Mozilla to Tackle Browser CSS History Privacy Leak
All browsers can be exploited to reveal the websites that you’ve visited; that is, all the websites in your browser’s history list. The technique is fiendishly simple. Apply a rule to a link using the CSS
Well, Mozilla has announced a strategy they’re adopting to tackle the issue, which will have some repercussions for web designers. And they’re hoping other browser makers will follow suit. It involves three major changes to the Mozilla codebase that will affect browser behavior:
- Visited links can only be differentiated by color: foreground, background, outline, border, SVG stroke, and fill colors.
- All style rules for visited and unvisited links will be resolved at the same time, and before any link styles are applied.
Surprisingly, this strategy is compliant with the CSS 2.1 specification, which states:
UAs may therefore treat all links as unvisited links, or implement other measures to preserve the user’s privacy while rendering visited and unvisited links differently.
I have to admit I was unaware of how big the problem is and how easy it is to exploit. But, after doing some reading on the subject, it seems like the right action to take. I’m also surprised that it has taken this long for a browser vendor to address the problem. I hope Mozilla’s example catches on.
In the comments to the Mozilla post people are already complaining that they often use background images to style visited links, and that color-blind users will be disadvantaged. What do you think of this strategy? Will any of your favorite CSS techniques have to be changed? Will this really have a big effect on your work or will it be easy to accommodate?
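To check your own stylesheets against the color-only restriction in the list above, here is an added example (not from the original post or from Mozilla): a small JavaScript linter that reports declarations in :visited rules that fall outside it. The property names are an assumed mapping of the post's list (foreground, background, outline, border, SVG stroke and fill colors); lintVisitedRules and the sample stylesheet are constructed for illustration.

```javascript
// Added example, not Mozilla's code: report :visited declarations that a
// color-only restriction would ignore. The property list is an assumed mapping.
const ALLOWED_VISITED_PROPS = new Set([
  "color", "background-color", "outline-color", "border-color",
  "border-top-color", "border-right-color", "border-bottom-color",
  "border-left-color", "stroke", "fill",
]);

// Constructed sample stylesheet.
const SAMPLE_CSS = `
a:link { color: #00c; }
a:visited { color: #609; background-image: url(check.png); padding-left: 16px; }
/* a:visited { font-weight: bold; } */
@media print {
  nav a:visited, nav a:hover { text-decoration: line-through; border-color: gray; }
}
svg a:visited path { fill: purple; stroke: black; }
`;

function lintVisitedRules(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  // Matches innermost "selector { declarations }" blocks, so rules nested
  // inside @media are found as well.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const visited = m[1].split(",").map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    // Simplification: splitting on ";" assumes no ";" inside url(...) values.
    for (const decl of m[2].split(";")) {
      const idx = decl.indexOf(":");
      if (idx === -1) continue;
      const property = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      // Shorthands (background, border) are reported too, since they can
      // carry non-color parts such as an image or a width.
      if (property && !ALLOWED_VISITED_PROPS.has(property)) {
        findings.push({ selector: visited.join(", "), property, value });
      }
    }
  }
  return findings;
}

console.log(lintVisitedRules(SAMPLE_CSS));
```

Each finding names the selector, property and value, which gives a list of visited-link styles to redesign using color alone.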