Anne van Kesteren

':visited' privacy issue

TumTum on IRC ( rocks :-)) told me this:



  1. Is the visited state accessible via Javascript? If so, that opens up a whole new world of evil. Targeted ads based on which competitors the user has visited recently... Not to mention any number of delicious pranks.

    Posted by Mark at

  2. This is actually old news. Check out Browserspy's test. The test indeed demonstrates that you can read this information via Javascript.

    Posted by Arve at

  3. @mark: You wouldn't really need javascript, you could point the link to a php page as well that once it's clicked redirects the user to the page that you specified when the background-image was loaded.

    Posted by TumTum at

  4. The point was to be able to alter the page based on the user's history, without the user doing anything. And Arve's link proves you can -- set a :visited color for the link, then check link.currentStyle.color. Sweet!

    Posted by Mark at

  5. Yes, playing with :visited is very øvil...

    Posted by Moose at

  6. That's a nice "trick" indeed...

    Posted by Mark Wubben at

  7. Actually, Mark, :visited styles deserve inclusion in your diveintoaccessibility guide, as an example of what not to do. If more people do what I did, all hell will break loose. It's the CSS equivalent of blinking marquees, but is ultra-hard to disable, and is totally destructive.

    Posted by Moose at

  8. Anne, the time displayed for comments is borked on your blog. I posted the first comment half an hour ago, and the time is shown as differing by several seconds, and backwards. Me, I'm not a spammer :)

    Posted by Moose at

  9. Thanks Moose, I used "H:m:s" instead of "H:i:s" (m is for months, not minutes...).

    I like your demo by the way, nice!

    Posted by Anne at

  10. I've been writing a little about this (Dutch) this morning. It shows the same Javascript approach as linked to by Arve, I wasn't aware of that untill just now.

    (For non-dutch readers: click the first sentence of the main article in a Mozilla based browser and you've missed nothing.)

    I think this is a pretty nasty issue by the way and don't see an obvious way for browsers to prevent it. Of course, the background image attack can be solved by disabling background images on visited links in your user-stylesheet. But the Javascript attack?

    Posted by Martijn at