Opened 10 years ago

Closed 10 years ago

#1673 closed defect (fixed)

Firefox HTTP Prefetch feature leaks unencrypted site accesses, ignoring rewrite rules

Reported by: schoen
Owned by: mikeperry
Priority: High
Component: HTTPS Everywhere/EFF-HTTPS Everywhere


Firefox supports a feature called HTTP Prefetch, where an HTML page can "hint" that a user is likely to access a particular page in the near future. Firefox can (and by default does) load the relevant URL even before the user clicks on this.

Google search results (in some circumstances) contain HTML code that requests a prefetch of the top search result. (Google is not necessarily the only site that triggers this problem!) Firefox will, by default, then load this page, ignoring any potentially applicable HTTPS Everywhere rewrite rules. For instance, if the top search result is a Wikipedia page, Firefox will load that page in plaintext in the background, even though HTTPS Everywhere has a rule that should force the Wikipedia page access to be rewritten. (Actually clicking on the link results in HTTPS Everywhere rewriting it, but the browser has already loaded the unencrypted version!)

for more discussion of this problem.

See also
for discussion of HTTP Prefetch. (You can turn it off entirely, but I don't know whether that's the right solution.)
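
An added example, not part of the ticket or of HTTPS Everywhere's code: a Python check that lists the prefetch hints in a page whose targets would be requested over plain HTTP, which are the background requests described above. The sample page, its `.example` hosts and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel values documented by Mozilla as link-prefetch hints.
PREFETCH_RELS = {"prefetch", "next"}


class PrefetchHintParser(HTMLParser):
    """Collects the absolute target URL of every <link> prefetch hint."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        # rel is a space-separated, case-insensitive token list.
        rels = set((a.get("rel") or "").lower().split())
        href = a.get("href")
        if href and rels & PREFETCH_RELS:
            # Relative and scheme-relative hrefs inherit the page's scheme.
            self.hints.append(urljoin(self.page_url, href.strip()))


def plaintext_prefetches(page_url, html):
    """Return prefetch targets that would be fetched over plain HTTP."""
    parser = PrefetchHintParser(page_url)
    parser.feed(html)
    parser.close()
    return [u for u in parser.hints if urlsplit(u).scheme == "http"]


# Constructed sample: a results page served over HTTPS with mixed hints.
SAMPLE_PAGE_URL = "https://search.example/results?q=tor"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="prefetch" href="http://en.wikipedia.example/wiki/Tor">
<link rel="PREFETCH next" href="//cdn.example/page2">
<link rel="prefetch" href="https://secure.example/a">
<link rel="next" href="http://other.example/p2">
</head><body>results</body></html>
"""

if __name__ == "__main__":
    for url in plaintext_prefetches(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("plaintext prefetch:", url)
```
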

Change History (2)

comment:1 Changed 10 years ago by pde

Owner: changed from pde to mikeperry
Status: changed from new to assigned

comment:2 Changed 10 years ago by pde

Resolution: fixed
Status: changed from assigned to closed

Fixed in the recent development branch