Have a look at this URL linking to this post:
Notice any tracking variables? Me neither! But check out the HTTP request and response in the network inspector of your browser — it is redirecting to the “same” URL:
The idea is to use zero-width and space characters of Unicode such as U+200B, U+200C, U+200D, which are invisible both in the browser address field and on the page or in the HTML source.
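A defender-side check for the trick described above, as an added example that is not part of the original post: it flags and strips zero-width characters from a URL, whether they appear raw or percent-encoded. The function names and sample URL are constructed for illustration, and U+2060 and U+FEFF are added to the post's three code points as an assumption.

```javascript
// Added example, not code from the original post.
// U+200B, U+200C, U+200D come from the post; U+2060 and U+FEFF are
// further zero-width code points added here as an assumption.
const ZERO_WIDTH = ['\u200B', '\u200C', '\u200D', '\u2060', '\uFEFF'];

// Turn percent-encoded forms (e.g. "%E2%80%8B") back into the literal
// character so raw and escaped variants are handled alike. Other escapes
// such as "%20" are left untouched.
function unescapeZeroWidth(url) {
  let out = url;
  for (const ch of ZERO_WIDTH) {
    const escaped = encodeURIComponent(ch);
    out = out.replace(new RegExp(escaped, 'gi'), ch);
  }
  return out;
}

// Report the hidden characters in order, a cleaned URL, and how many bits
// the observed sequence can carry: n symbols drawn from m distinct ones
// give m^n combinations, i.e. n * log2(m) bits.
function inspectUrl(url) {
  const hidden = [];
  let clean = '';
  for (const ch of unescapeZeroWidth(url)) {
    if (ZERO_WIDTH.includes(ch)) {
      const hex = ch.codePointAt(0).toString(16).toUpperCase();
      hidden.push('U+' + hex.padStart(4, '0'));
    } else {
      clean += ch;
    }
  }
  const distinct = new Set(hidden).size;
  const bits = distinct > 1 ? hidden.length * Math.log2(distinct) : 0;
  return { suspicious: hidden.length > 0, hidden, clean, bits };
}

// Constructed sample: a link that looks like ".../post/" but carries
// four invisible characters after the path.
const SAMPLE = 'https://example.com/post/\u200B\u200C\u200C\u200B';
console.log(inspectUrl(SAMPLE));
```

Running the same check on a link before it is shared, logged or followed shows whether the visible URL and the transmitted URL differ.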
This is a Unicode code point that’s supported in many more encodings than just UTF-8.
Thanks for pointing that out! I fixed it in the article.
Could someone explain to me how it is useful?
This can replace query variables (such as utm_source) for click tracking purposes — everything from affiliate links to advertising campaigns.
But are there enough empty chars to identify each user? And what about copy+pasted links?
They’re invisible so you can use as many as you like (within the limit defined by the max URL length which is huge).
Well as long as there are two, you can just use combinations of N characters and get 2^N possible unique identifiers for your users.
More generally, if there are m empty characters, you can use n of them and have m^n unique combinations.
Right click on the link and “Copy Link Address” (Chrome). Then paste it back into the address bar and you’ll see the hidden characters.
As Andrew pointed out, we can do the same with Safari. But interesting thing :)
GET request character limit is around 2000 characters. If you have 3 invisible characters and you generally have max 200 characters for your site. That is, there are 3^1800 = 6.6 x 10^858 combinations roughly.
Safari shows the extra characters url escaped:
The linked page about the characters explains
“Do not use this character in domain names. Browsers are blacklisting it because of the potential for phishing.”
I don’t know if this’ll apply to the query parameters at the end, but might not be a great idea to jump on this discovery just yet.
A basic Firefox extension for prevention: https://addons.mozilla.org/en-US/firefox/addon/url-watcher/ Feel free to improve it on GitHub.