe it was that mandatory engineering ethics class we took or something, but that logic doesn't sit well with me. The creation of Z to do X shouldn't be justified on the basis that Y exists. It should be evaluated on its own merits. IOW, what you should ask yourself is, if there were no current ways to do click reporting, should you create that ability? If you were creating a mechanism from scratch, what features would you support? Reports to serving sites only? Reports to an unlimited number of third parties? Would it be enabled by default or disabled? Etc.

This ping feature brings really much advantage to users and admins, but the feature will only be used when it is backward compartible with the actual tracking system. This can be reached if the "ping" and "href" atributes are switched, so the the page which the user wants to see is in "ping" tag.

No, Darin, what's amazing is how you seem completely unable to understand a few very simple objections to your system:

1) user tracking is seen as an undesirable imposition by the vast majority of your user base who are therefore rightly opposed to _any_ support for user tracking being added to Firefox

2) many of us already run the various Firefox add-ons (as well as other systems such as JunkBuster and various blackholing setups) which help prevent exactly this sort of tracking, so your argument that there's nothing we can do about it so we may as well make it easier is completely unsupported

3) your proposal is self-contradictory: your system will not be used by many web sites unless it is widely available in browsers, yet you argue that the reason to support it is that it can be turned off; if more than a small percentage of the users disable it (and you may rest assured that at least those who are aware of it will do so), then web sites will not discontinue other tracking means in favor of your system, at best they'd add your pings as yet another parallel tracking system, and thus no gain would be made from making your proposed system available _anyway_

For many of us posting here, "link tracking" is _not_ the status quo and one of the reasons we use Firefox is to guarantee that this _absence_ of tracking (as well as a host of other invasive and dangerous things which either don't threaten Firefox or which can be more easily guarded against with Firefox) remains _our_ status quo.

Your proposed change is a direct threat to the reasons why many of us choose (and recommend) Firefox.

-robin

> Wow, a lot of people seem to have really missed the point of this feature. In a world where link tracking is the status quo, this feature comes along with the intent of giving the user more control than they previously had, and people balk at it. I'm really quite shocked that so few people seem to realize this.

Robin,

On the contrary, I do understand the argument that you and others are making, but I believe that you are side-stepping some significant facts that might inform your opinion:

1) <a ping> will help inform people about user tracking when websites agree to use <a ping>. Yes, bad guys, who wish to subvert your privacy, will continue to choose not to use this -- fine -- but good guys have a chance to make the experience on their site better for their users. They can be more transparent about click tracking, and they can help keep click tracking from interfering with your browsing.

2) There is no extension to Firefox that can prevent click tracking. Various extensions may employ algorithms that defeat some forms of click tracking, but in general there's no way to block it entirely without unplugging your network cable. Please don't believe that you are immune to click tracking just because you have some extension installed that claims to protect you against such things.

3) Most users run with the default browser configuration, and most websites assume that the default browser configuration is intact. For example, by default referrers are sent with HTTP requests. That informs the site you are visiting where you came from. You can easily disable this with a hidden preference in Firefox. Yet, many websites leverage the referrer header for business purposes. Hence, the ability for the user to disable a feature of the browser, that is by default enabled, is not enough to deter websites from depending on the feature.

4) This feature is widely available in 90% of all web browsers via that bug I described in IE. It is also widely leveraged. Unlike the IE version of this feature, the Firefox version can be disabled and it can also inform the user about what is going on.

Finally, I'm totally with you guys about the significance of Firefox as a vehicle to empower users on the internet. If this feature makes it into a release of Firefox, then you will have the power to turn it off. You will also have the power to see who on the internet is using it and how they are using it and so on. That kind of information is good for users, especially users who are concerned about privacy.

Thanks for the quick reply, Darin.

I think you're ignoring my point 1: that those of us who don't wish to be tracked will not _for any reason_ support a browser that makes user tracking easier. Even if I thought your arguments in favor of this feature had any merit, which I do not, I would still not support adding this feature to Firefox.

