I believe this is not a new concept. However, I applaud the accessibility, style and implementation of the proof-of-concept, given that the author seems to be only 15!
Also sidenote: I like the creative and subtle plug for the author's 'Quickz' project (seems to be a Kahoot alternative - I have never heard of either) in the "not visited category".
I rarely see websites that actually make use of `:visited` style as intended; it would be good if browsers had an option to just disable it and prevent this class of leaks completely.
I like :visited. It’s useful. I don’t want browsers to disable it, but developers to stop clobbering and disabling it on their sites.
Any site I make will have sane blue underlined links and purple underlined visited links. I’m willing to vary the shades of blue and purple, and I prefer to reduce the opacity of the underline when not interacting with the link, but I say general links should be blue and purple and underlined, and anything else is troublemaking.
(In https://github.com/w3c/csswg-drafts/issues/3012, there’s talk of changing :visited to essentially work from the site’s perspective—exposing only history that the site could have tracked itself—rather than for the user as global visitedness does. This makes me sad, though I quite understand the perspective; to me, :visited has always been about the user, even though such first-party link following is its primary use.)
Not sure what you mean. Under that proposal :visited wouldn't be available for styling or scripting except for links the site could already know that you visited.
The only time I ever see a visited style link is when links aren't styled at all. It's anachronistic and the feature should probably be dropped altogether. If some users want to see it, it could be done with an extension that has history access (or a coarse-grained version of history). Then they'd be able to see it for all sites, not just the tiny fraction of sites that don't style links.
Looks like Firefox has it in their advanced settings under "layout.css.visited_links_enabled", but on Chrome (or other Chromium-based browsers) you have to clear history regularly, or use incognito mode.
The answer to having both visited styles and not security violations is to allow a domain to only style links that are local to that domain and not others.
They already do that with referers; there is a security level to only let the site see referers that are local to its domain. I think this is the default for https.
I was wondering why this wasn't working for me. Looking through my settings in Firefox, I finally narrowed it down to Privacy and Security -> History. I have it set to "use custom settings" (clear history on exit, everything else unchecked), but presumably "never remember history" would also work.
Oh nice, I always have trouble making realistic clickjacking demos. This is just perfect. Previously I put stuff like a play button on a funny video, and for a second click the skip button on an ad. This stuff is golden, you can get a nearly infinite amount of clicks out of it.
I remember seeing the same concept applied to something else and a demo here on HN many years ago. This implementation however is novel, and feels more 'exploitable'. Good idea/nice find!
No, not blocked. Nothing on the console too except that the loading of "plausible.js" was blocked.
PS. Played with it a bit and .box divs are zero-height. You need to have some content in <a> tags for them to not collapse vertically. This fixes it (somewhat) -
Thanks. I can't reproduce the issue on Chrome or Firefox (98), but I've just pushed an update that changes "aspect-ratio: 1/1", to "aspect-ratio: 1 / 1". Perhaps I needed those spaces.
Let me know if that solves it. :)
Edit: Looks like Firefox only got support for aspect-ratio in version 89, is your browser up to date?
I am on 88 and planning to stay on it for a while. Mozilla got way off track recently with their pointless UI changes and, more troubling, business "collaborations", so a conservative approach to updating is well-warranted.
Basically the only defense is an extension that prevents styling for a visited link. But on the plus side to use this exploit you either need to be very specific about what sites you check or have the user clicking lots of links…
I use Firefox Focus. It deletes your history each time you close the app. I find I never need my history, so I’m happy to have it deleted regularly. Others seem to use their history and tabs, so YMMV.
I don't think you can defend against this by adding CSS rules, only removing them. Extensions would need to parse the entire CSS of a website and replace it, which would be cumbersome.
>What is going on with those new accounts preaching against online privacy recently?
From my experience (as I prefer freedom of information) if you are against privacy you tend to get downvoted. I think downvotes can lead to your account being rate limited which is annoying so it makes sense that people would want to use another account.
I don't think the new account was actually arguing against privacy (those words have basically become a strawman now); rather it was just a bit of dry humour.
I just reread the comment and maybe you are right. I don't know if he edited the comment or if I misread when I wrote my reply, but I didn't see the word "goes". So I read "I believe the argument [...]".
Also, lying about the visited state to JS was implemented as early as Firefox 4 - so it is definitely not a JS-dependent "exploit" (rather, it's a rather oblique way of social engineering).
Fortunately most browsers already have some measures to prevent that (https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and...), the demo avoids automating the process altogether, and relies on tricking the visitor into 'voluntarily' telling if they've visited a site.
I meant you can use CSS on the checkbox once it is checked, there is no need to actually submit a form. I understand that you can't use CSS directly on the :visited selector.
Keep up the good work!