zlacker

[parent] [thread] 5 comments
1. miki12+(OP)[view] [source] 2024-10-10 20:37:56
> I don’t know how it’d be possible to do that

It isn't, at least not in the way you think.

Visited links have always looked different from unvisited ones, and the moment you could customize how links looked via CSS, browsers also had to implement styling for visited links specifically.

Modern browsers put a lot of care into making the changes to those styles observable to the user, but not to Javascript.

This is an extremely hard problem, and browsers have had a lot of security issues related to this behavior. Nowadays, you can only apply a very limited subset of CSS properties to those styles, to avoid side-channel timing attacks and such.

This means you can display a banner to anybody who has a certain URL in their browser history, but you can't observe whether that banner actually shows up with JS or transmit that information to your server.

replies(2): >>manana+13 >>Wowfun+E7
2. manana+13[view] [source] 2024-10-10 20:55:44
>>miki12+(OP)
Ah. Ahhh[1]. I see.

  <!doctype html>
  <style>a { color: white; background-color: white; } a:visited { color: black; }</style>
  <body><a href="https://example.com/abracadabra" onclick="return false">you are a bad person</a>
[1] https://developer.mozilla.org/en-US/docs/Web/CSS/:visited#pr...
3. Wowfun+E7[view] [source] 2024-10-10 21:32:05
>>miki12+(OP)
> This means you can display a banner to anybody who has a certain URL in their browser history, but you can't observe whether that banner actually shows up with JS or transmit that information to your server.

How do they stop you from using Canvas to see the output and send it back?

replies(1): >>zamada+0g
◧◩
4. zamada+0g[view] [source] [discussion] 2024-10-10 22:40:30
>>Wowfun+E7
Canvas can't "see the output", it only sees what is drawn in it (which is not a set of HTML tags, it's JS commands).

The screen recording/screen sharing API can be used for this but security is the reason you have to give explicit permission to the site before it can do this.

replies(1): >>miki12+4r
◧◩◪
5. miki12+4r[view] [source] [discussion] 2024-10-11 00:36:22
>>zamada+0g
IIRC, Firefox had a bug where this exact scenario was possible, I think you needed to embed the link in html embedded inside an SVG, which was displayed in the canvas, and then access the bitmap. You could e.g. make the link black if visited and white otherwise, and then the number of white versus black pixels in the bitmap would tell you whether the link was visited or not.

There was also that asteroids game / captcha where links were white/black squares and your goal was to click all the black ones. Of course, clicking a square revealed that you knew the square was black, which meant the URL under it was in your history.

replies(1): >>zamada+wZ3
◧◩◪◨
6. zamada+wZ3[view] [source] [discussion] 2024-10-12 12:45:51
>>miki12+4r
If you go back far enough there weren't even protections against this sort of thing at all! E.g. you could just say a visited link style was 1px taller then measure that. The protections had to be added in after the fact (often with special case logic for what's allowed to be styled or read on :visited) once security became a major concern!
[go to top]