For any other developers dealing with this problem, here's what seems so far to work:
- On pages where you don't want to allow prefetching, go through all of the request headers and see if any of them equal "prefetch". The main one seems to be Purpose: prefetch, but there seem to be at least 3 different headers, which is why I'm just scanning through all headers.
- Return an error if it's a prefetch, along with a Cache-Control: no-store header so that the error isn't returned if the user actually visits the page.
That's probably No-State prefetch you were blocking. I read in the
release notes that "Purpose: prefetch" was added in Chrome 69. Odd for this problem to crop up just now, or maybe it had silently existed all these months and nobody noticed.
Two bug reports were filed on Chromium a few months (years in the case of the second bug) before that complaining that prefetch requests were identical to normal requests and had no distinguishing headers back then (
796738 and
86175), where you can actually see users and developers arguing about why they're not sending a header although it was easy to make it do so. I'm glad they finally got things sorted out.