Comments on: Spyjax: Using a:visited to test your history http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history Cleaning up the web with Ajax Thu, 17 May 2012 07:43:39 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Wodow http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251104 Wodow Fri, 01 Jun 2007 23:51:21 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251104 If you are using Firefox, this extension seems to protect against this attack: http://safehistory.com/ If you are using Firefox, this extension seems to protect against this attack:

http://safehistory.com/

]]> By: Vasili Sviridov http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251100 Vasili Sviridov Fri, 01 Jun 2007 20:59:39 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251100 Re Ion: that's true. It's pretty much a chicken and egg problem - I disable this, you enable that, and so on and so forth... For now i'll just adblock the js and php with those names. Just in case :) Re Ion: that’s true. It’s pretty much a chicken and egg problem – I disable this, you enable that, and so on and so forth… For now i’ll just adblock the js and php with those names. Just in case :)

]]> By: lon http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251099 lon Fri, 01 Jun 2007 20:53:23 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251099 Re Vasili: you can easily change the script to not check the visited color, but, for instance margin-right, or text-indent, or background-repeat or whatever... As long as :visited is allowed in CSS and getComputedStyle/currentStyle is allowed and accurate in JS this will be a problem. And if they block getComputedStyle for link-elements, I could, just as easily make sure my a:visited has side-effects on an ancestor-element (by setting display to block and height to 1000px for instance) and my script can detect it by checking that ancestor element. And disabling all getComputedStyle/currentStyle-informaton will break a lot, if not all, animations/ajax/js. So I don''t see a solution here. Except disabling :visited in CSS. Re Vasili: you can easily change the script to not check the visited color, but, for instance margin-right, or text-indent, or background-repeat or whatever…

As long as :visited is allowed in CSS and getComputedStyle/currentStyle is allowed and accurate in JS this will be a problem.

And if they block getComputedStyle for link-elements, I could, just as easily make sure my a:visited has side-effects on an ancestor-element (by setting display to block and height to 1000px for instance) and my script can detect it by checking that ancestor element.
And disabling all getComputedStyle/currentStyle-informaton will break a lot, if not all, animations/ajax/js.

So I don”t see a solution here. Except disabling :visited in CSS.

]]> By: Justin http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251098 Justin Fri, 01 Jun 2007 19:35:25 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251098 Hey Everyone, Thanks for commenting on Spyjax. I put a good amount of my free time into it over the course of a week or two. So it's nice to see people talking about it! -justin Hey Everyone,
Thanks for commenting on Spyjax. I put a good amount of my free time into it over the course of a week or two. So it’s nice to see people talking about it!
-justin

]]> By: Vasili Sviridov http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251097 Vasili Sviridov Fri, 01 Jun 2007 19:05:38 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251097 Hah, changed the browser setting (firefox -> tools -> options -> content -> colors) to display both visited and unvisited links in same color and spyjax didn't find jack ... :) Hah, changed the browser setting (firefox -> tools -> options -> content -> colors) to display both visited and unvisited links in same color and spyjax didn’t find jack … :)

]]> By: Liming http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251094 Liming Fri, 01 Jun 2007 18:43:29 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251094 wow, good stuff!!! very excited to try it out later tonight and see what I can find out. wow, good stuff!!! very excited to try it out later tonight and see what I can find out.

]]> By: Mark Holton http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251088 Mark Holton Fri, 01 Jun 2007 16:29:43 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251088 ...thanks for the post and the info. This is good to know about. I, for one, did not know it was out there, guessing others didn't too. Interesting stuff, thanks, Ajaxians …thanks for the post and the info. This is good to know about. I, for one, did not know it was out there, guessing others didn’t too. Interesting stuff, thanks, Ajaxians

]]> By: Scott Schiller http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251087 Scott Schiller Fri, 01 Jun 2007 15:54:58 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251087 I wrote the "web 2.0 awareness test" that checks around 45 URLs for fun, but a script that scans thousands of URLs with the potential to send the results somewhere is not, IMHO, very cool. It has been a known potential issue for quite a long time (see this Mozilla bug from 2000 with :visited): https://bugzilla.mozilla.org/show_bug.cgi?id=57351 I wrote the “web 2.0 awareness test” that checks around 45 URLs for fun, but a script that scans thousands of URLs with the potential to send the results somewhere is not, IMHO, very cool.

