Chrome, Safari, Opera and Edge to make hyperlink auditing mandatory

Last week, Bleeping Computer reported that the latest versions of Google Chrome, Safari, Opera, and Microsoft Edge will no longer allow users to turn off hyperlink auditing, which was possible in previous versions.

What is hyperlink auditing?

The Web Applications 1.0 specification introduces a new feature in HTML5 called hyperlink auditing for tracking clicks on links. To track user clicks, the “a” and “area” elements support a “ping” attribute that takes one or more URIs as a value. For example:

When you click on the hyperlink, the “href” link will load as expected, but in addition, the browser will also send an HTTP POST request to the ping URL. Scripts that receive the ping POST request can then examine its headers to find out where the ping came from.
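To check a page for this behaviour, the following Python sketch (an added example, not code from the original article) lists every ping destination declared on “a” and “area” elements and flags third-party ones. The sample page and all hostnames are constructed, and the Ping-From rule it applies is taken from the hyperlink auditing section of the WHATWG HTML Standard rather than from this article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """Return (scheme, host, port) for a same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class PingAuditor(HTMLParser):
    """Collects every ping target declared on <a> and <area> elements."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in ("a", "area") or not attrs.get("ping") or "href" not in attrs:
            return
        target = urljoin(self.page_url, attrs["href"] or "")
        # ping is a space-separated URL list; relative entries resolve against the page
        for raw in attrs["ping"].split():
            ping_url = urljoin(self.page_url, raw)
            if urlsplit(ping_url).scheme not in ("http", "https"):
                continue  # only HTTP(S) destinations are reported
            same = origin(ping_url) == origin(self.page_url)
            # Assumption (WHATWG HTML Standard): Ping-From, which carries the page
            # URL, is withheld only for cross-origin pings sent from an HTTPS page.
            sends_from = same or urlsplit(self.page_url).scheme != "https"
            self.findings.append({"ping_url": ping_url, "ping_to": target,
                                  "third_party": not same,
                                  "sends_ping_from": sends_from})

def audit(html, page_url):
    """Return one finding per ping URL found in the given HTML."""
    parser = PingAuditor(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; hostnames are placeholders.
SAMPLE = """
<a href="/pricing" ping="/clicks">Pricing</a>
<a href="https://partner.example/offer"
   ping="https://tracker.example/p https://stats.example/c">Offer</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://shop.example/home"):
        print(finding)
```

Each finding shows where the click report goes (`ping_url`), which link target is disclosed (`ping_to`), and whether the page URL itself would be revealed to that destination.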

Which browsers have made hyperlink auditing mandatory?

After finding this issue in Safari Technology Preview 72, Jeff Johnson, a professional Mac and iOS software engineer, reported it to Apple. Despite this, Apple released Safari 12.1 without any setting to turn off hyperlink auditing. Prior to Safari 12.1, users could turn off this feature with a hidden preference.

As in Safari, hyperlink auditing was enabled by default in Google Chrome. Users could previously disable it by going to “chrome://flags#disable-hyperlink-auditing” and setting the flag to “Disabled”. But in the Chrome 74 Beta and Chrome 75 Canary versions, this flag has been removed completely. Developer versions of Microsoft Edge and Opera 61 also remove the option to disable or enable hyperlink auditing.

Firefox and Brave, on the other hand, have disabled hyperlink auditing by default. In Firefox 66, Firefox Beta 67, and Firefox Nightly 68, users can enable it using the browser.send_pings parameter. The Brave browser, however, does not allow users to enable it at all.

How are people reacting to this development?

The hyperlink auditing feature has received mixed reactions from developers and users. While some were concerned about its privacy implications, others believe this process makes the user experience more transparent.

Sharing how this development can be misused, Chris Weber, co-founder of Casaba Security, wrote in a blog post, “the URL could easily be added to junk files, causing large HTTP requests to be sent to an excessively long list of URIs. Information could be disclosed in the usual sense of Referer / Ping-From leaks.”

A Reddit user said that this feature is privacy neutral, as this type of tracking can be done with JavaScript or non-JavaScript redirects. Sharing other advantages of the ping attribute, another user said, “The ping attribute for hyperlinks aims to make this process more transparent, with additional benefits such as optimizing network traffic to the target page to load faster, as well as an option to disable sending of pings for more user-friendly privacy.”

While this functionality provides some benefits, the Web Hypertext Application Technology Working Group (WHATWG) encourages user agents to put control in the hands of users by providing them with functionality to disable this behavior.

“User agents should allow the user to adjust this behavior, for example in conjunction with a setting that disables sending HTTP `Referer` (sic) headers. Depending on user preferences, UAs can either ignore the ping attribute completely or selectively ignore URLs in the list,” says WHATWG.

To read the full story, visit Bleeping Computer.
