Closed Bug 647129 Opened 14 years ago Closed 14 years ago

Link pre-fetching should be disabled by default.

Categories

(Core :: General, enhancement)

Product:
Core
Component:
General
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: jonathandl92, Unassigned)

Details

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/4.1.3 Safari/533.19.4 Build Identifier: To prevent "drive-by" downloads, link pre-fetching should be disabled by default or, in the alternative, the option to disable itshould be made visible and accessible from the Preferences menu. Reproducible: Always This would also tend to prevent exploitation of any future security vulnerabilities.
Uh... How does link prefetching help drive-by downloads, exactly? Or more precisely, how would disabling it prevent them?
If Firefox has any as-yet-to-be-discovered security bugs, they might be exploited by a page that the user did not specifically intend to download. Even if no such bug exists, I see no reason why the preference to enable or disable prefetching should not be in the Preferences menu; it is better to let the user decide, rather than to make this choice for them.
> they might be exploited by a page that the user did not specifically intend to > download How? Prefetching just saves the raw bytes into the cache. There's no processing done on them. So you're positing a bug in the code that grabs bits off the wire and puts them on disk. This is pretty simple code, but bugs are always possible..... but you can trigger this code in so many ways other than prefetching that prefetching doesn't add much of an attack vector. Note that we only prefetch a link if the page the link is in explicitly asks us to. If it wanted to execute an attack it could just redirect to that link instead. > I see no reason why the preference to enable or disable prefetching should > not be in the Preferences menu The obvious reason is because most users don't care and space in Preferences is limited. In any case, this is a UI issue, not a core rendering engine issue. > it is better to let the user decide This is why the option to disable prefetching is present, for those who do wish to exercise it. See https://developer.mozilla.org/en/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3f Thank you for explaining your concerns. I think that as filed this is wontfix.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.