Firefox developers block old CSS leak
In the Mozilla Security blog, the developers of the Firefox browser have described how they intend to close an ancient privacy loophole. The "CSS History Hack" recently caused a stir because it allows web sites to spy on users of social networks. The problem was first described in a Bugzilla entry from 2000.
The issue is caused by the fact that traditionally web browsers have displayed visited and unvisited links differently. A web application can use this information to find out what pages a user has visited. The W3C has responded to this problem by modifying the CSS 2.1 specification to allow browsers to represent all links as unvisited, or to take other measures to ensure the privacy of the user.
For the second case, the Mozilla developers have decided that only certain attributes of the :visited pseudo-class will be accessible. Attributes that load remote resources, such as background-image, will be ignored by the browser. The developers will also adjust the layout engine to position all the links at the same speed so applications cannot use the variation in timing behaviour to determine if a link has been visited. Finally, if the JavaScript method getComputedStyle is used on a link or its sub-elements, Firefox will return style values as if it were unvisited.
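The rules in the paragraph above can be expressed as a simplified JavaScript model (an added example, not Mozilla's code). The allow-list contents, the function names, the sample stylesheet and the sample history are assumptions made for illustration.

```javascript
// Simplified model of the policy described above; not Gecko source code.
// Assumption: this allow-list is an illustrative set of colour-only
// properties; the article says only that "certain attributes" remain.
const VISITED_SAFE = new Set(['color', 'background-color', 'outline-color']);

// Cascade the rules for a link, pretending it is in the given state
// ('link' = unvisited, 'visited' = visited). Later rules win.
function cascade(rules, state) {
  const style = {};
  for (const rule of rules) {
    if (rule.pseudo && rule.pseudo !== state) continue;
    Object.assign(style, rule.decls);
  }
  return style;
}

// What script sees: the link is always styled as if it were unvisited.
function computedStyleForScript(rules) {
  return cascade(rules, 'link');
}

// What the renderer paints: the unvisited style, with only allow-listed
// properties taken from the :visited cascade. Anything that affects layout
// or would trigger a network fetch is identical in both states.
function styleForPainting(rules, href, history) {
  const style = cascade(rules, 'link');
  if (!history.has(href)) return style;
  const visited = cascade(rules, 'visited');
  for (const [prop, value] of Object.entries(visited)) {
    if (VISITED_SAFE.has(prop)) style[prop] = value;
  }
  return style;
}

// Constructed sample stylesheet and browsing history.
const rules = [
  { pseudo: null, decls: { color: 'black', 'font-size': '16px' } },
  { pseudo: 'link', decls: { color: 'blue' } },
  { pseudo: 'visited', decls: {
      color: 'purple',
      'background-image': 'url(https://example.com/a.png)',
      'font-size': '32px' } },
];
const history = new Set(['https://visited.example/']);

const painted = styleForPainting(rules, 'https://visited.example/', history);
const seenByScript = computedStyleForScript(rules);
console.log({ painted, seenByScript });
```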
The announced changes will soon be incorporated into the development branch of the Firefox browser, and the developers hope the look of most websites will remain unchanged following their introduction.
(djwm)