Dangers of using HTML5 prefetch?

Question

Ok, so it isn't a huge worry yet as it is only supported by a few browsers:

• Mozilla Firefox: Supported
• Google Chrome: Supported since version 13 (Use an alternate syntax)
• Safari: Currently not supported Internet
• Explorer: Currently not supported

However, prefetch makes me twitch. If the user lands on your page and bounces off to another site have you paid for the bandwidth of them visiting your prefetch links?

Isn't there a risk of developers prefetching every link on the page which in turn would make the website a slower experience for user?

It looks like it can alter analytics. Will people be forcing page views onto users via prefetch?

Security, you wont know what pages are being prefetched. Can it prefetch malicious files?

Will all this prefetching be painful for mobile users with limited usage?

Answer 1

I can't call myself an expert on the subject, but I can make these observations:

1. Prefetch should be considered only where it is known to be beneficial. Enabling prefetch on everything would just be silly. It's essentially a balance of server load vs user experience.
   
   
2. I haven't looked into the HTML5 prefetching spec, but I would imagine they've specified a header that states "this request is being performed as part of prefetching", which could be used to fix the analytics problem - i.e. "if this is a prefetch, don't include it in analytics stats".
   
   
3. From a security standpoint, one would expect prefetch to follow the same cross-domain rules as Ajax does. This would mitigate any cases where XSS is an issue.
   
   
4. Mobile browsers that support HTML5 prefetch should be smart enough to turn it on when using WiFi, and off when using potentially expensive or slow forms of network connection, e.g. 2G/3G.

As I've stated, I can't guarantee any of the above things, but (like with any technology) it's a case of best practices. You wouldn't use Cache-Control to force every page on your site to be cached for a year. Nor would you expect a browser to satisfy a cross-domain Ajax request. Hopefully the same considerations were/will be taken for prefetching.

Answer 2

To answer the question of analytics and statistics, the spec has the following to say:

To ensure compatibility and improve the success rate of prerendering requests the target page can use the [PAGE-VISIBILITY] to determine the visibility state of the page as it is being rendered and implement appropriate logic to avoid actions that may cause the prerender to be abandoned (e.g. non-idempotent requests), or unwanted side-effects from being triggered (e.g. analytics beacons firing prior to the page being displayed).