DEV Community

loading...
Cover image for How Google tracks with the ping-attribute

How Google tracks with the ping-attribute

madsstoumann profile image Mads Stoumann ・3 min read

Have you heard about the ping-attribute?
It's an attribute on the <a>nchor-tag, that most people haven't heard about.

Websites can use the ping-attribute to track clicks on hyperlinks.

You provide a space-separated list of URI's:

<a ping="/relativeuri https://not-so-relative-uri.com">
Enter fullscreen mode Exit fullscreen mode

Each URI will receive a POST with the request payload 'PING'.

Google use this feature on their search-result-page.

Here's an example if you search for "ping attribute":

<a href="https://www.w3schools.com/tags/att_a_ping.asp" ping="/url?sa=t&amp;source=web&amp;rct=j&amp;url=https://www.w3schools.com/tags/att_a_ping.asp&amp;ved=2ahUKEwixrcD5g93mAhUqy8QBHRrVAN0QFjACegQIBBAB">...</a>
Enter fullscreen mode Exit fullscreen mode

As a user, you will only see the content of the href-attribute when you hover the link. You will not see the list of URI's in the ping-attribute, that will be POST'ed if you follow the link.

This is against the official recommendation:

When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URLs.


Google will 'PING', even if you don't allow cookies. You can check it by following these steps:

  1. Open an incognito window, and search for "ping attribute".
  2. Inspect the markup and delete the Google popup, asking you to accept cookies.
  3. Go to the Network-tab of Chrome DevTools and enable "Preserve Log".
  4. Clear the current network-traffic.
  5. Click on the first link (in my case, it's a w3schools-link).
  6. Check the network-traffic. The first couple of entries are from the previous page (the Google result).

One of them has a 'PING' payload.

If you study that request you'll see, that Google will have more than enough info about your browser and where you're browsing to, even though you never accepted cookies or any other tracking-agreement.

If you do the same in Firefox, the result will not have ping-attributes, as Firefox currently is the only browser that disables the ping-attribute by default. That's why Google Search use a JavaScript event handler in Firefox.

It's not possible to disable it in Safari.

And in Chrome, the setting:

chrome://flags#disable-hyperlink-auditing
Enter fullscreen mode Exit fullscreen mode

— has been removed. Even if you enable "Do Not Track*)", the ping URI's are still POST'ed.


If you chose to disable JavaScript altogether, Google use redirects instead of direct links:

<a href="/url?q=https://www.w3schools.com/tags/att_a_ping.asp" ... >
Enter fullscreen mode Exit fullscreen mode

If you inspect the Network traffic once again, you'll see that when you land on the w3schools-page, it'a after a HTTP 302: Redirect.


In these days of GDPR, it's surprising to see tracking-mechanisms that cannot be disabled or bypassed by the user.

*) Do Not Track

"Do Not Track" (DNT) was a proposed HTTP header field, designed to allow internet users to opt-out of tracking by a website. It's still a setting (typically hidden away under "Advanced") in most browsers, but — alas — it doesn't have any effect, and DNT has been cancelled, which is a pity.

Thanks for reading!

Discussion (5)

Collapse
schalkneethling profile image
Schalk Neethling

Interestingly, I think Google might have turned this off as well now. See github.com/mdn/browser-compat-data...

Collapse
madsstoumann profile image
Mads Stoumann Author • Edited

I just tested in the latest versions of Chrome and Canary (MacOS) – they both have the ping-attribute, when performing and inspecting the markup for a Google Search. I then clicked preserve log to test the ping – and it's still being transmitted: ping

Collapse
schalkneethling profile image
Schalk Neethling

Tried it again with a different profile in Chrome and it works. 🤷‍♂️ I have no idea what is different between the profiles also, I surely have a different profile in Canary?

I thought it might be Privacy Badger, but nope. Bizare. Alas, I believe the conclusion is that it does work by default in Chrome.

Thread Thread
madsstoumann profile image
Mads Stoumann Author

Yes, at least for now. One could hope that Chrome would either remove it, or at least notify the user, as the specs states.

Collapse
schalkneethling profile image
Schalk Neethling

Huh, how strange. I wonder if it is the way I am testing it with this sample app:
github.com/schalkneethling/using-p...

and specifically:
github.com/schalkneethling/using-p...

Tested with Chrome 90.0.4430.85 (Official Build) (x86_64) as well as Canary (~92). Works out of the box with Safari and Edge as well as with Firefox if I toggle the flag.

Forem Open with the Forem app