Newer versions of Chrome, Safari, and Opera will no longer allow you to disable hyperlink auditing, which is a concern for those seeking maximum privacy. While some of these browsers previously allowed you to disable this feature, newer versions are going in the opposite direction.
Hyperlink auditing is an HTML standard that can be used to track clicks on web site links. This is done by creating special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page, which can then examine the request headers to see what page the click came from.
To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable as shown below.
This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL of https://www.bleepingcomputer.com/pong.php, so users will not even realize this is happening unless they examine the sites source code.
When a user clicks on the above link, the browser will first send a POST request back to the ping URL https://www.bleepingcomputer.com/pong.php as shown below. It will then open the www.google.com page. This means that every time a user clicks on a hyperlink audited link, the browser will make two requests instead of one.
Scripts that receive the ping POST request, can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to. The headers associated with the information sent in the ping request are shown below.
[HTTP_PING_FROM] => https://www.bleepingcomputer.com/ping.html
[HTTP_PING_TO] => https://www.google.com/
[CONTENT_TYPE] => text/ping
As you can see, using Hyperlink Auditing developers can track link clicks from any web property that they have access to.
Most browsers will not let you disable in the future
With privacy and online tracking being such a large problem and major concern for many users, you would think that browser developers would give you the option to disable anything that could affect your privacy.
Unfortunately, this seems to be going in the reverse direction when it comes to hyperlink auditing.
According to developer Jeff Johnson, Safari enabled hyperlink auditing by default, but allowed you to disable it by using the following hidden preference.
defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool falseJohnson has stated that this flag no longer works with Safari 12.1.
"Unfortunately, this no longer works in Safari 12.1. I actually discovered the issue in Safari Technology Preview 72, and I filed a Radar on January 2, 2019 as rdar://problem/47000341," Johnson stated in a blog post. "Despite several months notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists. To end this article, I'll quote the full text of the Radar that I filed:"
Google Chrome also enables this tracking feature by default, but in the current Chrome 73 version it includes a "Hyperlink auditing" flag that can be used to disable it from the chrome://flags URL.
In the Chrome 74 Beta and Chrome 75 Canary builds, though, this flag has been removed and there is no way to disable hyperlink auditing.
The current version of Microsoft Edge also enables hyperlink auditing by default and provides no way to disable it that I could find. I also took a look at the upcoming Microsoft Edge Insider build and as it's based on Chromium 75, there is no way to disable hyperlink auditing on that browser either.
Like Edge, Opera is also based on Chromium, and the Opera 61 Developer build removes the option to disable hyperlink auditing as well.
Finally, I also tested it the mobile versions of Chrome and Safari and its enabled by default with no way of disabling it.
What this means is that starting next month when Chrome 74 is released to the stable branch, the Edge, Chrome, Opera, and Safari browsers will no longer offer a way of disabling this tracking feature and privacy risk.
Firefox and Brave win the award
Of all the browsers I tested, only Brave and Firefox currently disable it by default and do not appear to have any plans on enabling it in the future.
Firefox 66, Firefox Beta 67, and Firefox Nightly 68 disable Hyperlink auditing by default and allow users to enable it using the browser.send_pings about:config setting.
The privacy focused Brave Browser also disables it by default and does not allow you to enable it at all. It does have a display bug in the brave://flags that show that Hyperlink auditing is enabled, but this is a carryover from Chrome and is not displayed correctly.
Going forward, if privacy is important to you and you want to reduce the risk of being tracked online, then you will need to use Firefox or Brave.
More commonly used than originally thought
When we first published the article, some of the comments were that this feature is not used that often compared to other tracking methods such as JS and redirects.
It turns out that Google uses hyperlink auditing in their search result pages. Every time you click on a search result link, your browser will also send HTTPS POST request back to a Google url in order to track the click.
Update 4/7/19: Cleaned up the confusing first paragraph.
Update 4/8/19: Added information about Google SERPs using hyperlink auditing.
Top 10 MITRE ATT&CK© Techniques Behind 93% of Attacks
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Comments
phossler - 6 years ago
"It does not show you the ping back URL of https://www.bleepingcomputer.com/pong.php, "
ping pong -- I like it :-)
Warthog-Fan - 6 years ago
So in this current age of users being more and more conscious of security and privacy, what were these Browser developers thinking when they made these changes? I'd sure like to hear their rationale for doing it.
LMX - 6 years ago
Most likely because any website that wants to track your clicks can already do it by making links run a script (that logs the click then goes to the url) instead of directly referencing a url.
This will simply make it easier for developers, but with a couple of advantages for users: websites will be a little smaller as they don't have to send script to do this; more importantly, it makes it easier for custom plugins to detect this behavior and modify it as the user wants. It's really hard for a plugin to detect this in a script and modify the script so that everything still works. Much easier to simply remove the Ping attribute from the link and nothing breaks.
That's my take anyway.
Lawrence Abrams - 6 years ago
Agreed. There are a lot of comments stating this is not a big deal because javascript can still do the same thing without anyone knowing.
