
link rel="prefetch" - nasty, nasty? - Tichy
http://developer.mozilla.org/en/docs/Link_prefetching_FAQ
======
amalcon
Yeah, I'd noticed this a while ago. It's actually pretty nice if you've told
Firefox to ask you about cookies first. I find that if the top site in the
search results tries to set a cookie, it's often also one of those times that
it's worth skipping to the second.

What's interesting about this is that it won't so much help spy on you (it
won't), as tell people how effective their search engine optimization is
(prefetch requests where referrer=Google mean you hit the top on something). I
would expect it would make it slightly _harder_ (one more hoop) to spy on you,
because getting the cookie does not necessarily imply that you clicked the
link.

------
gojomo
Within a single administrative domain, this wouldn't be a problem. The target
already knows you visited the origin page, and exact contents of the origin
page. The only information leaked is that the user has 'prefetch' on.

In Google search results, this is problematic. It reveals your search terms
and IP address to a third party you've never decided to visit. It's
essentially equivalent to a 1-pixel 'web bug' sharing your Google search visit
info with the first result site.

------
Tichy
Just discovered this by accident when I cleared my cookie cache, went to
Google and found a non-Google cookie on my computer. How did it get there?
Google had inserted a link="prefetch" for the top search result (or presumably
that cost some money).

I am a bit shocked - yet another way to spy and be spied upon :-(

~~~
axod
Or another way for sensationalists to moan about being spied upon?

Seriously... They already know you searched for "X". What difference does it
make if they load some stuff in your browser cache. What extra information
does that give them? How is this spying?

~~~
Tichy
I know in the big scheme of things it is not a biggie, it just frustrates me
that it is yet another thing to watch out for (and coming from the "good guys"
a ka open source Mozilla). There are too many already - Flash cookies,
Javascript includes etc.

I just happened to test the cookei thing - my Sage news reader also installs
several cookies immediately, even though I have told it to not automatically
update the feeds. I am guessing it comes from the favicons?

Anyway, I am planning to create a collection of all of this.

~~~
axod
'installs several cookies'

eugh please

~~~
Tichy
what does "eugh" mean?

Sorry if my language was not precise enough. What I meant is that several
cookies get set via the Sage reader. Better now?

~~~
axod
Thanks. Cookies get set. They're data the server asks the client to remember
for it. The word 'install' suggests something much more.

~~~
Tichy
Well they feel a little bit like hooks the server sinks into the client, but
yeah ;-)

------
axod
Nothing major here, you can already do this with a hidden iframe if you like.

~~~
BrandonM
Except that this makes it voluntary for the user. Many people still pay for
bandwidth, and they would be able to turn off prefetching in order to minimize
usage. By using iframes or AJAX to prefetch, you may be costing the user money
that he doesn't want to spend.