Someone attempting to track my usage of the web is _by definition_ not a "good guy". If they want to block my access to their site unless I acceed to being tracked, fine; but any attempt to track my usage without that level of openness about it makes any site who tries a "bad guy".

On point 2: There will _always_ be some information about a user available to a web server, if only because some of it (such as what page they're requesting and generally the client's IP address, though judicious proxy use can foil even that) is absolutely necessary, but appropriate Firefox preferences combined with NoScript can block most systems that try to achieve more than that, provided you configure it properly (NoScript's defaults are arguably not as good as they could be). Regardless, the argument that because something is difficult to prevent you are justified in making it easier to do has no merit whatsoever.

On point 3 (and thank you for numbering your points to coincide with mine): disabling the referrer is a known option which, in my opinion, should not be a "hidden preference"; if you're going to bother having a preference tab labelled "Privacy", then you should actually let the user anonymize the browser easily by using it. But that's a whole different peeve. ;-)

The referrer is also not a good argument to support your proposition: though many sites _use_ the referrer (and seem happy to do so even knowing it can be faked), there are no parallel mechanisms for them to get the same information, so they really have no choice. Your ping, on the other hand, would only be one of many possible systems and with many of those already established. In addition, this ping would be the easiest of the bunch to defeat (making it also the least dependable). While it seems reasonable to think many sites might support it, it doesn't seem likely at all that _any_ site would stop using existing methods in order to switch entirely to this new one.

And the further argument that ping should be supported precisely because it can be disabled is just silly. ;-)

On your point 4: the argument that I.E. allows this and thus Firefox should has no merit _anyway_, but it's even less convincing when you add that I.E. only allows it through a _bug_. There's absolutely no reason for Firefox to adopt any or all of I.E.'s failings.

Isaac Asimov wrote that it's not enough to be less bad; less bad is still bad. I really wish you'd considered this addition in that light before checking it in.

-robin

Darin wrote:

> Websites even employ "onmousedown" event
> handlers that change the href attribute at the
> very last second before a click occurs. This
> makes it so that hovering over the link displays
> the location that you want to go to, but it
> still ends up taking you someplace else.

Will it be possible to change ping attributes in onmousedown handlers? Will it be possible to have an anchor with no ping attributes invoke javascript that simulates a click on an anchor that does have ping attributes?

> those of us who don't wish to be tracked will not _for any reason_ support a browser that makes
> user tracking easier.

Yes, I understand. The biggest challenge facing this feature is the _fear_ that it may increase abuse of privacy. As it is, I haven't heard any strong factual arguments to support that fear, so I continue to try to win you guys over ;-)

> Someone attempting to track my usage of the web is _by definition_ not a "good guy".

Have you tried google's personalized web search feature? If you opt-in to the feature, they will track your link clicks from the search results page and provide you with a historical record of the links you clicked on. This is done so that you can find things again that you may have found a week or so ago without having to remember what you typed in the search box to find them. Are they a "bad guy" for providing such a feature to their users?

> Regardless, the argument that because something is difficult to prevent you are justified in
> making it easier to do has no merit whatsoever.

That wasn't my point. My point was that you cannot defeat click tracking unless you simply avoid clicking on links. Take redirect-based click tracking for example. You can try to guess the final destination of the redirect from the URL itself, but that is easily foiled. You can try to prevent clicking on links that look like they are going to redirect, but then you'll never get to your final destination. This redirect-based click tracking does not require any Javascript, and whatever you do to try to defeat it will invariably break legitimate uses of HTTP redirects.

There is a trade-off to be had here. <a ping> gives websites something in return for something that benefits users (more visibility, better performance, etc.). I personally would elect that trade-off in favor of a world where click tracking happens secretly and in a manner that slows me down. There are websites out there that similarly wish to track link clicks in a transparent fashion without getting in the way of users.

> then you should actually let the user anonymize the browser easily by using it.

I agree completely, and I am in favor of such a privacy panel in the browser's preferences. I think it could be a macro setting that disables a bunch of features that would help the user browse anonymously.

> there are no parallel mechanisms for them to get the same information

Actually, it is not unheard of for business partners to encode referrer information in the URLs themselves.

