A couple of days ago I wrote about the visited link javascript hack that lets any website operator query a user’s browser history to determine if they’ve visited any other particular site. One possible use for this is to detect which Web2.0 social applications a user visits so that you can display the appropriate link badges.
It’s a creepy scenario, though, that a website operator can effectively bypass the browser’s intended security model to invade your privacy by seeing if you’ve been visiting other sites. Hackszine reader Logical Extremes commented with a solution to this problem:
This is a common phishing vector. Rather than encouraging broader use, we should be educating and protecting against it. There is a Firefox add-on that explicitly blocks this.
Some hackers over at the Stanford Computer Science Department created SafeHistory, a Firefox plugin that protects against visited link tracking techniques. It works by only allowing the a:visited property to apply to off-site links that were previously visited from the current URL.
This seems to be a reasonable way to keep the functionality of visited links without leaking any additional information. I wonder how long it will be before this is adopted as a browser behavior standard.
Stanford SafeHistory
Protecting Browser State Using Same Origin Policy (PDF)
Previously:
Detect which sites a web user visits
ADVERTISEMENT
