Up until mid-2010, any rogue website could get a good sense of your browsing habits by specifying a distinctive
:visitedpseudo-class, rendering thousands of interesting URLs off-screen, and then calling the
getComputedStyleAPI to figure out which pages appear in your browser's history.
After some deliberation, browser vendors have closed this loophole by disallowing almost all attributes in
:visitedselectors, spare for the ability to alter text, foreground, and background colors for such links. The APIs have been also redesigned to prevent the disclosure of this color information via
This workaround did not fully eliminate the ability to probe your browsing history, but limited it to scenarios where the user can be tricked into unwittingly feeding the style information back to the website, disclosing information about one URL at a time. Several fairly convincing attack vectors have been demonstrated - my own entry can be found here - but they generally require roughly one click per every visited URL. In other words, the whole thing doesn't scale particularly well.
The practicality of such CSS-based history snooping attacks could be improved greatly if we had a way to design an n-to-2n decoder circuit with the styling elements available on visited links.
Stay up-to-date by subscribing to the Comments RSS Feed for this post.