It has been a known potential issue for quite a long time (see this Mozilla bug from 2000 with :visited):
https://bugzilla.mozilla.org/show_bug.cgi?id=57351

]]> By: BillyG http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251085 BillyG Fri, 01 Jun 2007 15:47:19 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251085 except Grossman's "Where have I been?" trick isn't working (for me anyway) anymore except Grossman’s “Where have I been?” trick isn’t working (for me anyway) anymore

]]> By: Tahir Khan http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251084 Tahir Khan Fri, 01 Jun 2007 15:29:25 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251084 This is sad … do people not remember the article from August 25, 2006 on ajaxian. http://ajaxian.com/archives/its-friday-how-web-20-aware-are-you This is sad … do people not remember the article from August 25, 2006 on ajaxian.
http://ajaxian.com/archives/its-friday-how-web-20-aware-are-you

]]> By: Stephan http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251079 Stephan Fri, 01 Jun 2007 11:19:34 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251079 -.- ... here's the quote: "[...]based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri[...]" -.- … here’s the quote:

“[...]based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri[...]“

]]> By: Stephan http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251078 Stephan Fri, 01 Jun 2007 11:17:48 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251078 Don't complain that this project is nothing new. The guys at Merchanto.com even state that. Quote from http://www.merchantos.com/makebeta/tools/spyjax/: <blockquote>"based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri"</blockquote> Don’t complain that this project is nothing new. The guys at Merchanto.com even state that.

Quote from http://www.merchantos.com/makebeta/tools/spyjax/:

“based on the Hey you! Where have you been? blog post by Peter van der Graaf and script from Jeremiah Grossman and Robert Cabri”

]]> By: dienow http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251077 dienow Fri, 01 Jun 2007 10:56:32 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251077 Great thing) Great thing)

]]> By: a hovering ox http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251075 a hovering ox Fri, 01 Jun 2007 09:25:49 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251075 While there's nothing novel here, it's nice to have that code wrapped up, free and ready to use. IIRC, the earlier PoCs had some problems with performance, not all of them were cross-browser and I don't rememeber how they were licenced. While there’s nothing novel here, it’s nice to have that code wrapped up, free and ready to use. IIRC, the earlier PoCs had some problems with performance, not all of them were cross-browser and I don’t rememeber how they were licenced.

]]> By: .mario http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251074 .mario Fri, 01 Jun 2007 08:22:52 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251074 Yep - this is just a rip off based on the work of Jeremiah Grossman and Robert Hansen. The PoCs included just ten or twenty URLs to test - this one seems to use over 10K URLs. This definitely crosses a border - bad stuff! My 2cents... .mario Yep – this is just a rip off based on the work of Jeremiah Grossman and Robert Hansen. The PoCs included just ten or twenty URLs to test – this one seems to use over 10K URLs. This definitely crosses a border – bad stuff!

My 2cents…
.mario

]]> By: digitarald http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251072 digitarald Fri, 01 Jun 2007 07:28:22 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251072 Technique from 2006 ... http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html ... how exciting. Where are the cool new things, ah, I remember its Friday again ;-) Technique from 2006 … http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html … how exciting. Where are the cool new things, ah, I remember its Friday again ;-)

]]> By: Joustin http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history/comment-page-1#comment-251071 Joustin Fri, 01 Jun 2007 07:25:29 +0000 http://ajaxian.com/archives/spyjax-using-avisited-to-test-your-history#comment-251071 This is most interesting ;) Incredibly simple yet powerful. I've thought about it some time ago. Anyways, I believe it will be considered a hack and blocked by browsers in the near future, same as cascading-killer-popups and other funny things, that have been invented since Netscape 3 :) Have a great day! This is most interesting ;)
Incredibly simple yet powerful. I’ve thought about it some time ago.

Anyways, I believe it will be considered a hack and blocked by browsers in the near future, same as cascading-killer-popups and other funny things, that have been invented since Netscape 3 :)

Have a great day!

]]>