Hacker News

Unfortunately, this is just really old news and really lame. Man, I hate using the word lame. It's not an "attack". It's simply taking advantage of a feature built into all browsers since like 2000 or before.




That's true -- there have been several projects making use of the CSS :visited history sniffing technique. The method itself was originally reported in early 2000. See http://whattheinternetknowsaboutyou.com/docs/details.html#re...


It's old and it's somewhat lame, but it is an attack. CSS and the DOM were designed not to allow this sort of information leak. They missed a spot.


The problem, of course, is how to solve this without neutering both CSS and the DOM in the process.


Maybe :visited should not apply to cross domain links.


It is old news, but CSS history 'browsing' can be used as an attack to find authz tokens in certain URLs.


It's