I doubt many sites will transition to <a ping> unless it provides them with sufficient benefit. There's a threshold to be crossed. As I said before, there are sites that are interested in having a more user-friendly way of tracking link clicks. Though I know you feel that such click tracking can never be user-friendly, please re-consider the examples I've given of what I would call legitimate uses that do not infringe on user privacy. Also, let me repeat that one key advantage of <a ping> is that it informs the browser of what the site is doing so that the browser may in turn inform the user. This makes any click tracking done via <a ping> much more out in the open, which is good for users.

> And the further argument that ping should be supported precisely because it can be disabled is
> just silly.

How is it a silly argument?

> the argument that I.E. allows this and thus Firefox should has no merit _anyway_

I never made that argument. That's taking my comments completely out of context. I was simply responding to your specific assertion that this capability is somehow not widely available, which is clearly false.

> There's absolutely no reason for Firefox to adopt any or all of I.E.'s failings.

Agreed. That's why we chose to implement something better.

> less bad is still bad.

Indeed, and "bad" OR "less bad" EQUALS "bad". Therefore, the "less bad" thing is inconsequential. In other words, adding a new click tracking mechanism does not introduce a new privacy problem. The privacy problem that is click tracking already exists with or without the addition of <a ping>.

Finally, if we can encourage websites to do click tracking on our terms, then we can know when they are doing it, and in turn we can inform the user. How is that not a good thing?

> Will it be possible to change ping attributes in onmousedown handlers? Will it be possible to have an
> anchor with no ping attributes invoke javascript that simulates a click on an anchor that does have
> ping attributes?

Yes. That is possible in the current implementation.

I give up discussing this here.

I'll do my best to make sure this never makes it into a release, but I don't expect much success. Maybe it is indeed time for a fork or entirely new browser should this come to be, but I fear I'm not one who could help such a project much (Only small projects yet, CS student though). In case anyone seriously considers such a thing then (as soon as "ping" is on a list of features that'll be in a release officially), you can contact me, but I'll probably be at your site to offer any help I can anyway :-/

Darin wrote:

> Yes. That is possible in the current implementation.

Seems to me that would present a problem for hover based user feedback (no guarantee the ping list would be accurate). How are you dealing with that?

FWIW, I just took a look at the latest spec and noticed that it says user agents "must honour the HTTP headers — in particular, HTTP cookie headers". A literal interpretation of that would be that blocking cookies is prohibited.

>Finally, if we can encourage websites to do click tracking on our terms, then we can know when they are doing it, and in turn we can inform the user. How is that not a good thing?

Do they link tracking and they dont have to kiss up to a browser to do it. Theyre called logs and dont need browsers to start informing 3rd party servers of surfing habits PERIOD. Your ping attribute is ONLY ever going to be used to subversive tracking.

> Seems to me that would present a problem for hover based user feedback (no guarantee the ping list
> would be accurate). How are you dealing with that?

I don't have a good solution for that problem. Suggestions are welcome.

> FWIW, I just took a look at the latest spec and noticed that it says user agents "must honour the
> HTTP headers — in particular, HTTP cookie headers". A literal interpretation of that would
> be that blocking cookies is prohibited.

Yeah, that seems like an error in the spec to me as well since cookie blocking is a common UA feature.

> Do they link tracking and they dont have to kiss up to a browser to do it. Theyre called logs and
> dont need browsers to start informing 3rd party servers

Paul, I'm not actually sure what you're talking about.

> Your ping attribute is ONLY ever going to be used to subversive tracking.

I gave examples of how it could be used for non-subversive purposes, but yes... it could also be used for subversive purposes. However, so could the click tracking mechanisms that already exist.

The privacy community is up in arms, and a week of debate has hashed out a number of concerns. I honestly have nothing to add other than the newest version of NoScript now blocks the by default on both trusted and non-trusted sites.

IMO: One (Firefox) does not deliver a loaded weapon () into the hand of an inexperienced child. In this case, the children are those that would use this tool for the ill of the privacy of the user.

Darin wrote:

> I don't have a good solution for that problem. Suggestions are welcome.

