June 14th, 2009


CSS :visited

(from someone via hackers)

http://it.slashdot.org/story/09/06/13/2125211/Sniffing-Browser-History-Without-Javascript?art_pos=14
http://www.making-the-web.com/misc/sites-you-visit/nojs/

It appears to be an interesting design failure in the CSS specification. Because a page can specify different styles for links depending on whether or not the user has visited them, it can assign a different image to every visited link and present the user with a big collection of possible links. Depending on which images are then requested from the server, some (rather limited) browsing history of the user is revealed to an unauthorised host.
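One way to audit a stylesheet for the pattern described above, as an added example that is not from the original post or the linked demo: it flags rules whose selector uses `:visited` and whose declarations reference a `url()`, which is what triggers the per-link request. The name `findVisitedFetches` and the sample stylesheet are constructed for illustration.

```javascript
// Added example: audit a stylesheet for :visited rules that fetch a resource.
// findVisitedFetches and SAMPLE_CSS are constructed names/data, not from the post.

// Returns [{selector, url}] for every rule whose selector contains :visited
// and whose declaration block references url(...). Descends into @media etc.
function findVisitedFetches(css) {
  const findings = [];
  const walk = (text) => {
    let i = 0;
    while (i < text.length) {
      const open = text.indexOf("{", i);
      if (open === -1) break;
      // Find the brace that closes this block, allowing nested blocks.
      let depth = 1;
      let j = open + 1;
      while (j < text.length && depth > 0) {
        if (text[j] === "{") depth++;
        else if (text[j] === "}") depth--;
        j++;
      }
      const prelude = text.slice(i, open).trim();
      const body = text.slice(open + 1, j - 1);
      if (prelude.startsWith("@")) {
        if (body.includes("{")) walk(body); // conditional group rule
      } else if (/:visited\b/i.test(prelude)) {
        for (const m of body.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)) {
          findings.push({ selector: prelude, url: m[2] });
        }
      }
      i = j;
    }
  };
  walk(css.replace(/\/\*[\s\S]*?\*\//g, "")); // strip comments first
  return findings;
}

// Constructed sample stylesheet.
const SAMPLE_CSS = `
a { color: blue; }
a:visited { color: purple; }                       /* colour only: no request */
a[href="https://example.com/"]:visited { background: url("/hit?l=1"); }
@media screen {
  #l2:visited::after { content: url(/hit?l=2); }
}
a:hover { background: url(/img/hover.png); }       /* fetch, but not :visited */
`;

for (const f of findVisitedFetches(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.url}`);
}
```

Only the two `:visited` rules that carry a `url()` are reported; the colour-only `:visited` rule and the `:hover` image are not.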

P.S. Actually, it's old news, of course, thanks to some commenters on Slashdot:

https://bugzilla.mozilla.org/show_bug.cgi?id=57351 (Bug 57351 - css on a:visited can load an image and/or reveal if visitor been to a site. 2000-10-19 16:57 PDT by Jesse Ruderman)
https://bugzilla.mozilla.org/show_bug.cgi?id=147777 (Bug 147777 - :visited support allows queries into global history. 2002-05-28 21:29 PDT by David Baron [:dbaron])