[go: up one dir, main page]
|
|
Log in / Subscribe / Register

It's not as simple as that.

It's not as simple as that.

Posted Jun 26, 2008 7:56 UTC (Thu) by khim (subscriber, #9252)
In reply to: Leaking browser history by ekj
Parent article: Leaking browser history

Afterall the situation is, from the pages perspective, completely identical to a broweser with no saved history at all.

Not really. If "visited" links are using significantly different fonts (20pt vs 10pt) JavaScript still can pull information about you history - by calculating sizes of visited and unvisited links. So you need to lie about geometry of object which includes link. Further you need to lie about sizes of objects, placements of objects (big "visited" link can be forced to overlap with something while small "unvisited" link will not do so), etc.

It short: it's nothing like "completely identical to a broweser with no saved history at all". It's almost impossible to do this "right". The only solution is to remove all style changes from "visited" links except safe ones (color and probably nothing else) - and that's quite intrusive change...

to post comments

It's not as simple as that.

Posted Jun 26, 2008 8:31 UTC (Thu) by rvfh (guest, #31018) [Link] 

Thanks for that: this was the main information missing from the article...

But that means there is really no solution then, except not remembering which sites were
visited at all?

Mind you, the browser could apply (and report) the same style to visited and not visited
links, and add some local information (like special background) in the rendering of the
page...

Are there any sites relying on the visited links to render their page? Like: if you visited
the 'New stuff' page then the news are not the latest but the greatest kind of thing? I expect
some must do?

It's not as simple as that.

Posted Jun 26, 2008 9:18 UTC (Thu) by nix (subscriber, #2304) [Link] (3 responses) 

But 99.9% of users do not change anything but the link colour. Having it lie about that alone
seems perfectly practical (yes, if the page modifies its background colour such that all links
are visible even if the user has changed their colour, that code will break, but *that* is
done by essentially nobody).

It's not as simple as that.

Posted Jun 26, 2008 9:33 UTC (Thu) by ekj (guest, #1524) [Link] (2 responses) 

You misunderstand. It's not what the -user- has changed. It's what the -site- has changed.

If I design a malicious site with the goal of spying out which pages you have visited, there's
nothing stopping ME from specifying that visited-links should be in 20pt and nonvisited in
10pt, and then use javascript to figure out which ones fall in which category. (the links can
be invisible to you, say by having the background-color or being in a div that has
display:none.

I'm with the other reply: Render -ALL- links as if they're nonvisited, then apply some local
(not influenced by site-CSS) decoration-change that is invisible in the DOM. 

Yes, this means site lose the possibility of specifying how visited links should look. An
advantage anyway since most use that only to set them equal to nonvisited in the first place,
because it offends "designers" to have lists of links that have two different looks.

It's not as simple as that.

Posted Jun 26, 2008 12:23 UTC (Thu) by NAR (subscriber, #1313) [Link] 

I might be missing something, but e.g. Opera has a feature to disable the site CSS and use a
"user CSS" and this would eliminate this bug. Of course, in this case the web starts to look
quite differently than it used to do :-)

It's not as simple as that.

Posted Jun 27, 2008 9:33 UTC (Fri) by nix (subscriber, #2304) [Link] 

Ah, yes. I must agree with that. I actually use a per-user stylesheet to 
force visited links to be rendered as I like, dammit, specifically because 
of annoying sites like you describe.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds