I have a Gmail account, but I always access it in Mail app, never in webmail, so I wasn't aware of some Google mischief until recently. I had previously written about how Google Search hijacks your link clicks and replaces the apparent URL with a tracking URL. It turns out that Gmail also does something similar.
One of the ways that StopTheMadness protects your privacy is by trimming tracking tags such as
utm_source from the end of the URL of a clicked link. A customer contacted me to report that this feature wasn't working in Gmail, and after some investigation I was able to reproduce the problem. I discovered that StopTheMadness did in fact successfully trim the tracking tags from the link URL, but the URL that gets loaded when you click isn't the URL that you clicked!
A clickable link on the web is an "anchor" element, represented by something like
<a href="https://example.org/?utm_source=tracker">Click Me</a> in HTML. The
href attribute of the anchor contains the URL. Under normal circumstances, the
href URL is what gets loaded when you click a link. In this example, StopTheMadness would remove
?utm_source=tracker from the
href when you click the link, before the URL gets loaded. However, Gmail uses another attribute of the anchor, called
data-saferedirecturl, to hide the original tracking URL, then hijacks the link
data-saferedirecturl URL in a new tab. Sneaky! (The "safe" part of the attribute name must be ironic.) If you just clicked a link in Gmail without ⌘-clicking the link, then this technique would bypass the privacy protection feature of StopTheMadness.
The good news is that you've always been protected if you ⌘-clicked links in Gmail, because StopTheMadness ⌘-click protection prevents the
click event from getting hijacked. The bad news is… there is no bad news, because StopTheMadness version 14.0, now available in the Mac App Store, has a fix for this form of Google madness. When you click a link, the
data-saferedirecturl attribute will automatically get removed from the anchor, so Gmail can't swap the tracking URL for the non-tracking URL.
You can rest easy now, because Gmail is safe again! Well, except for the thing where Google scans the contents of all your email and harvests information for advertising purposes. But other than that.