Privacy

Newer versions of Chrome, Safari, and Opera will no longer allow you to disable hyperlink auditing, which is a concern for those seeking maximum privacy. While some of these browsers previously allowed you to disable this feature, newer versions are going in the opposite direction.

Hyperlink auditing is an HTML standard that can be used to track clicks on web site links. This is done by creating special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page, which can then examine the request headers to see what page the click came from.

To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable as shown below. 

Ping HTML Link
Ping HTML Link

This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL of https://www.bleepingcomputer.com/pong.php, so users will not even realize this is happening unless they examine the sites source code.

Hover shows link URL, but not ping back URL
Hover shows link URL, but not ping back URL

When a user clicks on the above link, the browser will first send a POST request back to the ping URL https://www.bleepingcomputer.com/pong.php as shown below. It will then open the www.google.com page.  This means that every time a user clicks on a hyperlink audited link, the browser will make two requests instead of one.

Example Ping POST Request
Example Ping POST Request

Scripts that receive the ping POST request, can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to. The headers associated with the information sent in the ping request are shown below.

    [HTTP_PING_FROM] => https://www.bleepingcomputer.com/ping.html
    [HTTP_PING_TO] => https://www.google.com/
    [CONTENT_TYPE] => text/ping

As you can see, using Hyperlink Auditing developers can track link clicks from any web property that they have access to.

Most browsers will not let you disable in the future

With privacy and online tracking being such a large problem and major concern for many users, you would think that browser developers would give you the option to disable anything that could affect your privacy.

Unfortunately, this seems to be going in the reverse direction when it comes to hyperlink auditing.

According to developer Jeff Johnson, Safari enabled hyperlink auditing by default, but allowed you to disable it by using the following hidden preference.

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Johnson has stated that this flag no longer works with Safari 12.1.

"Unfortunately, this no longer works in Safari 12.1. I actually discovered the issue in Safari Technology Preview 72, and I filed a Radar on January 2, 2019 as rdar://problem/47000341," Johnson stated in a blog post. "Despite several months notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists. To end this article, I'll quote the full text of the Radar that I filed:"

Google Chrome also enables this tracking feature by default, but in the current Chrome 73 version it includes a "Hyperlink auditing" flag that can be used to disable it from the chrome://flags URL.

Chrome 73 Hyperlink Auditing Flag
Chrome 73 Hyperlink Auditing Flag

In the Chrome 74 Beta and Chrome 75 Canary builds, though, this flag has been removed and there is no way to disable hyperlink auditing.

No Hyperlink auditing flag in Chrome 74
No Hyperlink auditing flag in Chrome 74

The current version of Microsoft Edge also enables hyperlink auditing by default and provides no way to disable it that I could find. I also took a look at the upcoming Microsoft Edge Insider build and as it's based on Chromium 75, there is no way to disable hyperlink auditing on that browser either.

Like Edge, Opera is also based on Chromium, and the Opera 61 Developer build removes the option to disable hyperlink auditing as well.

Finally, I also tested it the mobile versions of Chrome and Safari and its enabled by default with no way of disabling it.

What this means is that starting next month when Chrome 74 is released to the stable branch, the Edge, Chrome, Opera, and Safari browsers will no longer offer a way of disabling this tracking feature and privacy risk.

Firefox and Brave win the award

Of all the browsers I tested, only Brave and Firefox currently disable it by default and do not appear to have any plans on enabling it in the future.

Firefox 66, Firefox Beta 67, and Firefox Nightly 68 disable Hyperlink auditing by default and allow users to enable it using the browser.send_pings about:config setting.

Firefox 66 Setting
Firefox 66 Setting

The privacy focused Brave Browser also disables it by default and does not allow you to enable it at all. It does have a display bug in the brave://flags that show that Hyperlink auditing is enabled, but this is a carryover from Chrome and is not displayed correctly.

Going forward, if privacy is important to you and you want to reduce the risk of being tracked online, then you will need to use Firefox or Brave.

More commonly used than originally thought

When we first published the article, some of the comments were that this feature is not used that often compared to other tracking methods such as JS and redirects.

It turns out that Google uses hyperlink auditing in their search result pages. Every time you click on a search result link, your browser will also send HTTPS POST request back to a Google url in order to track the click.

Hyperlink auditing being used in Google
Hyperlink auditing being used in Google

Update 4/7/19: Cleaned up the confusing first paragraph.
Update 4/8/19: Added information about Google SERPs using hyperlink auditing.

Related Articles:

Opera sees big jump in EU users on iOS, Android after DMA update

Google Chrome gets real-time phishing protection later this month

Brave: Sharp increase in installs after iOS DMA update in EU

Check if you're in Google Chrome's third-party cookie phaseout test

Google fixes Chrome zero-days exploited at Pwn2Own 2024