One reason many of us insist on using free software is its relative lack of
surprises. Free programs rarely contain features which cause them to
behave in a way which is contrary to the interests of their users. Unlike
many proprietary programs, free applications tend not to phone home without
permission, unnecessarily restrict what their users can do, or perform
unexpected operations behind users' backs. As Lauren Weinstein recently
, however, the Firefox browser
can be made to behave in a way which is surprising indeed - and Google, in
the name of faster browsing, is taking advantage of that behavior.
In particular, Firefox will, at times, "prefetch" the contents of a web
page which it thinks you might want to see soon. If a page is marked as
being the "next" page in a series, Firefox, by default, will prefetch that
page's contents. (And, yes, for those who have asked for "next" tags for
the LWN Weekly Edition, it will happen when we get a chance). When the
user hits the link for the next page, it will already be resident in the
Firefox cache, and will display more quickly.
The interesting thing is that Firefox can be told explicitly to prefetch
pages; all it takes is a tag like:
<link rel="prefetch" href="URL">
Google will, if it decides that you should be feeling lucky, add such a tag
to the first in a series of search results, causing that first result to be
in the browser even though the person ostensibly in control of the browser
never decides to visit the site. An easy experiment will verify this
behavior: turn on cookie notifications, then search for a term with a
relatively obvious top result - Lauren used "soundbite." The result will
be a screen somewhat like that shown on the right: the soundbite.com web
server is attempting to set cookies, even though your editor never clicked on a link
which would lead to that site.
Prefetching in this way can lead to a number of undesirable consequences:
unwanted cookies, bandwidth use, etc. More seriously, it could lead to
accesses to truly unwanted sites: stumbling into non-work-safe sites is
already too easy, without one's browser deciding to fetch additional pages
from arbitrary servers with no user participation. Should an unpleasant
Firefox security hole be discovered, prefetching could, for the right sort
of vulnerability, be exploited to compromise systems. That would be
an unwelcome sort of surprise.
Google's use of prefetching in this way is unfortunate; it seems certain to
lead to trouble for somebody, somewhere down the line. The real problem,
however, is with Firefox, which is shipped with prefetching turned on.
There is no indication, anywhere in the preference screens, that an option
controlling prefetching even exists. Anybody wanting to disable
prefetching will have to edit their prefs.js file, or tweak the
network.prefetch-next option on the about:config screen.
Turning off prefetch in this way will slow down some page loads, but, for
many users, the extra delay will be worth it.
[As a postscript, your editor can't help but poke at a bit of poor user
interface design in Firefox. An attempt to pull up a long page yielded this dialog, asking: "A script on this page is
causing mozilla to run slowly... Do you want to abort the script?" The two
buttons are marked "Cancel" and "OK". It is nice that Firefox does not
entirely lose control in such situations. But does "Cancel" kill the
script, or let it run?]
to post comments)