Friday, June 1st, 2007
Spyjax: Using a:visited to test your history
Spyjax can scare you or excite you, depending on what you want to do.
By reading the computed CSS style of a link from JavaScript, a script can work out whether you have visited its URL:
    // Assumes the page's stylesheet colors visited links red, e.g. a:visited { color: #ff0000 }
    function hasLinkBeenVisited(url) {
        var link = document.createElement('a');
        link.href = url;
        document.body.appendChild(link);
        if (link.currentStyle) {
            // Internet Explorer: currentStyle reports the color as written in the stylesheet
            var color = link.currentStyle.color;
            if (color == '#ff0000')
                return true;
            return false;
        } else {
            link.setAttribute("href", url);
            // Other browsers: getComputedStyle reports the color as an rgb() string
            var computed_style = document.defaultView.getComputedStyle(link, null);
            if (computed_style) {
                if (computed_style.color == 'rgb(255, 0, 0)')
                    return true;
            }
            return false;
        }
    }
Couple this with the ability to chunk the checks over time, and a script could quickly test a lot of URLs.

This is most interesting ;)
Incredibly simple yet powerful. I’ve thought about it some time ago.
Anyways, I believe it will be considered a hack and blocked by browsers in the near future, same as cascading-killer-popups and other funny things, that have been invented since Netscape 3 :)
Have a great day!
Technique from 2006 … http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html … how exciting. Where are the cool new things, ah, I remember it’s Friday again ;-)
Yep - this is just a rip off based on the work of Jeremiah Grossman and Robert Hansen. The PoCs included just ten or twenty URLs to test - this one seems to use over 10K URLs. This definitely crosses a border - bad stuff!
My 2cents…
.mario
While there’s nothing novel here, it’s nice to have that code wrapped up, free and ready to use. IIRC, the earlier PoCs had some problems with performance, not all of them were cross-browser and I don’t remember how they were licenced.
Great thing)
Don’t complain that this project is nothing new. The guys at Merchantos.com even state that.
Quote from http://www.merchantos.com/makebeta/tools/spyjax/:
-.- … here’s the quote:
“[...]based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri[...]”
This is sad … do people not remember the article from August 25, 2006 on ajaxian.
http://ajaxian.com/archives/its-friday-how-web-20-aware-are-you
except Grossman’s “Where have I been?” trick isn’t working (for me anyway) anymore
I wrote the “web 2.0 awareness test” that checks around 45 URLs for fun, but a script that scans thousands of URLs with the potential to send the results somewhere is not, IMHO, very cool.
It has been a known potential issue for quite a long time (see this Mozilla bug from 2000 with :visited):
https://bugzilla.mozilla.org/show_bug.cgi?id=57351
…thanks for the post and the info. This is good to know about. I, for one, did not know it was out there, guessing others didn’t too. Interesting stuff, thanks, Ajaxians
wow, good stuff!!! very excited to try it out later tonight and see what I can find out.
Hah, changed the browser setting (firefox -> tools -> options -> content -> colors) to display both visited and unvisited links in same color and spyjax didn’t find jack … :)
Hey Everyone,
Thanks for commenting on Spyjax. I put a good amount of my free time into it over the course of a week or two. So it’s nice to see people talking about it!
-justin
Re Vasili: you can easily change the script to not check the visited color, but, for instance margin-right, or text-indent, or background-repeat or whatever…
As long as :visited is allowed in CSS and getComputedStyle/currentStyle is allowed and accurate in JS this will be a problem.
And if they block getComputedStyle for link-elements, I could, just as easily make sure my a:visited has side-effects on an ancestor-element (by setting display to block and height to 1000px for instance) and my script can detect it by checking that ancestor element.
And disabling all getComputedStyle/currentStyle-information will break a lot, if not all, animations/ajax/js.
So I don’t see a solution here. Except disabling :visited in CSS.
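As an added example (not part of the original post, the comments, or Spyjax itself), here is one way to audit a stylesheet for :visited rules of the kinds discussed above: the color test from the post and the side-effect variants from the preceding comment. The sample CSS is constructed, and the function names and the color-only allowlist (modelled on the color-only restriction browsers later applied to :visited) are assumptions of this example.

```javascript
// Constructed sample stylesheet: the second rule is the red :visited color the
// post's script tests for; the third uses the side effects from the comments.
const SAMPLE_CSS = `
a { color: blue; text-indent: 0 }
a:visited { color: #ff0000 }
#probe a:visited { text-indent: 5px; display: block; height: 1000px }
a:hover { color: green }
`;

// Properties a :visited rule can change without affecting layout
// (assumed allowlist for this example, not taken from the page).
const COLOR_ONLY = new Set(['color', 'background-color', 'border-color',
  'border-top-color', 'border-right-color', 'border-bottom-color',
  'border-left-color', 'outline-color', 'column-rule-color',
  'text-decoration-color', 'fill', 'stroke']);

// Parse flat "selector { prop: value; ... }" rules (no @media nesting),
// which is enough for auditing a small widget stylesheet.
function parseRules(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  for (const m of stripped.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const decls = m[2].split(';').map(d => d.split(':'))
      .filter(p => p.length >= 2)
      .map(p => ({ prop: p[0].trim().toLowerCase(),
                   value: p.slice(1).join(':').trim() }));
    for (const sel of m[1].split(',')) rules.push({ selector: sel.trim(), decls });
  }
  return rules;
}

// Report every declaration under a :visited selector and classify it by
// what a script would have to read in order to observe it.
function auditVisited(css) {
  const findings = [];
  for (const { selector, decls } of parseRules(css)) {
    if (!/:visited\b/i.test(selector)) continue;
    for (const { prop, value } of decls) {
      findings.push({ selector, prop, value,
        channel: COLOR_ONLY.has(prop) ? 'computed-color' : 'layout-side-effect' });
    }
  }
  return findings;
}

console.log(auditVisited(SAMPLE_CSS));
```

Findings marked `layout-side-effect` are the ones that remain observable through an ancestor element's geometry even when the link's own computed style is hidden from scripts.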
Re Ion: that’s true. It’s pretty much a chicken and egg problem - I disable this, you enable that, and so on and so forth… For now I’ll just adblock the js and php with those names. Just in case :)
I read a poll published Oct 27, 2004 from Bentley College that states “49 percent of internet users are not aware of security flaws in Internet browsers”. Further, “48 percent are rarely sure or are unsure that sensitive information is encrypted before transmitting it over the Internet”. I’m sure that these figures have changed slightly since the end of 2004, but I don’t think public awareness of Internet security issues has significantly changed. Very few internet businesses even address browser security issues beyond general warnings. For the most part web publishers seem dependent on these kinds of tracking tools to target potential customers or deliver targeted ads.
The answer to browser and identity security concerns isn’t solved by updating browsers or turning off javascript. Statistics show that a little less than half of all Internet users are even aware of security flaws. You will find significantly fewer people aware of the vast amount of personal information being collected, let alone the intrusive methods that are used to collect that information. In regard to these issues the average internet user would probably see words like “javascript” and “cookie” as tech-talk and ignore Internet security issues altogether. Put more simply, the language used to describe security problems is far too technical and no good simple answers are available.
It would be interesting to see internet companies ranked against each other on these security issues. Google publicly acknowledges that it mines a lot of data by tracking links, parsing email, and using persistent cookies; whereas http://christonium.com lets you turn ads off, does not use persistent cookies and protects all of your content from caching. Anyone can put up just about anything on myspace; and whatever that is certainly doesn’t take user security or privacy into consideration.
I personally believe that the solution to these problems is for publishers to create web applications that are profitable or popular because they are useful, like linkedin, wikipedia, salesforce and christonium.com. What I see proliferating on the web are advertisers that are skillful at manipulating users to click on targeted advertisements. Google, myspace, facebook, youtube, yahoo, and the like don’t currently fit into that kind of business plan because they’re all dependent on maintaining high ad revenues and current business/marketing plans for survival.
If you are using Firefox, this extension seems to protect against this attack:
http://safehistory.com/