How is Facebook tracking our (outgoing) URLs?


Mattias Geniar, March 30, 2011


Perhaps I’m one of the few, but I always check the location URL that shows up in the status bar when you hover over a link, just to avoid people showing a link to “site.be” which would in fact direct you to “random.be”. By doing so, you’ll learn a lot about who’s tracking your clicks, etc.

But not everyone makes it so easy to decipher, and that includes our beloved Facebook. Take the screenshot below, for example. I hover over the “F.lux” URL, and the status bar shows that I would be redirected to the URL I was expecting.

However, that’s not what happens when you click on it. In fact, you get redirected to the following URL:

http://www.facebook.com/l.php?u=http%3A%2F%2Fstereopsis.com%2Fflux%2F&h=833ba

By simply decoding the URL-encoded characters, it’s obvious what the real link is:

http://www.facebook.com/l.php?u=http://stereopsis.com/flux/&h=833ba

So then, Mr. Zuckerberg, how are you tracking us? My best guess would have been JavaScript events that are added on all “<a>” elements on the page and that are fired upon mouse click. That keeps the source code intact (since they fire client-side), and makes it a lot harder to track it. (At least, that’s how I attempted to do it with my Firefox extension.)

Here’s what such a URL actually looks like.

<a href="http://stereopsis.com/flux/" target="_blank" rel="nofollow" onmousedown="UntrustedLink.bootstrap($(this), &quot;833ba&quot;, event, bagof(null));">F.lux</a>

So they’re dealing with it using onmousedown events, not by adding event handlers on all found URLs. The result remains: the client sees the real URL on mouseover, but the underlying JavaScript deals with the actual tracking. And this still works for people that have JavaScript disabled in the browser.
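As an added example (not part of the original post and not Facebook's code), this JavaScript audits a link for the two signs discussed above: an inline mouse handler on an anchor whose href looks clean, and a redirect URL that wraps the real destination in a query parameter. The function names and the extra parameter names besides `u` are assumptions made for the example.

```javascript
// Constructed samples: the redirect URL and anchor markup quoted in the post.
const SAMPLE_REDIRECT =
  "http://www.facebook.com/l.php?u=http%3A%2F%2Fstereopsis.com%2Fflux%2F&h=833ba";
const SAMPLE_ANCHOR =
  '<a href="http://stereopsis.com/flux/" target="_blank" rel="nofollow" ' +
  'onmousedown="UntrustedLink.bootstrap($(this), &quot;833ba&quot;, event, bagof(null));">';

// Query parameters that may carry the wrapped destination.
// "u" is the one seen in the l.php URL; "url" and "target" are assumptions.
const DEST_PARAMS = ["u", "url", "target"];

// Return { redirector, destination } for a redirect-style URL, or null.
function unwrapRedirect(href) {
  let parsed;
  try {
    parsed = new URL(href);
  } catch {
    return null; // relative or malformed URL: nothing to unwrap
  }
  for (const name of DEST_PARAMS) {
    const value = parsed.searchParams.get(name); // already percent-decoded
    if (value && /^https?:\/\//i.test(value)) {
      return { redirector: parsed.origin + parsed.pathname, destination: value };
    }
  }
  return null;
}

// Inspect one opening <a ...> tag, given as a string.
function auditAnchor(tag) {
  const attrs = {};
  // name="value" or name='value'; enough for an audit, not a full HTML parser.
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  }
  const handlers = Object.keys(attrs).filter((n) =>
    /^on(mousedown|mouseup|click)$/.test(n)
  );
  return {
    shownHref: attrs.href ?? null, // what the status bar shows on hover
    handlers, // inline handlers that run before navigation
    hasClickTimeHandler: handlers.length > 0,
    wrapped: attrs.href ? unwrapRedirect(attrs.href) : null,
  };
}
```

An anchor that reports `hasClickTimeHandler: true` with `wrapped: null` is the case described here: the visible href is the real destination, and the handler is the only hint that something else happens on click.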

I’m not sure how long this has been happening, but I’ve only just recently noticed it. Probably because the redirect-page took slightly longer to load, and thus showed the actual URL in the browser.

All things considered, it’s a good way to hide your tracking. I’m worried whenever I see a link that differs from what I mouseover, and I feel more “at ease” (no matter how much trickery is still at play) when I see that they match as I would have expected.