Friday, June 1st, 2007
Spyjax: Using a:visited to test your history
Spyjax can scare you or excite you, depending on what you want to do.
By using JavaScript to read back the CSS style that an a:visited rule gives to a link, a script can work out whether you have visited that URL:
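    // Returns true if the browser styles a link to `url` as visited.
    // Assumes the page's CSS contains a rule such as: a:visited { color: #ff0000 }
    function hasLinkBeenVisited(url) {
        var link = document.createElement('a');
        link.href = url;
        document.body.appendChild(link);
        if (link.currentStyle) {
            // Internet Explorer: currentStyle reports the color as written in the CSS
            var color = link.currentStyle.color;
            if (color == '#ff0000')
                return true;
            return false;
        } else {
            link.setAttribute("href", url);
            // Other browsers: getComputedStyle reports the color as rgb(...)
            var computed_style = document.defaultView.getComputedStyle(link, null);
            if (computed_style) {
                if (computed_style.color == 'rgb(255, 0, 0)')
                    return true;
            }
            return false;
        }
    }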
Couple this with the ability to chunk this over time, and you could quickly test a lot of URLs.





This is most interesting ;)
Incredibly simple yet powerful. I’ve thought about it some time ago.
Anyways, I believe it will be considered a hack and blocked by browsers in the near future, same as cascading-killer-popups and other funny things, that have been invented since Netscape 3 :)
Have a great day!
Technique from 2006 … http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html … how exciting. Where are the cool new things, ah, I remember it’s Friday again ;-)
Yep – this is just a rip off based on the work of Jeremiah Grossman and Robert Hansen. The PoCs included just ten or twenty URLs to test – this one seems to use over 10K URLs. This definitely crosses a border – bad stuff!
My 2cents…
.mario
While there’s nothing novel here, it’s nice to have that code wrapped up, free and ready to use. IIRC, the earlier PoCs had some problems with performance, not all of them were cross-browser and I don’t remember how they were licenced.
Great thing)
Don’t complain that this project is nothing new. The guys at Merchanto.com even state that.
Quote from http://www.merchantos.com/makebeta/tools/spyjax/:
-.- … here’s the quote:
“[…]based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri[…]”
This is sad … do people not remember the article from August 25, 2006 on ajaxian.
http://ajaxian.com/archives/its-friday-how-web-20-aware-are-you
except Grossman’s “Where have I been?” trick isn’t working (for me anyway) anymore
I wrote the “web 2.0 awareness test” that checks around 45 URLs for fun, but a script that scans thousands of URLs with the potential to send the results somewhere is not, IMHO, very cool.
It has been a known potential issue for quite a long time (see this Mozilla bug from 2000 with :visited):
https://bugzilla.mozilla.org/show_bug.cgi?id=57351
…thanks for the post and the info. This is good to know about. I, for one, did not know it was out there, guessing others didn’t too. Interesting stuff, thanks, Ajaxians
wow, good stuff!!! very excited to try it out later tonight and see what I can find out.
Hah, changed the browser setting (firefox -> tools -> options -> content -> colors) to display both visited and unvisited links in same color and spyjax didn’t find jack … :)
Hey Everyone,
Thanks for commenting on Spyjax. I put a good amount of my free time into it over the course of a week or two. So it’s nice to see people talking about it!
-justin
Re Vasili: you can easily change the script to not check the visited color, but, for instance margin-right, or text-indent, or background-repeat or whatever…
As long as :visited is allowed in CSS and getComputedStyle/currentStyle is allowed and accurate in JS this will be a problem.
And if they block getComputedStyle for link-elements, I could, just as easily make sure my a:visited has side-effects on an ancestor-element (by setting display to block and height to 1000px for instance) and my script can detect it by checking that ancestor element.
And disabling all getComputedStyle/currentStyle-information will break a lot, if not all, animations/ajax/js.
So I don’t see a solution here. Except disabling :visited in CSS.
Re Ion: that’s true. It’s pretty much a chicken and egg problem – I disable this, you enable that, and so on and so forth… For now I’ll just adblock the js and php with those names. Just in case :)
If you are using Firefox, this extension seems to protect against this attack:
http://safehistory.com/
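
The comments above note that making visited and unvisited links the same color is not enough, because any property an a:visited rule sets can be read back, and that the remaining option is to disable :visited in CSS. As an added example (not part of the original post and not Spyjax code), this Node.js sketch lists every property a stylesheet's :visited rules set and emits a copy with those selectors removed. The function names, the sample stylesheet and the flat-CSS restriction (no nested @media blocks) are assumptions of this example.

```javascript
// Added example: audit a stylesheet for :visited rules and disable them.
// Assumption: flat CSS, i.e. no nested at-rules such as @media.
const VISITED = /:visited\b/i;

// Split "selectors { declarations }" rules after stripping CSS comments.
function parseRules(cssText) {
  const rules = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selectors = m[1].split(',').map(s => s.trim()).filter(Boolean);
    const declarations = m[2].split(';')
      .map(d => d.trim()).filter(d => d.includes(':'))
      .map(d => {
        const i = d.indexOf(':');
        return { property: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selectors, declarations });
  }
  return rules;
}

// Every property set under a :visited selector is a value a script could
// read back through getComputedStyle/currentStyle, so report all of them.
function auditVisited(cssText) {
  const findings = [];
  for (const rule of parseRules(cssText)) {
    const hits = rule.selectors.filter(s => VISITED.test(s));
    if (hits.length === 0) continue;
    for (const d of rule.declarations)
      findings.push({ selector: hits.join(', '), property: d.property, value: d.value });
  }
  return findings;
}

// Rebuild the stylesheet without :visited selectors; rules left with no
// selector are dropped, other selectors in the same rule are kept.
function stripVisited(cssText) {
  return parseRules(cssText)
    .map(r => ({ ...r, selectors: r.selectors.filter(s => !VISITED.test(s)) }))
    .filter(r => r.selectors.length > 0)
    .map(r => `${r.selectors.join(', ')} { ${r.declarations.map(d => `${d.property}: ${d.value}`).join('; ')} }`)
    .join('\n');
}

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
a { color: #0000ff }
a:visited { color: #ff0000 }   /* the rule the check in the post relies on */
a:link, a:visited { text-indent: 1px }
#wrap a:visited { display: block; height: 1000px }
`;
```

`auditVisited(SAMPLE_CSS)` flags the layout properties as well as the color, and running `auditVisited` on the output of `stripVisited(SAMPLE_CSS)` returns no findings.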