Hyperlink Auditing In Chrome Firefox Browsers |WORK|
Network requests created as a result of web pages using navigator.sendBeacon() will not be blocked when the setting "Disable hyperlink auditing/beacon" is checked. This is a limitation of the chrome API prior to v49, as network requests fired as a result of calling navigator.sendBeacon() are reported as the generic type other by the browser.
Hyperlink Auditing in Chrome Firefox browsers
HTML5 added a "feature" to the web called hyperlink auditing. You can read the specification from the Web Hypertext Application Technology Working Group (WHATWG). Hyperlink auditing is added to a web page via the ping attribute on an HTML anchor element (), i.e., a link. Here's a example, followed by the HTML code for a simple test page that implements it:
Notice that when you hover over the "Ping Me" link, you only see the href URL, you don't see the ping URL, so you don't even know that the attribute exists unless you look at the HTML page source. When you click the link, it loads the page as expected. But it also sends an HTTP POST request to without any visible indication to the user. You can only see it if you do a packet trace. It should come as no surprise that the primary usage of hyperlink auditing is for tracking of link clicks.
Firefox disables hyperlink auditing by default, as explained in a knowledge base article. You can see this if you open about:config and look at browser:send_pings. However, Safari and Google Chrome both enable hyperlink auditing by default. In Google Chrome, hyperlink auditing can be disabled by opening chrome://flags#disable-hyperlink-auditing and setting the flag to Disabled. (Update: This flag is getting removed from Chrome! See the update at the end of the article.)
Unfortunately, this no longer works in Safari 12.1. I actually discovered the issue in Safari Technology Preview 72, and I filed a Radar on January 2, 2019 as rdar://problem/47000341. Despite several months notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists. To end this article, I'll quote the full text of the Radar that I filed:
I've been informed that chrome://flags#disable-hyperlink-auditing is now missing from the Google Chrome betas, even though it still exists in the current non-beta version. The flag was removed from the source code a little over a month ago.
Element/a#attr-pingSupport in all current engines.Firefox? YesSafari6+Chrome12+Opera?Edge79+Edge (Legacy)17+Internet ExplorerNoFirefox Android?Safari iOS?Chrome Android?WebView Android37+Samsung Internet?Opera Android?The ping attribute, if present, gives the URLs of the resources that are interested in being notified if the user follows the hyperlink. The value must be a set of space-separated tokens, each of which must be a valid non-empty URL whose scheme is an HTTP(S) scheme. The value is used by the user agent for hyperlink auditing. 350c69d7ab