Re: Pre-fetch rough draft

The specification states that "Prefetch requests must not include
cookies." which is not an effective measure to prevent user profiling.
For instance somebody could auto-generate the prefetch.txt tailored to
the user to fetch URLs like
http://somedomain.com/whatever?userID=1358f2d55b34fb581fd5479d079d91dd

I'd suggest allowing cookies, since the no-cookies restriction makes it
more difficult for non-malicious uses, but does not effectively deter
malicious uses.

Since we've established that users can be uniquely identified by their
prefetch requests, there are some additional security concerns over
user profiling. For instance an ad-serving domain could generate user
tailored prefetch URLs for their ads. Traditionally ad-aggregators
could profile users' browsing behavior that way. However with this
additional tool they can also gauge the persistence of the domains
they served ads for in the user's history. Additionally since some
browsers implement history/bookmark/tab syncing, it would now allow
those ad-providers to build a holistic picture of a user and all his
browsers/profiles across all his devices including all his history up
to the limit of history entries.


On Tue, Oct 30, 2012 at 10:22 AM, Charles McCathieNevile
<chaals@myopera.com> wrote:
>
> Hi,
>
> I mentioned this and it's something we are working on.
>
> Basic idea: site provides list of resources that it uses and can be cached for general improvements on the whole site. (We're seeing load-time improvement from 50% - 300% in our testing. We are using it on sites - mail.yandex.ru/prefetch.txt has an example).
>
> The draft "spec" here is still very rough, but it shows what we've implemented and some of what we think it is good for.
>
> This is meant as input to the appcache/packaging/etc discussion, and may or may not be something this group takes on.
>
> cheers
>
> --
> Charles McCathie Nevile - private mail account

Received on Tuesday, 30 October 2012 09:47:01 UTC
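
Added example (not part of the original message or the draft spec): one way a client or auditor could check for the per-user tailoring described in the reply above, by comparing the prefetch list served to two independent cookie-less clients. It assumes the list is plain text with one absolute URL per line, which the thread does not specify; the function names and the second sample ID are constructed.

```javascript
// Shannon entropy of a string, in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Assumed format: one absolute URL per line. Entries are keyed by
// origin + path + sorted parameter names so they can be matched across lists.
function parseList(text) {
  const entries = new Map();
  for (const line of text.split(/\r?\n/)) {
    let u;
    try { u = new URL(line.trim()); } catch { continue; } // skip blanks/garbage
    const names = [...u.searchParams.keys()].sort().join(',');
    entries.set(`${u.origin}${u.pathname}?${names}`, u);
  }
  return entries;
}

// Flag query parameters that differ between two clients' lists, or that look
// like opaque tokens (long, high entropy) even when only one list is available.
// A differing short value can also be a cache-buster, so findings need review.
function findTailoredEntries(listA, listB, minEntropy = 3.0) {
  const a = parseList(listA), b = parseList(listB);
  const findings = [];
  for (const [key, ua] of a) {
    const ub = b.get(key);
    for (const [name, value] of ua.searchParams) {
      const differs = ub !== undefined && ub.searchParams.get(name) !== value;
      const tokenLike = value.length >= 16 && entropy(value) >= minEntropy;
      if (differs || tokenLike) {
        const reason = differs ? 'differs-between-clients' : 'token-like-value';
        findings.push({ url: ua.href, param: name, reason });
      }
    }
  }
  return findings;
}

// Constructed sample lists; the first userID is the one quoted in the message.
const SAMPLE_A = `http://somedomain.com/static/site.css
http://somedomain.com/whatever?userID=1358f2d55b34fb581fd5479d079d91dd
http://somedomain.com/img/logo.png?v=3`;
const SAMPLE_B = SAMPLE_A.replace('1358f2d55b34fb581fd5479d079d91dd',
                                  '9c0e4a7712bd48f3a6605e1d2f83b7c4');
```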