Yeah, I'd noticed this a while ago. It's actually pretty nice if you've told Firefox to ask you about cookies first. I find that if the top site in the search results tries to set a cookie, it's often also one of those times that it's worth skipping to the second.
What's interesting about this is that it won't so much help spy on you (it won't), as tell people how effective their search engine optimization is (prefetch requests where referrer=Google mean you hit the top on something). I would expect it would make it slightly harder (one more hoop) to spy on you, because getting the cookie does not necessarily imply that you clicked the link.
Within a single administrative domain, this wouldn't be a problem. The target already knows you visited the origin page, and the exact contents of the origin page. The only information leaked is that the user has 'prefetch' on.
In Google search results, this is problematic. It reveals your search terms and IP address to a third party you've never decided to visit. It's essentially equivalent to a 1-pixel 'web bug' sharing your Google search visit info with the first result site.
Just discovered this by accident when I cleared my cookie cache, went to Google and found a non-Google cookie on my computer. How did it get there? Google had inserted a link="prefetch" for the top search result (or presumably that cost some money).
I am a bit shocked - yet another way to spy and be spied upon :-(
Don't think it's there for money - search Google for "reddit" or "ycombinator news" and you'll see that the most obvious site result for those terms is put in a <link rel="prefetch" ...>.
It doesn't seem to appear for things that don't have an obvious site.
I bet it's in there just to "speed up" browsing, especially for people who use Google search as their address bar.
Or another way for sensationalists to moan about being spied upon?
Seriously... They already know you searched for "X". What difference does it make if they load some stuff in your browser cache. What extra information does that give them?
How is this spying?
I know in the big scheme of things it is not a biggie, it just frustrates me that it is yet another thing to watch out for (and coming from the "good guys", a.k.a. open source Mozilla). There are too many already - Flash cookies, JavaScript includes etc.
I just happened to test the cookie thing - my Sage news reader also installs several cookies immediately, even though I have told it to not automatically update the feeds. I am guessing it comes from the favicons?
Anyway, I am planning to create a collection of all of this.
True, so the top result may know that you searched for them even if you didn't click on them.
I'm at a loss to see how they would use that information in a bad way though - all they have is some server logs telling them a person from the IP address a.b.c.d did a search for them, and Google suggested the browser prefetch their page.
I know it's the principle and a slippery slope and everything, but I'm not sure how an IP is of any use - especially given the number of ISPs that use dynamic pools, or web caches etc.
They also get to set a cookie. Anyway, maybe that one use by Google is not too bad. But it seems unnecessary, and in general that functionality seems to be only good for spying on users. So why enable it in an open source product?
I'd say because for most people it'll speed up the responsiveness of their browsing experience, and they won't really care if a website sets a cookie or logs their IP address.
If you're doing something you don't want to be spied on, anonymous proxies work well.
Except that this makes it voluntary for the user. Many people still pay for bandwidth, and they would be able to turn off prefetching in order to minimize usage. By using iframes or AJAX to prefetch, you may be costing the user money that he doesn't want to spend.