It sounds to me as though ping could be used as a general purpose broadcasting system and anything could trigger it... page loads, keystrokes, hovers, etc. Deciding what you'll do about the silent/background pings would seem be the first step, for any user feedback system which covers those could be used in place of or in addition to hover based feedback. If you believe it is important that users have accurate and advance notice of who will be receiving the pings, I don't see how you can get around annoying prompts.

Well, my first reaction to a description of the ping attribute was a positive one. There is a potential for abuse of privacy with the attribute, but that's not what I take to be its purpose.

A lot of people like to track exit links from their site - for example, to track advertising clickthroughs, or simply to say show how many people followed an off-site link in a CMS. Most of them do not constitute an abuse of privacy per se - for example, in order to bill advertising customers accurately, it's necessary to count how many clicks an advert receives. There are plenty of opaque methods available to track clicks to external links, what's so bad about making it transparent?

I'm in the process of rewriting my CMS to make it all shiny and wonderful and work the way I want. Designing the data tables, it occurred to me that a table containing data on links could also include a count of how many people clicked on the link. How would I implement that? I could have a redirect script, that increments the counter, but redirect linkout scripts are evil(tm). They hide the target url from the user, and can take away perceived linkage in the eyes of search engines. If I want to link to somebody, shouldn't that register in google, yahoo, etc?

This ping attribute could be a good answer to the problem. I don't want to conceal what the destination URL is. I don't want to break search engine linkage. I would like to have the ability to count how many clicks are made on a given link. Given that I can enforce counting by using a redirect script, how would this othe method be an invasion of privacy?

If you believe this "feature" is really useful, upload it as an extension. Those like-minded people who want to help enable trackers are sure to download it. But not me!

> If the threat union of A and B is A, then B doesn't matter. This is how we judge all additions to the web platform. If I can do X with Y already, then allowing X to be done with Z is okay. You have to prove to me that the union of A and B is not A if you are going to counter my argument.

For people that don't want to be tracked and try to reduce the tracking, the addition of another vector simply increases the possibility that they will be tracked anyway. Some people lack the will to keep up with increasing vectors for exploits but this does not mean they accept them unconditionally.

Browser development isn't my thing and my knowledge of the event model is quite limited. But I had a thought...

If ping attributes can be modified by script, particularly in event handlers, and script can indirectly trigger pings through simulated clicks, you either add additional logic to prevent that or you deal with it. I'm assuming the first approach would be opening up a can of worms and is off the table. WRT the latter, I think it imperative that no ping lists be "executed" without the user having reviewed them. Earlier I said I can't imagine a solution that wouldn't involve annoying prompts, as if that were a bad thing. I just realized that is actually a good thing.

In cases where pings aren't triggered by a user click and/or the user hasn't seen an accurate list of the ping targets, throwing up a modal allow/disallow prompt would a) give users the opportunity to review the list of targets, b) give users the opportunity to allow or disallow the pinging (which parallels the ability to hover over a link and choose whether or not to click on it), and c) annoy the user, thereby discouraging sites from playing games.

As for how one might determine if a ping falls into that category, I'm not sure this would work or is the best way, but...

Upon entering a hover over a link, begin displaying the list of ping targets and store a reliable, unique identifier for that link along with the list of ping target URIs. Upon exiting the hover, clear that information. In the anchor click handler, before enumerating that anchor's ping targets and initiating the pings, see if its id and target list match what was captured during hover. If it matches, the user has already seen the ping target list and you can simply proceed with the pings. If it doesn't match, throw up a modal allow/disallow prompt so the user can review the list and decide what they want to do. The only problem I can think of ATM would be in cases where script simulates a click of link A when the user happens to be hovering over link A. If the browser can differentiate between real and simulated clicks, that could be handled.

> Yes, I understand. The biggest challenge facing this feature is the _fear_ that it may increase abuse of privacy. As it is, I haven't heard any strong factual arguments to support that fear, so I continue to try to win you guys over ;-)

It is not about fear it's about principles. I do not want to be tracked and so I want my browser to _discourage_ tracking -- not enable more opportunities.

