If you know CSS, then you know that the :visited
pseudo-class is a method to determine if a user has already been to the link it targets. For example, you may have styles for a:link
and a:visited
in your CSS file to help users see a difference between links they've clicked and links they haven't. Combine this with the getComputerStyle
method in JavaScript and an author can conceivably figure out all the sites you've visited. This issue has prompted Mozilla to announce changes to how the :visited
selector will work.
The Mozilla Hacks blog outlines how these changes will affect web sites and web developers. At the high level:
getComputedStyle
(and similar functions likequerySelector
) will lie. They will always return values as if a user has never visited a site.- You will still be able to visually style visited links, but you're severely limited in what you can use. Mozilla is limiting the CSS properties that can be used to style visited links to
color
,background-color
,border-*-color
, andoutline-color
and the color parts of thefill
andstroke
properties. For any other parts of the style for visited links, the style for unvisited links is used instead. In addition, for the list of properties you can change above, you won't be able to set rgba() or hsla() colors ortransparent
on them.
They also note some subtle changes to how selectors will work. Mozilla acknowledges that these two items might be confusing and has promised some examples in the near future.
- If you use a sibling selector (combinator) like
:visited + span
then thespan
will be styled as if the link were unvisited. - If you're using nested link elements (rare) and the element being matched is different than the link whose presence in history is being tested, then the element will be drawn as if the link were unvisited as well.
The blog post points out a couple of areas that will probably require changes to existing sites:
- If you're using background images to style links and indicate if they are visited, that will no longer work.
- Mozilla won't support CSS Transitions that related to visitedness (I think they made that word up). There isn't that much CSS Transition content on the web, so this is unlikely to affect very many people.
Right now Mozilla cannot say what version of Firefox will get this change, but the post is intended to get us all ready for the impact in advance of that release.
Mozilla does admit that this won't fix all the potential security leaks of your browsing history (see the bug report). They do offer an option for minimizing your exposure to the other leaks, or to minimize yourself in your current release of Firefox until they get the fixes out:
...[V]ersion 3.5 and newer versions of Firefox already allow you to disable all visited styling (immediately stops this attack) by setting thelayout.css.visited_links_enabled
option inabout:config
tofalse
. While this will plug the history leak, you'll no longer see any visited styling anywhere.
Read more:
- privacy-related changes coming to CSS :vistited
- Plugging the CSS History Leak
- Preventing attacks on a user's history through CSS :visited selectors
- Bug 147777 - :visited support allows queries into global history
- What the Internet knows about you. This page checks your browser history and determines which of the 5000 most popular Internet websites you've recently visited.
0 comments:
Post a Comment