I didn’t know this was a thing until Stefan Judis’s post:
<a href="https://www.stefanjudis.com/popular-posts/" ping="https://www.stefanjudis.com/tracking/">Read popular posts</a>
You give an anchor link a URL via a
ping attribute, and the browser will hit that URL with a web request (a literal PING) when clicked. The headers have a
ping-to key with the
href value of the link.
Why? Data. Wouldn’t it be nice to know what off-site links people are clicking on your website?
Even if you have Google Analytics installed, you don’t get that data by default. You’d have to write something custom or use something like their autotrack plugin with the
outboundLinkTracker. Whatever you do, it is non-trivial, as in order to work, it has to:
- Prevent the default action of the link (going to the website)
- Track the event (send a ping somewhere)
- Then tell the browser to actually go to the website (window.location = …)
Presumably, with the
Why not use Google Tag Manager and creat an event that fires on all URLs that contain a domain that excludes that of the website.
It seems that
autotrackis not being maintained anymore. Plus, gtag.js has been available for some time and google recommends that we use it instead of analytics.js. Couldn’t gtag.js automatic things for us?
Google use the ping-attribute in their search-results, if you’re not using Firefox. I wrote about it earlier this year: https://dev.to/madsstoumann/google-tracking-and-the-ping-attribute-41d5
GDPR is about tracking/personal data in general, not only for cookies — so I wonder if ping-based tracking is legal, if you use it without informing the end-user?
I don’t know that pinging something is automatically tracking personal data. It would be if you, for example, if a user was logged in and you sent along their name and email address as query parameters. Not a lawyer though.
I’m not a lawyer either :-) But it can track user-behaviour, and maybe that’s the reason for disabling it in Firefox? Also, no browsers supporting the ping-attribute lives up to this:
“When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URLs.”
The ping attribute is also a massive security hole. There’s no limitation to the number of URLs it can ping, the URLs are not limited to the same domain as the originating click, and it’s not exposed to the end user without the active use of dev tools.
This feature was removed from the HTML5 specification in 2010 because of its potential for malicious exploitation. Google is just lucky that so far it hasn’t been the source of a huge data breach.
Actually, let me correct myself: it has been used maliciously. https://www.imperva.com/blog/the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack/