Hussein, your channel should have 340k subscribers, honestly the highlight of my day whenever I see a new video added by you. As always, thank you for the great context!

from chrome docs Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request.

That thumbnail... 😄 Perfect. Great job on the video, Hussein. I really don't understand why your channel doesn't have ten times the audience. Keep up the fantastic work; we'll keep learning and sharing!

Really awesome stuff Hussein! Like you said I think this is useful for some cases, but really concerning. Also those use-cases can be implemented without the ping attribute, so in my opinion all browsers should disable this.

Wow, never heard of this before, thank you!

I really can't explain how grateful to you. Really thank you for your work.

I have something to add to the Firefox bit. At 10:30 you say "They don't lie, they actually show you that it's a google URL". They actually do "lie" in a very sneaky way :D - The original href when the page loads IS the actual URL you're supposed to be redirected to (linkedin.com/hsnaser in that case). If you just hover on a link without clicking it, that's what you'll see at the bottom of the screen, or if you inspect the HTML without doing a right click directly on the link. I suspect it's this `onmousedown` attribute you glossed over quickly, which triggers some JS function which replaces the href to the google's url when you press down the mouse button, and when you release it that's when you actually navigate, to the freshly replaced google.com/?... href value. Really sneaky. Great video otherwise thanks! I didn't know about this ping attribute :D

Thank you so much for this informational video. Even though its scary, I feel a lil bit secure in terms of cookies, I always set them up to Lax or Strict.

Wow didn't knew that it exists, that's why always waiting for your videos, thank you

Thank you for sharing this. I am very disturbed that I only knew about this now. _Perhaps the sneakiness is intentional..._ 🤔 👀

It is a POST request, but as you mentioned with no body, so I do not see any actual difference in functionality from a GET request except semantics. Since tracking IS storing information it should be a post request to signal that. The only problem with that is the DDOS attacks that could be orchestrated (but I guess its not that hard to firewall ping requests originating from places you do not want. I wonder how this "circumvents" the no-cookies GDPR clause.

About this feature being a security risk, I don't see how because it can't share the main page's cookies so it's not vunerable to CSRF nor can it execute scripts so it's not XSS vunerable.

I will never stop watching if you upload these type of videos

Nice content, keep it rolling

Thanks, Hussein. Useful lesson.

Thank you so much for all your videos. Please don't stop making these tutorials. Can you please make some .net related videos?

Thanks man for this amazing video. 👏👏

so, I guess that in case you own a server and you want to stop malicious activity, couldn't you discard requests that come with 'text/ping' content type?

Great video. Keep it going!

Good job Hussein 👍🏾

I had no idea this existed. Thanks as always Hussein. Do you have any videos on Elastic Search?

Thanks you for the info.... wasn't aware of it.

I was thinking if a website doesnt uses SSL(say abc) , you can just post a link

Very interesting , can I use this for sending email , instead of making new thread to send email , because it runs asynchronously ?

Great video nasseir. I don't think it will be a security threat as if you mention other domain url the cookies won't be passed because of Same origin policy. It could be dangerous when a hacker can inject links in the content using html Injection vulnerabilities where in that case hacker can point the ping url to same site to some sensitive endpoint like delete account, change status etc., etc.,

Never knew this exist. Thank u

Odd, I enable send_pings in Firefox Nightly, and also disabled the enhanced protection, still, Google doesn't add the ping attribute, I think It's playing safe :D.

Fantastic !! I am thinking how I can use this exploiting CSRF vulnerability.

Thanks, you make good content :)

Thx bubby 😁😁😁

Oh boy so thats y Firefox is a bit slower

Would've been cool if you also tried duckduckgo

that was awesome

Don't worry, banks use CSRF token, or at least you shall change of banks if they doesn't support basic security 😜

Ping don't work in Microsoft edge. I think that's safe

Thank you.

Intersting