Increased methods for tracking will increase tracking. Period. As you are considering this "feature" tracking coders are brainstorming ways to exploit it for more advantage.

At the very least the addition of will catch some percentage of users who don't know or forget to turn it off. Trackers are counting on this. It's money in the bank.

Also, It has been argued here that most users don't notice redirects. Yet, in contradiction, delays caused by redirects are given as a prime reason for implementing .

> Given that I can enforce counting by using a redirect script, how would this othe method be an invasion of privacy?

Your assuming that _any_ tracking is not an invasion of privacy. Just because I tolerate a certain amount of tracking (by concession or ignorance) does not mean I want to facilitate it.

It needs to be a _clear option_ and _off by default_. Or better yet, leave the onus of tracking to the host.

"Clear Option" and "Off by Default" are key points in legislation fighting spam. I believe there are similar principles at stake with .

> There are plenty of opaque methods available to track clicks to external links, what's so bad about making it transparent?

Sites could easily choose to make them obvious to the client with current methods but they don't. That leads me to think that they would continue to obfuscate their tracking by finding ways to exploit or simply using it as a means to extend themselves through erosion.

> If I want to link to somebody, shouldn't that register in google, yahoo, etc?

Redirect links don't have to hide the destination. Make it explicit. Delay is the cost of doing business. Sites that don't will be quicker than ones that do.

>> Your ping attribute is ONLY ever going to be used to subversive tracking.

>I gave examples of how it could be used for non-subversive purposes, but yes... it could also be used for subversive purposes. However, so could the click tracking mechanisms that already exist.

Oh, so that makes the addition of another tracking method a legitimate one? Why add another tracking method when there are enough already? Do you honestly think that all these subversive tracking sites are going to drop onmousedown, redirects etc and jump on as an exclusive method? I dont think so. What I see happening is that they will employ exactly the same methods as they use now and will just add on top of them in order to broaden the hit-rate. This is still a crazy insane idea and I cant grasp your reasoning.

will just become

If you implement this, 99%+ of its use will be in subversive tracking. Is this what you want to see? Kazaa adware/spyware first, Gator second, Darin Fisher third - I know I wouldnt want my named tied to the biggest disapointment to be released into the public, that has, so far, praised Firefox as being a more secure alternative to IE.

>I could have a redirect script, that increments the counter, but redirect linkout scripts are evil(tm).

Why dont you either
- change the window.status
- put an ALT tag on your HREF that displays the URL of the page that is being redirected to.

Great, privacy invasion code in order to track clicks....

The funny part about features like this is the "endusers can just turn it off" opinion. The open source philosophy consistently underestimates hassle and overestimates how enthusiastic *everyone* is to spend hours to figure out the tiniest of details. Oh yay, people can view Firefox source code themselves to evaluate security features on their own.

I'd much prefer to pay others I trust for good editing/vetting of this stuff to give me a simple browser with few features and without all this obnoxious tracking, spurrious traffic, (or ActiveX). Trust is valuable and worth a lot of money. I trusted firefox more a month ago than I do today.

As a user who has been interested in network surveillance, and therefore a big fan of Internet Junkbuster and Privoxy, I will call this a show stopper: Goodbye Firefox, hello Opera.

Coming up: Un-filterable, garishly formatted text ads that use CSS and Javascript to fire strobe lights and the like on web pages, with dynamically generated "ping anchors" as a work around to defeat privacy software that threatens the revenue streams of Doubleclick et al. As I read it at present, the new "feature" is an elegant solution for the banner ad and click-tracker industry, neatly defeating "privacy" and "ad blocking" options at the application layer.

BTW, where's the RFC for this new protocol? Let's don't be using the W3C as a straw man. I don't give a hoot an a half for explicit W3C compliance, but as a site designer & maintainer I would like to think that I am entitled to ask for appropriate engineering documents, and raise polite hell if they ain't provided.

Does it talk to arbitrary servers, or is it limited to the originating host? What port and protocol does it use? Does it break anonymizing protocols? Without answers to these (and probably other) questions, Firefox is poisoned too badly to use in any environment where privacy and security matter to /any/ extent.

