Friday, June 1st, 2007

Spyjax: Using a:visited to test your history

Category: JavaScript, Security

Spyjax can scare you, or excite you depending on what you want to do.

By using a simple JavaScript check on the CSS style on URLs, a script can work out if you have been there:


  1. function hasLinkBeenVisited(url) {
  2.     var link = document.createElement('a');
  3.     link.href = url;
  4.     document.body.appendChild(link);
  5.     if (link.currentStyle) {
  6.         var color = link.currentStyle.color;
  7.         if (color == '#ff0000')
  8.             return true;
  9.         return false;
  10.     } else {
  11.         link.setAttribute("href",url);
  12.         var computed_style = document.defaultView.getComputedStyle( link, null );
  13.         if (computed_style) {
  14.             if (computed_style.color == 'rgb(255, 0, 0)')
  15.                 return true;
  16.         }
  17.         return false;
  18.     }
  19. }

Couple this with the ability to chunk this over time, and you could quickly test a lot of URLs.


Posted by Dion Almaer at 1:27 am

3.8 rating from 37 votes


Comments feed TrackBack URI

This is most interesting ;)
Incredibly simple yet powerful. I’ve thought about it some time ago.

Anyways, I believe it will be considered a hack and blocked by browsers in the near future, same as cascading-killer-popups and other funny things, that have been invented since Netscape 3 :)

Have a great day!

Comment by Joustin — June 1, 2007

Technique from 2006 … … how exciting. Where are the cool new things, ah, I remember its Friday again ;-)

Comment by digitarald — June 1, 2007

Yep – this is just a rip off based on the work of Jeremiah Grossman and Robert Hansen. The PoCs included just ten or twenty URLs to test – this one seems to use over 10K URLs. This definitely crosses a border – bad stuff!

My 2cents…

Comment by .mario — June 1, 2007

While there’s nothing novel here, it’s nice to have that code wrapped up, free and ready to use. IIRC, the earlier PoCs had some problems with performance, not all of them were cross-browser and I don’t rememeber how they were licenced.

Comment by a hovering ox — June 1, 2007

Great thing)

Comment by dienow — June 1, 2007

Don’t complain that this project is nothing new. The guys at even state that.

Quote from

“based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri”

Comment by Stephan — June 1, 2007

-.- … here’s the quote:

“[…]based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri[…]”

Comment by Stephan — June 1, 2007

This is sad … do people not remember the article from August 25, 2006 on ajaxian.

Comment by Tahir Khan — June 1, 2007

except Grossman’s “Where have I been?” trick isn’t working (for me anyway) anymore

Comment by BillyG — June 1, 2007

I wrote the “web 2.0 awareness test” that checks around 45 URLs for fun, but a script that scans thousands of URLs with the potential to send the results somewhere is not, IMHO, very cool.

It has been a known potential issue for quite a long time (see this Mozilla bug from 2000 with :visited):

Comment by Scott Schiller — June 1, 2007

…thanks for the post and the info. This is good to know about. I, for one, did not know it was out there, guessing others didn’t too. Interesting stuff, thanks, Ajaxians

Comment by Mark Holton — June 1, 2007

wow, good stuff!!! very excited to try it out later tonight and see what I can find out.

Comment by Liming — June 1, 2007

Hah, changed the browser setting (firefox -> tools -> options -> content -> colors) to display both visited and unvisited links in same color and spyjax didn’t find jack … :)

Comment by Vasili Sviridov — June 1, 2007

Hey Everyone,
Thanks for commenting on Spyjax. I put a good amount of my free time into it over the course of a week or two. So it’s nice to see people talking about it!

Comment by Justin — June 1, 2007

Re Vasili: you can easily change the script to not check the visited color, but, for instance margin-right, or text-indent, or background-repeat or whatever…

As long as :visited is allowed in CSS and getComputedStyle/currentStyle is allowed and accurate in JS this will be a problem.

And if they block getComputedStyle for link-elements, I could, just as easily make sure my a:visited has side-effects on an ancestor-element (by setting display to block and height to 1000px for instance) and my script can detect it by checking that ancestor element.
And disabling all getComputedStyle/currentStyle-informaton will break a lot, if not all, animations/ajax/js.

So I don”t see a solution here. Except disabling :visited in CSS.

Comment by lon — June 1, 2007

Re Ion: that’s true. It’s pretty much a chicken and egg problem – I disable this, you enable that, and so on and so forth… For now i’ll just adblock the js and php with those names. Just in case :)

Comment by Vasili Sviridov — June 1, 2007

If you are using Firefox, this extension seems to protect against this attack:

Comment by Wodow — June 1, 2007

Leave a comment

You must be logged in to post a comment.