Anne van Kesteren

':visited' privacy issue

TumTum on IRC (#mozilla.nl rocks :-)) told me this:

a[href="http://annevankesteren.nl"]:visited{
 background-image:url(/image?url=annevankesteren.nl);
}
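
A defensive check for the pattern above, as an added example that is not part of the original post: it scans a stylesheet for :visited rules whose declarations reference a url(), which is what lets a server learn that the link was visited. The function name and the sample stylesheet are constructed for illustration, and the regex-based parsing is a heuristic, not a full CSS parser.

```javascript
// Added example (not from the original post): audit a stylesheet for :visited
// rules whose declarations make the browser fetch a URL.
// findVisitedFetchRules and SAMPLE_CSS are constructed for illustration.
function findVisitedFetchRules(cssText) {
  // Drop comments first so commented-out rules are not reported.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  const findings = [];
  // Innermost "selector { declarations }" pairs. Rules nested in @media are
  // covered too, because the pattern cannot span a brace.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  // "property: value", where the value may contain (...) groups holding ';'.
  const declRe = /([\w-]+)\s*:\s*((?:[^;(]|\([^)]*\))*)/g;
  // url(...) with optional matching quotes around the target.
  const urlRe = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;
  for (const rule of css.matchAll(ruleRe)) {
    const selector = rule[1].trim();
    if (!/:visited\b/i.test(selector)) continue; // only :visited rules matter
    for (const decl of rule[2].matchAll(declRe)) {
      for (const u of decl[2].matchAll(urlRe)) {
        findings.push({ selector, property: decl[1].toLowerCase(), url: u[2] });
      }
    }
  }
  return findings;
}

// Constructed sample: the rule from the post plus benign and nested rules.
const SAMPLE_CSS = `
/* a:visited { background: url(/commented-out) } */
a:link { color: blue; background-image: url(/static/link.png); }
a[href="http://annevankesteren.nl"]:visited{
 background-image:url(/image?url=annevankesteren.nl);
}
a:visited { color: purple; }
@media screen {
  li a:visited:hover { list-style-image: url("/img/bullet.png"); }
}
`;

for (const f of findVisitedFetchRules(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.property} fetches ${f.url}`);
}
```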

Comments

  1. Is the visited state accessible via Javascript? If so, that opens up a whole new world of evil. Targeted ads based on which competitors the user has visited recently... Not to mention any number of delicious pranks.

    Posted by Mark at

  2. This is actually old news. Check out Browserspy's test. The test indeed demonstrates that you can read this information via Javascript.

    Posted by Arve at

  3. @mark: You wouldn't really need javascript, you could point the link to a php page as well that once it's clicked redirects the user to the page that you specified when the background-image was loaded.

    Posted by TumTum at

  4. The point was to be able to alter the page based on the user's history, without the user doing anything. And Arve's link proves you can -- set a :visited color for the link, then check link.currentStyle.color. Sweet!

    Posted by Mark at

  5. Yes, playing with :visited is very øvil...

    Posted by Moose at

  6. That's a nice "trick" indeed...

    Posted by Mark Wubben at

  7. Actually, Mark, :visited styles deserve inclusion in your diveintoaccessibility guide, as an example of what not to do. If more people do what I did, all hell will break loose. It's the CSS equivalent of blinking marquees, but is ultra-hard to disable, and is totally destructive.

    Posted by Moose at

  8. Anne, the time displayed for comments is borked on your blog. I posted the first comment half an hour ago, and the time is shown as differing by several seconds, and backwards. Me, I'm not a spammer :)

    Posted by Moose at

  9. Thanks Moose, I used "H:m:s" instead of "H:i:s" (m is for months, not minutes...).

    I like your demo by the way, nice!

    Posted by Anne at

  10. I've been writing a little about this (Dutch) this morning. It shows the same Javascript approach as linked to by Arve; I wasn't aware of that until just now.

    (For non-Dutch readers: click the first sentence of the main article in a Mozilla-based browser and you've missed nothing.)

    I think this is a pretty nasty issue by the way and don't see an obvious way for browsers to prevent it. Of course, the background image attack can be solved by disabling background images on visited links in your user-stylesheet. But the Javascript attack?

    Posted by Martijn at