I reall liked the new Firefox, but if this "ping anchor" feature stays, I will roll back to a version that does not include it, and transition to Opera at earliest conveneince. Naturally, I will be publicising my take on this new "feature" in Firefox to the fullest of my admittedly limited capability.

Don't think of me as an ex-advocate. Think of me as a vigorous advocate, of something the Firefox development team just killed. Until, of course, the promised "off toggle" is provided.

Why not just rely on the "manufactured consent" of a default "on" setting? That will enable privacy advocates to keep using Firefox while working to get this malfeature fixed or removed.

Nothing personal. Just honest feedback.

:o)

Steve

I couldnt believe that a (apparently) sane person would even think about this but for you to actually press ahead and implement this, is just madness.

If you want to push ahead wtih this agenda (I think someone big is behind it - Doubleclick perhaps) then have ping off by default...

I must concur with Paul. I heard mention earlier of some 'bigger sites' that wanted this without any indication of who that might be. I am viewing this move currently as a complete sellout to advertisers at the expense of user confidence in the product.

I can PROMISE you that this option will do nothing but alienate the very support you need to carry Firefox forward. So.... I'm just wondering who bought the development team off and how much they paid to subvert the basic principles that made you successful to start with.

This 'idea' did not develop in a vacuum and the tenacity with which it's being unsuccessfully defended on here by development makes me believe there's already a firm commitment to someone to make it happen. So who would that be and what are they offering in order to get it? What's the confidence of your user base worth?

> Have you tried google's personalized web search feature?

Of course I haven't. The "Google that knows more about you", or whatever that drivel is, just isn't for me.

I really can't take the time to argue with you, since you don't seem to even be able to understand that people can disagree with you, much less that the vast majority of us do.

Take comfort, Darin, in the fact that you are in a very rare position: the eventual fate of a major software project could very well be entirely in your hands. And few people ever get an opportunity like this.

You can proceed, against the nearly unanimous objections of your user base, and very possibly do permanent damage to Firefox' credibility or you can drop this thing now and at least repair the damage you've already done.

-robin

Darin, listen to what Robin said, hes spot on. You can cause Firefox to go down in a screaming ball of flames (as you KNOW that media will slaughter it) or you could drop it and do something to repair your credability.

I'm thoroughly confused. Someone here said the >ping> option was only in experimental versions.I swear I saw some option for in the Firefox 1.5. Maybe it was in setup, because I can't find it now. I thought it said the default was "block ping". Did I misunderstand? Did I see this somewhere else?
Does it exist in Firefox 1.5 now, and if so, where do I find it?

Help! I'm only semi-HTML-literate.

Thanks

The NoScript extension can filter ping out of A elements if anyone is concerned.

Magic,

No, there is no "a ping" in FF 1.5.

Darin,
I read through this long discussion here and after all pros and conts being exchanged I would like to give you my feedback as a firefox user: Please drop this "a ping" feature.

Christ, you people are chicken littles.

ping is nothing but an invitation to abuse, for it to even be considered for FF makes me think it is time to find an alternative browser and drop support for FF on my sites.

It is nothing but a sellout ot commercial interests looking yet another way to spy on users. You should be ashamed of yourselves for even considering it.

After 40 years of watching good ideas grow up and then get hijacked by bankers, stockbrokers, and greedy marketers, I guess I should not be surprised to see yet another great product turned into a piece of trash. This is the thin end of the wedge. Don't do it.

Darin wrote:

4) This feature is widely available in 90% of all web browsers via that bug I described in IE. It is also widely leveraged. Unlike the IE version of this feature, the Firefox version can be disabled and it can also inform the user about what is going on.

You've missed the point entirely. IE will not send pings for a link with a ping attribute. 90% of users will still be using IE for the forseeable future. A percentage of the users who are using firefox will disable it. Therefore anyone who needs a reliable method of tracking links will continue to do so using other means. Redirects etc will not go away.

