An explicit ping attribute makes it easier for content blockers; with a redirect there's nothing you can do but with a declarative attribute it's clear what to block.
This seems very clearly better to me.
It seems like JS-based trackers using sendBeacon are the better option for analytics.
I implement these kinds of trackers, and right now, my choices look like this:
1. Use a redirect:
<a onclick="navigator.sendBeacon('trackingurl')" href="target">link</a>
3. Use CSS:
4. Use ping:
<a ping="trackingurl" href="target">link</a>
However I appreciate to some people "anyone" might not include the people who write the content you're reading -- after all, if you don't care about them, then surely there isn't "anyone" who wants this, but this is immature. These are most certainly people, and these are the people that want this: People who know about other methods and have thought about the risk/reward of using them.
But I guess it does provide a simple mechanism for folks who would otherwise use a redirect and don't want to deal with the complication, so thanks for the insight.
I find Mozilla’s (and Apple’s) position on enabling this by default tenable, because we certainly don’t want sites to block Firefox for this reason or tell users to use another browser (with euphemisms like) “for a better experience”. On this point, I think Brave has cornered itself as a niche browser that sites may start revolting against when it grows.
What is not acceptable from any browser vendor, especially a vendor like Mozilla or Apple that wears privacy on its sleeves, is not having a way to disable this using preferences (visible or something like about:config or defaults). Not everyone may want to trust and install several extensions for things like this. On this, Mozilla has failed (and so has Apple, though I didn’t check that in this context).
The browser still reports “ping” as usable so no blocking of the user or expensive (resource wise) js alternatives, but when you click the link the URL is evaluated as being blocked and safari does nothing relating to the ping.
This isn’t theory, I’ve tested it and it works.
I don’t know enough about blocking capabilities in Firefox to theorise how it would work there.
That only works when the destination URL of the ping is specified as a content blocker rule. Content blockers are too limited to block the ping mechanism itself, so you would need to statically add every single arbitrary tracker URL pattern to the ruleset and hope they don't match a site or resource you want.
You don’t need to “block” the ping functionality (which itself would be come a fingerprinting data point) any more than you need to block xhr/fetch or following 301 redirects (which are also used for the same purposes the ping attribute may be used for)
There are literally dozens of content blockers available for both macOS and iOS and all have extensive block lists of trackers, ad networks, etc. Some also allow you to add custom rules.
That same content blocker will also block XHR/fetch based link tracking that many will just fallback to if ping support is not detected.
If those capable were compiling and sharing versions of Firefox without some of these "features", perhaps some users might be interested.
Bias/ignorance: I like to use smaller software for doing TCP connections and HTTP requests that require more modest resources and shorter time to compile; often these projects provide many compile-time options. There are many, many examples of such software. First example that comes to mind for some reason is socat, if one needs an example of what I mean.
Concerns about this were also the reason why toggling the sending of the DNT header was removed for example.
Probably good for the reasons you mention considering DNT is dead anyway.
The only legitimate reason to add this is that if some browsers have it and some don't usability will be better on some browsers than on others.
This is a prisoner's dilemma. Or was.
TL;DR ITT: "Link auditing / ping will eliminate the disadvantages of tracking!" - Ad Industry and sites that serve tracking: "What disadvantages?"
It's kind of like Do Not Track. Once IE enabled it by default, every single ad network stopped honoring it.
I doubt Microsoft didn’t realize what they were doing would kill DNT acceptance, but they did it anyway to add a bullet point to their feature list.
The analogy in the tracking space would be something like Safari ITP, not DNT.
Life is simpler these days. Others should envy me.
> Contains a space-separated list of URLs to which, when the hyperlink is followed, POST requests with the body PING will be sent by the browser (in the background). Typically used for tracking.
Does this mean that if I put a proxy between the browser and the internet I can block this kind of requests? (of course at the expense of requests that contain that same body for other reasons, in which case I wonder why they didn't add a specific http request header to clearly mark those requests as pings)
So it’s better to standardize and make it transparent.
E.g. google search results get rewritten to redirects as soon as you hover over them or press them (and are redirects in the first place with JS off). Have been for at least 8 years now.
It seems like one day Nike will say, we need to send the location of every step you take, where you're heading and the speed so we can make better shoes. And people just, yes, seems fair to me.
Check out the latest episode of Security Now, which talks about this. https://www.grc.com/securitynow.htm
It's more like Nike are fitting their stores with a special floor that track people walking around in the store to figure out where people go and what they find interesting.
There are many vendors of these special floors, and they offer different kinds of reporting to Nike.
At the moment, Nike can't use multiple vendors without careful testing because the floors can potentially interfere with eachother. Sometimes the interactions only occur in extreme cases, such as massively overweight or underweight individuals. Nike may not be floor experts and not know how to to this. It also makes the floor "thicker" with multiple vendors special floors layered on top of each other, which might feel weird walking on.
These vendors don't just sell to Nike, they sell to lots of stores. Obviously they don't share Nike's "data" with ASIC but each of them have to deal with the fact that even if they solve the problem for Nike's chosen set of vendors, they'll have to do it again for ASIC as well.
So, the floor vendors got together and proposed a mechanism whereby they can all work together.
No new privacy leak, no new information is being generated, or even being transmitted to anyone who didn't already have the ability to collect it, but the implementation is simpler, and user experience is better.
There's that producer of floors that stands against these forms of tracking and says "go to the stores that buy from us, they won't track you!" So this benefits the stores that but from them, the floor maker and the store's patrons.
But this analogy broke down pretty soon this way, didn't it?
Good going, Mozilla!
you can always downgrade your FF version and turn off auto updates, or go to a custom palemoon, then have a chat with mozilla about why you did so.
If it does have an advantage, it's probably just something incidental like particular HTTP proxies being configured to let pings through, or something like that.