Mozilla to Tackle Browser CSS History Privacy Leak

Share this article

All browsers can be exploited to reveal the websites that you’ve visited; that is, all the websites in your browser’s history list. The technique is fiendishly simple. Apply a rule to a link using the CSS :visited selector that either applies a background image or a color. Then, either query the property with JavaScript to see if the value was applied, or make a unique URL to the background image for each link you’re testing that records the information server side. There are ready-made libraries available that can check large numbers of URLs very quickly — I’m talking hundreds of thousands per minute.

Well, Mozilla has announced a strategy they’re adopting to tackle the issue, which will have some repercussions for web designers. And they’re hoping other browser makers will follow suit. It involves three major changes to the Mozilla codebase that will affect browser behavior:

  1. Visited links can only be differentiated by color: foreground, background, outline, border, SVG stroke, and fill colors.
  2. All style rules for visited and unvisited links will be resolved at the same time, and before any link styles are applied.
  3. When JavaScript is used to query the computed style of links, only the unvisited style values will be returned.

Surprisingly this strategy is compliant with the CSS 2.1 specification, which states:

UAs may therefore treat all links as unvisited links, or implement other measures to preserve the user’s privacy while rendering visited and unvisited links differently.

I have to admit I was unaware of how big the problem is and how easy it is to exploit. But, after doing some reading on the subject, it seems like the right action to take. I’m also surprised that it has taken this long for a browser vendor to address the problem. I hope Mozilla’s example catches on.

In the comments to the Mozilla post people are already complaining that they often use background images to style visited links, and that color-blind users will be disadvantaged. What do you think of this strategy? Will any of your favorite CSS techniques have to be changed? Will this really have a big effect on your work or will it be easy to accommodate?

Andrew TetlawAndrew Tetlaw
View Author

iOS Developer, sometimes web developer and Technical Editor.

Share this article
Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week
Loading form