
Safari link tracking can no longer be disabled

April 3 2019 by Jeff Johnson
To support this blog please buy my apps StopTheMadness and Underpass

HTML5 added a "feature" to the web called hyperlink auditing. You can read the specification from the Web Hypertext Application Technology Working Group (WHATWG). Hyperlink auditing is added to a web page via the ping attribute on an HTML anchor element (<a>), i.e., a link. Here's an example, followed by the HTML code for a simple test page that implements it:

Ping Me

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Ping Test</title>
</head>
<body>
<p>
<a href="http://lapcatsoftware.com/" ping="http://underpassapp.com/">Ping Me</a>
</p>
</body>
</html>

Notice that when you hover over the "Ping Me" link, you only see the href URL, not the ping URL, so you don't even know that the attribute exists unless you look at the HTML page source. When you click the link, it loads the page http://lapcatsoftware.com/ as expected. But it also sends an HTTP POST request to http://underpassapp.com/ without any visible indication to the user. You can only see it if you do a packet trace. It should come as no surprise that the primary usage of hyperlink auditing is for tracking of link clicks.
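Since the ping URL is only visible in the page source, that inspection can be automated. The following scanner is an added example, not code from the original article: it lists every ping URL on <a> and <area> elements and marks those that go to a different origin than the link destination. The names find_pings and PingAuditor, the page URL http://example.test/ping.html and the second and third sample links are made up for the example, and relative URLs are resolved against the page URL with any <base> element ignored.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: the article's test link plus two made-up links.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en"><body>
<p><a href="http://lapcatsoftware.com/" ping="http://underpassapp.com/">Ping Me</a></p>
<p><a href="/about" ping="/log  http://underpassapp.com/t">Two pings</a></p>
<p><a href="http://lapcatsoftware.com/articles/">No ping</a></p>
</body></html>"""


def origin(url):
    """(scheme, host, port) tuple used to compare two URLs by origin."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


class PingAuditor(HTMLParser):
    """Collect every <a>/<area> element that carries a non-empty ping attribute."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag not in ("a", "area") or not attr.get("ping"):
            return
        # Assumption: relative URLs resolve against the page URL; <base> is ignored.
        href = urljoin(self.page_url, attr.get("href") or "")
        # The ping value is a whitespace-separated list of URLs.
        for raw in attr["ping"].split():
            target = urljoin(self.page_url, raw)
            self.findings.append({
                "line": self.getpos()[0], "href": href, "ping": target,
                # True when the ping leaves the origin of the link destination.
                "cross_origin": origin(target) != origin(href),
            })


def find_pings(html, page_url):
    auditor = PingAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    print(*find_pings(SAMPLE_HTML, "http://example.test/ping.html"), sep="\n")
```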

Firefox disables hyperlink auditing by default, as explained in a knowledge base article. You can see this if you open about:config and look at browser.send_pings. However, Safari and Google Chrome both enable hyperlink auditing by default. In Google Chrome, hyperlink auditing can be disabled by opening chrome://flags#disable-hyperlink-auditing and setting the flag to Disabled. (Update: This flag is getting removed from Chrome! See the update at the end of the article.)

Prior to Safari 12.1, you could disable hyperlink auditing with a hidden preference:

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Unfortunately, this no longer works in Safari 12.1. I actually discovered the issue in Safari Technology Preview 72, and I filed a Radar on January 2, 2019 as rdar://problem/47000341. Despite several months' notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists. To end this article, I'll quote the full text of the Radar that I filed:

Summary:
You can disable anchor ping, AKA hyperlink auditing, in Safari Version 12.0.2 (13606.3.4.1.4) with a Terminal command:
$ defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false
However, this doesn't work with com.apple.SafariTechnologyPreview. Neither does WebKitPreferences.hyperlinkAuditingEnabled instead of com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled. It seems that -[WebKitPreferencesManager _migrateWKViewContentPageGroupPreferencesIfNecessary]: in Safari.framework has no reference at all to hyperlinkAuditing.

Steps to Reproduce:
1. $ defaults write com.apple.SafariTechnologyPreview com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false
2. Open the attached ping.html in Safari Technology Preview.
3. Click the Ping link. (This is simply <a href="http://lapcatsoftware.com/" ping="http://underpassapp.com/">Ping</a>)

Expected Results:
There should be no connection to http://underpassapp.com/

Actual Results:
There is an HTTP POST to http://underpassapp.com/

Version/Build:
Safari Technology Preview Release 72 (Safari 12.1, WebKit 13607.1.17.1)

Update on Google Chrome, April 5 2019

I've been informed that chrome://flags#disable-hyperlink-auditing is now missing from the Google Chrome betas, even though it still exists in the current non-beta version. The flag was removed from the source code a little over a month ago.
