Joi Ito's Web

Joi Ito's conversation with the living web.

Google & Firefox == Evil & Annoying

I recently did a search at google for "radio shack". To my surprise, I received a cookie setting request from radio This had never happened before- and radio shack also happened to be a sponsored link. I did other searches, such as "ford", "sony", and even "girl scouts"- and each time, the top link requested a cookie to be set. Since Girl Scouts did not have a sponsored link- I realised it must only be the top link that sets a cookie. It turned out that Mozilla browsers (that includes firefox) and Google have both enabled prefetch- although it would seem that Google only recently enabled it- as this is a new occurrence. I always verify the setting of cookies- so this makes every google search into an annoying cookie refusal time waste. It would also seem that prefetching is turned on my default in firefox- and is very unintuitive to turn off.

So- for my friends that automatically accept cookies- you are now downloading a page and a cookie nearly every time you use google and firefox together.

And even though I never clicked on their link- and never wanted to visit their site- I'm downloading the top link of my search results to my harddrive every time I do a Google search.

This makes me dislike not only Mozilla- but Google as well.

There is a discussion about this on as well. This feels annoying and since it's more fun to pick on Google than Microsoft these days, I'm blogging it.


I wonder if the pre-fetch request on the sponsored link counts as a 'click' and therefor charges the sponsor for the click? Note that Mozilla pre-fetching will only follow HTML tags and HTTP Link: headers, not tags.

To disable pre-fetching, add the following to prefs.js


It seems that this is a mistake from both parties, but not intentional evil activity. Google should have marked the links not to be pre-fetched, and Mozilla should in no circumstance accept cookies from a third-party site in the background without the user knowing about it.

Prefetching is a good thing, not a bad thing.

It means that while you're reading page 1, your computer can be downloading page 2, so it appears to load instantly when you click the link.

As as user, if you'd prefer your browser not to do this, then you can disable it -- Mozilla about:config lets you change it (network:prefetch-next is the parameter.

As a webmaster, you can refuse prefetch requests by examining the HTTP headers for "X-moz: prefetch"

See the Mozilla pre-fetch FAQ. They have a strong argument that if this isn't implemented in a standard way in the browser, then web designers will implement it in non-standard, non-user-configurable ways using Javascript and DOM, which would be much worse.

The only slight worry I have is that prefetch could allow nasty sites to make your browser prefetch non-worksafe materials which you could then get blamed for browsing. OTOH prefetching gives you plausible deniability ;)

I'm tempted to implement prefetch in some of my own web pages -- the "next" link in my travel diaries seems appropriate.

Currently Mozilla will *not* pre-fetch regular links (the "a href" variety), only link elements in the header that are explicitly marked to be pre-fetched. Google explicitly wanted the top search result to be pre-fetched.

P.S. I would probably advocate a third setting alongside "allow prefetch" and "disallow prefetch" -- "disallow cross-site prefetch".

yea, "disallow cross-site prefetch" sounds like a good solution to me.

Please see Googleblog.
. There is a message, which announces the new feature.

Seems like the Firefox developer that Google hired is earning his salary. Sorry to state the obvious but the Girl Scouts are always trying to "drop" their cookies on everyone.

I still can't understand why people think cookies are so evil. Do you avoid customer-care cards? Banish credit cards? Wear rubber gloves and store your cash under your bed? Seriously folks, they aren't that bad.

Amen, Jonathan!

IMHO, cookies are one of those things that are easy to make into a boogeyman, but I've yet to see any demonstrable harm.

Has anyone ever been able to accurately site a case in which their privacy was violated due to cookies?

Denied health insurance? Fired from a job? Lost a case in traffic court?

No, I'm serious. I have yet to read any convincing arguments against cookies that cite actual threats, not hypothetical dangers.

Well, Cookies can be used by employers or other people who have access to your computer to "prove" you accessed cetain sites. Also, cookies are a security risk since it sends info in the clear. I wonder what happens when you hit a site where you have an account. Does pre-fetch communicate with a cookie in your computer? I'm not sure about this, but for instance, when you are on an open wifi you don't want to go to sites where you have a cookie that includes information such as personal information or login info since it could send the information in the clear without you knowing it. A sniffer could pick this up. In the course of surfing while avoiding sites where you have login cookies, you could feasibly hit the cookie by accident while Googling, no?

The reason the prefetch drops a cookie is because the browser is communicating with the first site on the list. Cookies are limited between you and the site that issues them. So (assuming Firefox is programmed correctly) Google has no access to these cookies coming from these other sites.

Now, it is true that passwords and other personal information could be sent in the clear without you knowing it. But if a sniffer could pick this up, they're just as likely to pick it up when you created the account or any time you log into the site. A good web developer should not actually store clear-text passwords in a cookie anyways.

So let's say you are on an open Wifi connection, could that clear text data inadvertently get sent while Googling? Yes, that is a possibility. In fact, a quick test googling Hotmail does indicate that my e-mail address got sent without actually visiting the Hotmail site. In which case, turning off the prefetch would solve this problem.

Turning off cookies altogether, on the other hand, still seems extreme (not that you were suggesting it). I think the idea of prefetching in general makes sense and maybe the solution is simply that cookies do not get sent during prefetch. But with broadband becoming more pervasive, it seems like prefetching isn't really necessary.

Goto Google. Search for 'selinux'.

You now have a Cookie from, and your Firefox browser has downloaded Nice implementations of privacy Firefox team. Good job.

More violations of privacy, now courtesy of Mozilla- shock horror! Do you REALLY think that you have a CHOICE? Never underestimate the power of '33'!!

"I've got nothing to hide..."- yeah, exactly Sherlock!! :)

3 TrackBacks

Listed below are links to blogs that reference this entry: Google sending prefetch cookies.

TrackBack URL for this entry:

Joi Ito's Web: Google sending prefetch cookies: "It turned out that Mozilla browsers (that includes firefox) and Google have both enabled prefetch- although it would seem that Google only recently enabled it- as this is a new occurrence."... Read More

Google sending prefetch cookies from Quickies
April 5, 2005 8:00 PM

Google sending prefetch cookies... Read More

I noticed some additional information about concerns regarding firefox prefetch. It happens that Google recently enabled prefetch on the first links of their search results pages, and this, in combination with the default settings of Firefox (actually ... Read More