I considered this a problem from the first day prefetch showed up. Then there's the secondary (but very real) distortion of server log information.

For reference:

[developer.mozilla.org...]

I'd never given this a lot of thought, which is why I looked into it. Out of curiosity, if your AVG is up to date and doing it's job, wouldn't this offer some form of protection against this?

If you want to stop Firefox from prefetching web pages on your website, add the following to your .htaccess file:

RewriteCond %{X-moz} ^prefetch [NC]
RewriteRule (.*) - [F,L]

I recently caught a virus on its first day in the wild - my AV had not yet added the exploit's signature, and the website that served it up was owned by a high profile company, but the site had just been hacked that day.

Prefetch is more and more a liability, IMO - especially the way malware is proliferating and become quite devious today.

Prefetch is more and more a liability, IMO - especially the way malware is proliferating and become quite devious today.

Agreed!

I've disabled prefetching on all my profiles. To disable prefetching add the following to your prefs.js:

user_pref("network.prefetch-next", false);

I think the Firefox developers are so enamored with their prefetch idea that they are not willing to see just how big of a security issue it could pose.

Or, found it yesterday but can't find the link today:

- New tab, type about:config

- If you get the warranty void warning, click "ok I'll be careful"

- in the Filter field, enter network.prefetch-next

- If set to false, you're good, otherwise double-click the config line which will set it to false.

The more I think about this, the more I wonder W** they were thinking. "Internet Destroyer Emulation mode?"

prefetch sounds like a good idea initially, but is really really a bad idea in the real world.

what if they set it not to prefetch any scripts?

Rocknbil,
Thanks for the shortcut. When I went in to about:config, I searched for the term "prefetch". The first one to come up was network.prefetch-next, but I also found these:

stumble.2893641.prefetch;true
stumble.2893641.prefetcher_fetch_depth_in_topic;3
stumble.2893641.prefetcher_pass_1_timeout_ms;10000
stumble.2893641.prefetcher_pass_2_timeout_ms;30000
stumble.2893641.prefetcher_pass_3_timeout_ms;120000
stumble.2893641.prefetcher_pass_max;3
stumble.2893641.prefetcher_skip_resources;false
stumble.log_prefetch_progress;false

I am assuming these came from my stumbleupon toolbar.

Could these be a problem as well?

rocknbil;

Thanks for the step by step instructions.

Much appreciated!

Firstly, they never should have set this to be on by default. This is the kind of BS that will turn people off from Firefox.
Secondly, the on/off option for this should be easy to set, e.g. a check box on the main Options page.

Physics, I agree that it should be off by default, but putting it on the options page would probably not help the average Joe.

I had never heard of prefetch before this thread, so I can imagine that most everyday people would not have a clue as to what it does.

There is a **small** saving grace to this, at least, I hope.

When I've accidentally tripped on malicious sites, my AVG goes off like a ten alarm fire. Hopefully, a prefetched malicious site would do the same thing. Still, why pull the wildcat's tail . . .

I have to agree with Physics, if Firefox is going to have prefetch, it REALLY needs needs to be a check box setting in the options panel.

Could these be a problem as well? stumble settings in config

I missed this on page 1, I don't know. A good way to find out might be to run HTTP Live Headers while you visit stumble upon.

I didn't realize FF prefetched by default, thanks for the heads up, just disabled it.

As far as downloading malware goes, there is a big difference between downloading code and executing it. Until it's executed it's not a threat.

I suppose it's possible that FF left some kind of hole in their prefetcher that would allow an app to run itself... but the chances are remote, that's the kind of mistake even IE would be unlikely to make.

Better safe than sorry. Thanks for telling how to fix this...never realized FF did this. The pre-fetch might also explain a couple of pesky things that my anti-virus has been catching recently.

Prefetch is NOT a security problem. It simply means that data is buffered into memory in the expectation that it might be wanted sometime soon. In order for there to be a security issue, the data would have to processed, for instance, if it's javascript, it would have to be run, if it's a nasty .gif (or whatever) it would have to pass through a display routine.

Hope that clarifies the issue.

Kaled.

refetch is NOT a security problem. It simply means that data is buffered into memory

Furthermore, it's only used when the web site requests it. For example, in a slide show where the user is highly likely to click one specific link. It's not normally used to fetch a bunch of links that the user may or may not click. Correct?

There are no security problems with pre-fetch as far as I can tell but it could cause some LEGAL problems by pre-fetching links you would never click, perhaps something that violates your internet usage policy for your job.

