Thursday, April 1st, 2010

Stop sniffing my breadcrumbs!

Category: CSS, JavaScript, Mozilla, Security

Chris Blizzard has done a nice roundup of David Baron’s post, the bug and the post on the security blog which discusses the :visited issue.

We have seen :visited sniffing used for good as well as ill (Aza wrote about using it to detect which networks you are on, which can help you put up the right badge in, say, an OpenID signup), but it is a loophole that many want to fix.

The fix could affect you though. Here is what is changing:

These changes will have some impact on web sites and developers, so you should be aware of them. At a high level here’s what’s changing:

  • getComputedStyle (and similar functions like querySelector) will lie. They will always return values as if a user has never visited a site.
  • You will still be able to visually style visited links, but you’re severely limited in what you can use. We’re limiting the CSS properties that can be used to style visited links to color, background-color, border-*-color, and outline-color and the color parts of the fill and stroke properties. For any other parts of the style for visited links, the style for unvisited links is used instead. In addition, for the list of properties you can change above, you won’t be able to set rgba() or hsla() colors or transparent on them.

These are pretty obvious cases that are used widely. There are a couple of subtle changes to how selectors work as well:

  • If you use a sibling selector (combinator) like :visited + span then the span will be styled as if the link were unvisited.
  • If you’re using nested link elements (rare) and the element being matched is different than the link whose presence in history is being tested, then the element will be drawn as if the link were unvisited as well.
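As an added example (not from the original post or from Mozilla's code), the rules listed above can be turned into a small checker that reports which declarations in your own :visited rules will stop taking effect. The function names, reason codes and sample rule are constructed for illustration; treating `none` and `url(...)` as the non-color part of fill and stroke is an assumption.

```javascript
// Added example: a model of the restrictions listed above, not browser code.
// Properties the post says may still differ for visited links
// (the border-color shorthand expands to the border-*-color longhands).
const ALLOWED = /^(color|background-color|border-([a-z]+-)?color|outline-color|fill|stroke)$/;
// Values the post says cannot be set on those properties.
const BLOCKED_VALUE = /^(rgba\(|hsla\(|transparent$)/i;
// Assumption: for fill/stroke, `none` and url(...) paints are not "the color part".
const NON_COLOR_PAINT = /^(none$|url\()/i;

// Hypothetical helper. `selector` is a single selector (no commas);
// `declarations` maps property names to value strings.
function auditVisitedRule(selector, declarations) {
  // Drop attribute selectors so [rel~="x"] is not read as a sibling combinator.
  const bare = selector.replace(/\[[^\]]*\]/g, "");
  // ":visited + span" style selectors are drawn as if the link were unvisited.
  const styledViaSibling = /:visited.*[+~]/.test(bare);
  return Object.entries(declarations).map(([property, raw]) => {
    const prop = property.toLowerCase();
    const value = String(raw).trim();
    let reason = "ok";
    if (styledViaSibling) reason = "sibling-combinator";
    else if (!ALLOWED.test(prop)) reason = "property-not-allowed";
    else if (BLOCKED_VALUE.test(value)) reason = "value-not-allowed";
    else if ((prop === "fill" || prop === "stroke") && NON_COLOR_PAINT.test(value)) {
      reason = "not-a-color";
    }
    return { property: prop, value, kept: reason === "ok", reason };
  });
}

// What script sees: per the post, getComputedStyle answers as if the link
// was never visited, so :visited declarations never appear in the result.
function scriptVisibleStyle(unvisitedStyle, visitedStyle) {
  return { ...unvisitedStyle };
}

// Constructed sample rule, as it might appear in a site stylesheet.
const sampleReport = auditVisitedRule("a:visited", {
  "color": "purple",
  "background-image": "url(check.png)",
  "border-left-color": "rgba(0, 0, 0, 0.5)",
  "outline-color": "transparent",
});
for (const r of sampleReport) {
  console.log(`${r.property}: ${r.value} -> ${r.kept ? "kept" : "dropped (" + r.reason + ")"}`);
}
```

Declarations reported as dropped are the ones to move onto the unvisited rule or replace with an opaque color if the visited/unvisited distinction still matters to your design.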

Posted by Dion Almaer at 12:01 am


Never mind, just realized drawWindow is only available to extensions.

Comment by Joeri — April 1, 2010

Hmmm, interesting. Didn’t realize this was such a big issue. The fix seems reasonable in any case, I ever only use color for :visited anyway.

Also, what’s with all the spam? Didn’t update your spam filter plugin?

P.S. I’m liking the new spam questions, especially the “new sexy html” :)

Comment by iliad — April 1, 2010

I don’t think this should be fixed. Some things can be abused by design, it’s just the way it is. That’s not a good enough reason to make CSS behave “incorrectly”.
This should only be introduced as an opt-in/out. Something that would go well in a “privacy protector” extension/add-on.

But introducing unexpected/inconsistent behavior into CSS because someone found a clever use case of a CSS feature seems a bit much.
I find it comparable to creating a filter for cookie data by default. Which would be kind of silly, no?

Comment by jhiswin — April 1, 2010

And after reading through the whole bug tracker it appears to be an opt-in at the moment. I really hope nobody tries to lobby for a CSS spec change.

Comment by jhiswin — April 1, 2010

HAHA! April Fools. You got me! There is no such thing as the :visited selector… ;)

Comment by blister — April 1, 2010
