
A couple of days ago I wrote about the visited link JavaScript hack that lets any website operator query a user’s browser history to determine if they’ve visited any other particular site. One possible use for this is to detect which Web 2.0 social applications a user visits so that you can display the appropriate link badges.
It’s a creepy scenario, though, that a website operator can effectively bypass the browser’s intended security model to invade your privacy by seeing if you’ve been visiting other sites. Hackszine reader Logical Extremes commented with a solution to this problem:
“This is a common phishing vector. Rather than encouraging broader use, we should be educating and protecting against it. There is a Firefox add-on that explicitly blocks this.”
Some hackers over at the Stanford Computer Science Department created SafeHistory, a Firefox plugin that protects against visited link tracking techniques. It works by allowing a:visited styling to apply only to off-site links that were previously visited from the current URL.
This seems to be a reasonable way to keep the functionality of visited links without leaking any additional information. I wonder how long it will be before this is adopted as a browser behavior standard.
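The policy described above, modeled as an added example (not SafeHistory's own code): it compares a global visited check with one segmented by the site a link was followed from. The class and method names, the example.* URLs, the use of the URL origin as "the current site", and the unrestricted treatment of same-site links are assumptions of this sketch.

```javascript
// Hypothetical model of a segmented visited-link policy (constructed sample data).
class SegmentedHistory {
  constructor() {
    // target URL -> Set of origins whose pages the visit was started from
    this.visits = new Map();
  }

  // Record a visit to `target`; `referrer` is null for typed or bookmarked URLs.
  recordVisit(target, referrer) {
    const url = new URL(target).href;
    if (!this.visits.has(url)) this.visits.set(url, new Set());
    if (referrer) this.visits.get(url).add(new URL(referrer).origin);
  }

  // Global history: every page learns whether the link was ever visited.
  unpartitioned(pageUrl, linkUrl) {
    return this.visits.has(new URL(linkUrl, pageUrl).href);
  }

  // Segmented history: an off-site link is styled as visited only if the
  // user previously followed it from a page on the current site.
  partitioned(pageUrl, linkUrl) {
    const page = new URL(pageUrl);
    const link = new URL(linkUrl, page);
    const from = this.visits.get(link.href);
    if (!from) return false;                       // never visited at all
    if (link.origin === page.origin) return true;  // same-site link (assumption)
    return from.has(page.origin);                  // off-site: need a visit from here
  }
}

function demo() {
  const h = new SegmentedHistory();
  h.recordVisit("https://bank.example/login", null);
  h.recordVisit("https://news.example/story", "https://blog.example/post");
  const other = "https://tracker.example/page"; // a site the user never clicked from
  return {
    globalReveals: h.unpartitioned(other, "https://bank.example/login"),
    segmentedReveals: h.partitioned(other, "https://bank.example/login"),
    originatingSite: h.partitioned("https://blog.example/other", "https://news.example/story"),
    unrelatedSite: h.partitioned(other, "https://news.example/story"),
    sameSite: h.partitioned("https://bank.example/", "/login"),
  };
}

console.log(demo());
```

Only the site that originally linked the user to a page, or the page's own site, still sees the link as visited; every other site gets the unvisited style.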
Stanford SafeHistory
Protecting Browser State Using Same Origin Policy (PDF)
Previously:
Detect which sites a web user visits
5 thoughts on “SafeHistory: protect your privacy from visited link analysis”
This would seem a great way to generate a barcode on the client side, just convert a barcode font, and generate from plaintext. A nice way to avoid using (learning) image generation server-side.
But if you can’t mark or copy the text then it’s just like an image.