User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160726073904

Steps to reproduce:
I searched for the history / CSS hack and found e.g. http://www.web-tuts.de/css-history-hacks-auslesen-von-besuchten-webseiten.html
On that German site it is described that, due to a "CSS hack" in some browsers (as well as my Firefox branch 48), you can generate lists of URLs and check if the user has any of these URLs in his history.
Here are the proofs:
http://www.web-tuts.de/demo/history-hack-css.php
http://www.web-tuts.de/demo/history-hack-js.html

Actual results:
It worked with my browser, meaning that on
http://www.web-tuts.de/demo/history-hack-css.php
http://www.web-tuts.de/demo/history-hack-js.html
the websites I visited were marked.

Expected results:
No one should be able to check my history to see if I was on certain websites.
OS: Unspecified → All
Hardware: Unspecified → All
Those proofs don't work for me. Do they work with a clean profile, or do they need some configuration?
(In reply to Tooru Fujisawa [:arai] from comment #1)
> those proofs don't work for me.
> do they work with clean profile, or need some configuration?

Hi Tooru, since the hack checks if a certain URL is in your history, I guess it still works with a clean profile, but since you don't have any entries in your clean profile, the CSS hack can't match any URL (because your list of visited URLs (= history) is empty).
Yes, I mean, run Firefox with a clean profile and click those links. The rendered color of those links is changed, but none of them is moved to the "Besuchte Webseiten" list.
Ahh, I see what you mean. I guess it's a "bug" of that website, since the list of "Besuchte Webseiten:" (visited websites) is always empty, although I visited some webpages (which are always in the list of "Noch nicht besuchte Webseiten:" (still not visited websites), but they are marked as soon as I visit the page).
Btw: according to that website http://www.web-tuts.de/css-history-hacks-auslesen-von-besuchten-webseiten.html the origin of that bug is the way browsers save links in the history if they are already followed. ("Die Ursache der Sicherheitslücke ist die Art, wie ein Browser speichert, ob ein Link bereits gefolgt wurde.")
Do you confirm the CSS hack working somewhere with Firefox 48? The CSS hack mentioned on the website has already been fixed in a way old version (bug 147777 and bug 557287), so, unless the website is talking about a regression or a remaining flaw after that, it won't work. (And I think the page is so old...)
(In reply to Tooru Fujisawa [:arai] from comment #6)
> do you confirm the CSS hack working in somewhere with Firefox 48?
>
> the CSS hack mentioned in the website have already been fixed in way old
> version (bug 147777 and bug 557287),
> so, unless the website is saying about regression or remaining flaw after
> that, it won't work.
> (and I think the page is so old...)

I read how to report a bug on https://developer.mozilla.org/de/docs/Richtlinien_zum_Schreiben_eines_Bugreports and I also updated my Firefox. So I definitely confirm that I tried it with Firefox 48 (I just checked it again: "Help" -> "About Firefox", and it says my Firefox 48 is up to date). Couldn't you reproduce that bug with your Firefox? Btw: I'm using different profiles (one for Facebook and profiles for other issues), but I don't think this changes the circumstances.
It's not reproducible for me. As you wrote in comment #4, the "Besuchte Webseiten:" list is always empty for you, right? It means the hack is not working.
Yes, that's right, the list of "Besuchte Webseiten:" (visited websites) is always empty. But all the links to websites in the list "Noch nicht besuchte Webseiten:" (still not visited websites) that I have visited are red, the others blue. To see what I mean, and to see that there is still a way (in Firefox 48) to check if one visited certain URLs, you can download the video (177 MB :/ ) at: https://www.dropbox.com/s/h0ra3jzohzexrdv/css-hack.mp4?dl=0
Ahh, I see, so it was a false alarm. Sorry for that! Markus
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
There is something I still don't understand. So can the JavaScript of my browser check which URLs I have visited (but not the website itself)? How come the rendered color of these links is changed? So if the JavaScript of my browser can check if I visited a URL, by using AJAX techniques of JavaScript it should be easy to send that information to a server, no?
These documents explain how it's fixed.
https://developer.mozilla.org/en-US/docs/Web/CSS/:visited
https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector
In short, it returns non-visited style even if it's visited and rendered as visited.
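The behaviour described in the last comment can be checked from a page script. The following is an added example, not part of the bug thread or of Firefox's code: the function name `visitedStyleLeaks` and the control URL are constructed for illustration. It compares the computed colour of each link with that of a link that cannot be in history; a browser with the fix reports no difference even when the link is painted as visited.

```javascript
// Added example: regression check for the :visited mitigation.
// Returns the hrefs whose computed colour differs from that of a link
// that cannot be in history. A browser with the fix returns [].
function visitedStyleLeaks(doc, win, hrefs) {
  // Constructed control URL: random label under the reserved .invalid TLD,
  // so it can never have been visited.
  const control =
    'https://probe-' + Math.random().toString(36).slice(2) + '.invalid/';

  // Both probes live in one container so they inherit identical styles.
  const box = doc.createElement('div');
  doc.body.appendChild(box);

  const colourOf = (href) => {
    const a = doc.createElement('a');
    a.href = href;
    a.textContent = 'probe';
    box.appendChild(a);
    // What script is allowed to observe, not what is painted on screen.
    const colour = win.getComputedStyle(a).color;
    box.removeChild(a);
    return colour;
  };

  try {
    const baseline = colourOf(control);
    return hrefs.filter((href) => colourOf(href) !== baseline);
  } finally {
    doc.body.removeChild(box);
  }
}

// In a browser console: check every link on the current page.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const hrefs = Array.from(document.links, (a) => a.href);
  console.log('links leaking visited state:',
    visitedStyleLeaks(document, window, hrefs));
}
```

An empty result alongside visibly recoloured links is the expected outcome: the colour change is applied at paint time and is not exposed to script.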