No one is saying it cant, but that still doesn't explain why you would remove the ability to disable this feature.
joequincy - 6 years ago
Over the past half hour, I did a dive into the history of the ping attribute, and it's clear the author of this article did not. The feature was originally slated for the HTML5 spec more than a decade ago, and was pulled from the draft (without objection) due to a myriad of reasons. In short though: in order for anyone to adopt it, it needs to be at least somewhat sufficient for the needs of the people who are already using http redirects and Javascript tracking. Major browsers implementing it off by default (as the author so glowingly commends Firefox and Brave for doing) is detrimental to anyone adopting it in the first place.
The feature, despite having been initially introduced to the HTML5 draft more than (and removed from it just shy of) a decade ago, is still not part of the standard. It was added back to the working draft of HTML5.3 in December of 2017, and that document has not yet reached a candidate recommendation, much less a finalized spec. Implementation is all over the place between browsers, and we are not notably closer to overcoming the same flaws that led to its unapposed removal from the draft in 2009. The changes being made by Safari, Chrome, and Edge here won't have any negative effect, because nobody is actually using the feature yet, and nobody is likely to start anytime soon because there's no benefit for them when they can get more reliable data with other methods that aren't blocked or turned by default.
Seriously, go read the rationale for pulling it out of the working draft in 2009 (and while you're at it, peruse the commit history and issues on the W3C Github repo for the current working draft), and you'll have a much better idea where it's at, and why browser vendors are adjusting their approach. https://lists.w3.org/Archives/Public/public-html/2009Dec/0183.html
Lawrence Abrams - 6 years ago
I think your missing the point. The issue isn't that the feature exists, was pulled from a draft, or that JS/Redirect tracking methods are more commonly used.
Mozilla is obviously concerned it could be a privacy risk, so disable it by default and do not appear to be changing that stance any time soon.
Brave goes out of their to fully disable the feature, with no way of enabling it again.
Chrome and Safari previously had given their users the option to disable it. Why remove that ability?
joequincy - 6 years ago
Okay, please answer me this: in what way is the ping feature an equal or greater privacy risk than the tools advertisers already use?
I personally don't believe it is. It's much more limited in the type of tracking data it can convey.
Following up on that, what incentive do advertisers currently have to cease using their existing tools and move to the ping feature, if a significant proportion of user agents disable it by default or can quickly and easily disable it in their browser's options? We already have redirect-based tracking which flat-out can't be blocked by the user-agent. What motivation is there to move to something that can be blocked trivially?
I ask, because your article heavily implies that user privacy is harmed by limiting the scope of a new tool that could potentially enhance user privacy but has only seen adoption on half of the equation because the other half feels it has too broad a scope. It isn't helping anyone now. After this change, it MIGHT see some use, and it still has positive benefits compared what is currently used.
Lawrence Abrams - 6 years ago
I 100% agree with you. I do not think it's a greater or worse privacy risk compared to the more commonly used methods of using JS and redirects.
I am also not saying that this feature should be removed.
What I am saying is if people consider it a privacy risk, which some browser devs obviously do based on their decisions to disable it by default, then why remove the choice from an end user?
Unlike javascript tracking implementations that can be blocked by simply disabling JS (yes, I know blocking JS makes the web almost useless these days), there is no way to disable this option as it's baked into the browser.
Just give users the choice.
testa - 6 years ago
When most browsers remove that ability to disable it at the same time, it's probably to trap criminals or something
Sheuk - 6 years ago
Criminals? Oh man, criminals use Firefox or even Tor. You wanna trap them with this feature? Impossible!
Smurfix - 6 years ago
You could still use Chrome et al. Writing a TamperMonkey extension which removes all hyperlinks' "ping" attributes is fairly easy.
Is this nonsense also done in privacy mode?
kelkay - 6 years ago
One step forward, and three steps back. Privacy and freedom are under attack, and it is growing worse. Corporations must be sharing that data with their partners. Now you can't even go into private mode, without them knowing what zip code you are in. (yes my location is off) If they can't get you to buy something, your data obviously seems to be just as much if not more important to them. It is ridiculous. They don't want it to happen to them though, just the regular folks. The criminals are having a field day with all of the loopholes. Never give an inch of your freedom for a fake security. Demand privacy, or use other companies that treasure it. Vote with your feet.
keeganwitt - 5 years ago
There's a new update to this developing story: Firefox will eventually enable this (once the feature is ready) with no way to disable it. This leaves only Brave at the moment.
https://www.bleepingcomputer.com/news/software/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default/
Vivaldi may add an option to disable this in the future, but no timeline or commitment (https://forum.vivaldi.net/topic/36644/vivaldi-most-likely-won-t-be-able-to-shield-us-from-click-tracking-privacy-risk/4).
nmgyrl - 2 months ago
I recently installed Firefox 128.6.0esr on my desktop. I took a look just now, and it still has the "browser.send_pings" option listed in about:config . Moreover, it still has this set to false as the default. So I don't know what transpired in the 5 years since this post was originally made, but it appears that Mozilla has not changed how they handle hyperlink auditing. I'm grateful for this, because "trackers gonna track" is not the privacy position we should be subjected to. (I also have the NoScript and Privacy Badger extensions installed; the latter also by default disables hyperlink auditing.)