Claims that it'll be better because you can show some form of UI are equally flawed. Anyone using the existing methods of tracking will circumvent your protection, making it nothing but an ineffective security blanket - masking the more nefarious tracking schemes.

This is simply a battle not worth fighting because you will both lose and look worse for trying.

I don't think this is a good idea, as HeroreV had said, this is behavioral and should be handled by some sort of scripting language (e.g. Javascript). HTML is meant to be solely used a language for structuring data and not for defining specific behaviors that are meant to be implimented by scripting languages.

Plus there's the lack of support by other browsers such as Opera, Safari, Konqueror, etc. (I think at least). The W3C is the only organization that should influence webstandards IMHO because anyone could create a standard (i.e. WhatWG) and disturb the interoperability of code between browsers more than it already is.

hito is absolutely right. if you want to track my clicks, it's going to cost you two 200's, a database lookup, and a 302. period.

for those who are interested, the NoScript extension may be used to patch this bug.

Seventy-two million smackeroos -- THAT is what's behind the push to implement this marketer's wet dream come true. Need proof? Observe ...

http://www.informationweek.com/story/showArticle.jhtml?articleID=181501852

Wow. People are really stupid. Please sit back and consider your knee-jerk reactions.

"Marketers are bad."

Marketers are not bad. They are the people who make websites possible. Websites cost money to develop and run, and they regain this money via marketing and advertising. Do you think slashdot could afford to run without advertising revenue?

"Link tracking is bad."

Link tracking is not bad. Do you think search engines would even exist without some form of link tracking? This is how they make money. If they couldn't make money, they wouldn't be able to provide a service, and we wouldn't be able to search the web.

"I'm being spied on."

Do you really think that Agent Smith is watching your every move? Aha, today User 384763352 clicked from FHM.com to hotxxxbabes.com! Now we know everything about User 384763352! Mwuhahahaha!!

Get real. Nobody cares about your personal browsing habits. FHM.com wants to know that 300 people clicked to hotxxxbabes.com, so they can invoice hotxxxbabes.com for 300 click-thrus. The only people who seriously need to worry about privacy are political activists in China, and they have a lot more to worry about than the ping attribute.

"There are no benefits to me, it's all going to the corporate machine."

Ranking systems (used in news, blogs, search engines) need to know how many people clicked on each outgoing link, so they can rank the most popular links. Marketers need to know what links interest people, so they can make their site more interesting. This directly benefits you since you get a better experience from the website.

-----

However, having said all that, it's clear that the ping attribute is not going to be good for Mozilla, since it elicits so many stupid knee-jerk reactions, and the force of all those knee-jerks could kick Mozilla out of business.

Hey Gary,

We're going to install a surveillance camera in your bathroom so we can count the number of times a day you take a dump. Don't think of it as an invasion of your privacy - after all, we're not interested in using the footage for anything beyond simply providing some statistics to the companies that manufacture toilet paper. After all, they need to know how much is being used so they can set the price to more accurately reflect the demand.

I don't like this idea.
Like many posters before, I hate advertising and yielding to commerce.

It's difficult however, because we live in a world where services cost money, one way or the other.

I'm ambivalent towards Google.
They have the web site I use most, the search Engine. This has become a victim of its own success. Google has buckled under the pressure of the industry to sponsor top-ranked links.
Ouch!

I have also entrusted my e-mailaccount to them.
Still, I automatically block Google AdSense on every page it presents itself.
Google tries to say: Yes I know you don't like advertising, but ads that are personalised and non-imposing can't be bad?
I never ever asked for those ads, so I will discard them with every means possible.
Alas this also takes energy and processor time.

The sheer idea that these extra "features" cost me bandwidth I can use for better purposes...
Far too often I wait for a site, because the things that load first are the ads.
This bogs down my browsing and infuriates me, because my time is short.

The first time I became suspicious of Mozilla is when they moved their prime products, Firefox & Thunderbird to a .com-page.
I was absolutely shocked.

Keep Mozilla clean, don't succumb to the lobbying of big money.

Xyloc

They shouldn't have called it a ping. It isn't a ping, of course, but for some reason that allows trolls to write easy headlines.