Preloaded images with JavaScript
This document shows the back.gif and music.gif images.
If you have JavaScript enabled, these should have been loaded by the previous ImgPreload.html page.
The server's access log should now show a reference to this page,
but should show no new GET for these images,
because they should be in your browser's cache.
There are several important things to notice about this preloading:

Warning
If I were less ethical,
and you work for a large company (or live in the wrong country),
you could be in serious trouble for merely having downloaded that last page.
To understand why,
read on ...

Speed
If you have JavaScript enabled,
this page should have loaded with little or no delay.
The images were loaded into your browser's cache
while you read the previous page, and don't need to be loaded again.

Why this is useful.
If a web site has a lot of related pages that share graphic images,
this Java and JavaScript feature can significantly speed up your access to the site's web pages.
The reason is that the common images are downloaded while you read the main page,
which should have relatively few graphics.
The network load is the same (or possibly higher),
but the images are downloaded during otherwise idle time,
so from the user's viewpoint it seems faster.

How this can be abused.
You probably didn't notice, but there were actually three
images loaded by the previous page. The third isn't shown
here. Can you find it? (Hint: It's in your browser's cache.)
Think about this a bit.
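The mechanism behind the demo, as an added example that is not the demo's or the page's own code: assigning a URL to an Image object's src makes the browser fetch it without rendering it, so a page can pull in a third image that never appears on screen. The hidden-image URL, the page markup and the stand-in Image factory are constructed assumptions so the check runs outside a browser.

```javascript
// Added example, not the original demo's code: how JavaScript preloading
// works, plus a check for URLs that get fetched but are never displayed.
// The hidden-image URL below is a constructed placeholder, not a real one.

// Preload every URL by assigning it to an Image object's src. The browser
// fetches each one at once, whether or not the page ever shows it.
// makeImage is injectable so the logic also runs outside a browser.
function preloadImages(urls, makeImage) {
  const factory = makeImage || (() => new Image());
  return urls.map((url) => {
    const img = factory();
    img.src = url; // setting src triggers the GET; nothing is rendered
    return img;
  });
}

// Pull the src of every <img> tag present in the page markup
// (a simple regex is enough for the demo's plain HTML).
function displayedImageUrls(html) {
  const urls = [];
  const re = /<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Defender's check: preloaded URLs that never appear in an <img> tag.
// Anything listed here lands in the cache and the access log unseen.
function hiddenPreloads(preloadedUrls, displayedUrls) {
  const shown = new Set(displayedUrls);
  return preloadedUrls.filter((u) => !shown.has(u));
}

// Constructed inputs mirroring the demo: three preloads, two <img> tags.
const PRELOADED = ["back.gif", "music.gif", "http://example.invalid/hidden.gif"];
const PAGE_HTML = '<img src="back.gif"> <img src="music.gif">';

// Run the check with a stand-in Image object so it works in Node as well.
function demo() {
  const fakeImage = () => ({ src: "" });
  const fetched = preloadImages(PRELOADED, fakeImage).map((i) => i.src);
  return hiddenPreloads(fetched, displayedImageUrls(PAGE_HTML));
}
```

The server-side access log the page mentions remains the authoritative record of what was actually fetched; this check only flags script-driven preloads that the markup never displays.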

What a site can do to you.
While this feature was intended to speed up web accesses for
sets of related pages, it can also be used to embarrass people
by loading things into their browser's cache.
This "preloading" can download anything from any site on the web.
For example, suppose
a coworker gets angry with you and decides to cause you some trouble.
They can copy this demo code to a page of their own,
replace the hidden image's URL with a pointer to a pornographic web site,
and invite you to look at their page. You won't see anything suspicious,
but the porn site's page is now in your browser's cache.
If anyone is monitoring your web usage,
they will see that you just accessed a pornographic site.
If someone examines your browser's cache,
they will find a pornographic image there.
In some companies, this can get you fired.
In some countries, it can land you in jail.

Solutions
How can you protect yourself from this sort of misuse of preloading?
There is only one way: Turn off Java, JavaScript, ActiveX and any
other sort of remote programming or scripting that your browser has.
They all let remote sites do this sort of preloading.
If you do this, preloading will no longer work,
and web sites that use it will not download as fast.
The pages will look the same on your screen,
unless they require scripts to work,
but you won't get the hidden image.
Only images that are actually used will be downloaded.

Commentary
As more and more companies install software that monitors their
employees' web usage, and more web-site developers learn the tricks
of the trade, this sort of thing will become much more common.
When used to speed up web access, it is useful. But it is a real
source of potentially embarrassing files on your disk. Your only
defense is to disable anything that allows a remote site to run code
on your machine.

Advice
Languages like Java, JavaScript and ActiveX allow a web site to send code
to your browser that is run automatically. Allowing strangers to run
code on your machine is never a good idea. If you value the contents of
your disk, or are worried about embarrassing files appearing there without
your knowledge, you should make sure that all such programming tools are
disabled.

History
A few years ago, I got curious about what was in my browser's cache,
and found that it contained a number of "interesting" images which I
had never seen. I was curious, so I showed the images to some coworkers,
and we tried to figure out where they had come from. We weren't successful.
But this aroused our curiosity. Some time later, I stumbled across a
discussion in a newsgroup of how to do something called "preloading".
This produced an "Aha!" reaction, and when I saw the JavaScript code,
it only took me a few minutes to turn it into this demo. Since then,
I have generally tried to make sure that I have JavaScript and any
other scripting languages turned off in any browser that I use.
If you value your job, you might want to do the same.