You land some spam page Google served up as a top 10 result, it's a dicey page with shady links to dubious places, you try to get out as quick as possible but TOO LATE as you've pre-fetched all sorts of things from places you aren't supposed to be going.

Try to explain that you didn't go to that adult site, it was your browser, to your HR dept. and try to keep a straight face.

"This might void your warranty!"

WHAT warranty? What's this about? Firefox comes with a warranty?

RewriteCond %{X-moz} ^prefetch [NC]
RewriteRule (.*) - [F,L]

F always implies L so you only need F.

RewriteCond %{HTTP:X-moz} ^prefetch [NC]
RewriteRule . - [F]

You also don't need to backreference the pattern as you are not reusing it.

Be aware that the above rule, while widely used, doesn't stop requests for the root "/" URL of any site.

That's the problem with developers, they think good design adapts to what a user might do and ignore what the user is doing!

Pre-fetching something also bombed massively with Vista which treats RAM like a RAM drive (they are two totally different things).

Pre-fetching websites is obviously bad for security, but it also skews statistics and wastes resources.

In regards to software pre-fetching it should only be done intelligently. For example many video games have launcher programs associated with them (e.g. World of Warcraft and Oblivion). The OS should see what executable (that has an actual open window) commonly calls another (must be an actual open window and not just a background-process) executable. Then and only then is the correct way to do any kind of pre-fetching. If speed is truly that important to the person using their computer they can spend the extra money to get a faster computer if need be.

- John

I have to agree with Physics, if Firefox is going to have prefetch, it REALLY needs needs to be a check box setting in the options panel.

Yes, and the default setting should be "prefetch off."

"This might void your warranty!"

WHAT warranty? What's this about? Firefox comes with a warranty?

This was simply a "little joke" in the UI -- an amusing (if perhaps ill-advised) way to word a warning that changing Firefox settings using About:config can cause performance, functional, or security problems in Firefox or in the network.

 RewriteCond %{HTTP:X-moz} ^prefetch [NC]
RewriteRule . - [F]

...
Be aware that the above rule, while widely used, doesn't stop requests for the root "/" URL of any site.

The rule can be modified to deny prefetch requests for "/" as well, by changing the rule pattern from "." to "^.*$" or even to just "^".

If a custom 403 error page is used, then it will have to be excluded from the rule to prevent an 'infinite' rewrite/error loop. If not already done "globally" in your config code, this can be accomplished by using a negative-match pattern such as

RewriteRule !^URL-path-to-my-custom-403-error-page\.html$ - [F]

Jim

If speed is truly that important to the person using their computer they can spend the extra money to get a faster computer if need be.

Pre-fetch is about bandwidth speed and internet and server latency issues, it has nothing to do with local computer speed because the fastest computer in the world still can't download a page from the same web server any faster, but can only format it for display faster.

Pre-fetching websites is obviously bad for security

Everyone keeps saying this but nobody can identify a single security issue.

Pre-fetch only downloads a web page in advance, it does not execute the page.

For a security problem to happen the page must be executed, specifically javascript, flash, PDF, etc. and those elements are not downloaded nor activated until that page is physically displayed by action of the user.

Don't get me wrong, I'm not defending the technology as I'm completely against pre-fetch because in theory if everyone was using it, it could overload our networks and servers in relatively short time.

However, that doesn't mean we should be spreading FUD that has no merit about the technology because at the end of the day pre-fetch simply wastes bandwidth and server resources, nothing more.

The browser observes all of these hints and queues up each unique request to be prefetched when the browser is idle. There can be multiple hints per page, as it might make sense to prefetch multiple documents. For example, the next document might contain several large images.

I want to learn more about prefetching. Apparently the source can provide prefetch hints which are typically found in the link rel element.

What are the prefetching hints? - The browser looks for either an HTML link tag or an HTTP Link: header with a relation type of either next or prefetch.

For some reason I just don't feel 100% comfortable with that prefetch mechanism - FUD or not. :)

Prefetch is a bit of busy work. Disabled simply to keep things simple. Don't see a purpose for it, but it might have a use under certain conditions.

I do agree that FF should make it an option easy to find, and should be default OFF.

So this prefetch stuff is supposed to speed up page loads for a visitor, right? Or do I have the whole idea wrong?

Anyhow, if speeding up load times is part of the deal, will turning off prefetch slow load times down?

And if so, will that have any consequences inrelation to the recent talk about Google using apge load times as a ranking factor? (Or do I have that concept wrong too?)

Disabling the prefetch feature will have no impact on Google's page speed measurements because they are doing these measurements via the Google Toolbar, which is on IE and the prefetch we have been discussing is on Firefox.