But you could still add a 1px padding to all links exept visited, and then getComputedStyle (if it returns a empty string then it is visited)

Can’t you make that :link styles apply to :visited also? That way you couldn’t make different styles for them

And it’d be greate if you add the outline to the supported styles for :visited, becouse it wouldn’t affect the others (would it?)…

:P

I can’t install Add-on Fire FTP. Any body else having that problem? It was fine in previous version.

The Panopticlick experiment scares me, a lot, so I’m very glad to see this happening.

Are the other Panopticlick vulnerabilities/recommendations being addressed in FF 4?

If Firefox implement this shit, i will just use a other Browser and for then never recommend Firefox to anyone.
Ok I’m a Guy who don’t care that much about my visited links, but because i have nothing to hide so its wayne to me.

But a Browser should do what a Browser should. So when i tell the Browser to do something (and it’s a valid standard) it should do it, otherwise the Browser is just crap and i should better use a correct working one.

The other thing is that such “security” isn’t security. So there are points that makes such exploit unimportant:
1. a scripts needs long to brute-fore enough “interesting” data.
2. such script needs much resources and i will detect it / the site that is the shit.
3. sry but i don’t know the benefits to know users history^^
4. such damaging to the browser what is called to be working here, does nothing as just damaging the browser, because if I’m not wrong you don’t need getComputedStyle() etc, you just need to read the current link color by using “javascript:node.style.color” and load a special URL to determine the color for visited links. (using an iframe for example).

So as long you don’t disable :visited etc. in CSS there is no save way to prevent such abuse.
The only way that should work, is a intelligent browser, so it should work like an AV and detects bad scripts and asking the User what to do. A script is for example dangerous when it uses a big loop and checking some link properties…. this doesn’t damage the browser and should work.

This is just one short idea and i hope I’m not that wrong ;)
Sorry for my English as well… hope it’s enough :P

Kind regards
White-Tiger

1. Matti Schneider-Ghibaudo

   I’ll just answer to the points you give to prove the exploit is unimportant:
   1. How long does http://www.check-history.com/visitedsites.html take to load?
   2. Has loading the previous page made you detect any suspicious activity?
   3. One just needs to test which of the websites of the 10 biggest banks in your country you visited to know which one one should try to phish you with (possibly via tabnagging: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ ).
   Or, perhaps less financially threatening, but quite annoying for privacy-related issues: this could also be used to know if you visited porn sites, or sites like meetic, or online games… Basically, it’s a threat for whatever you’d prefer people not to know you’ve been to.
   4. If the API lies, it lies. Period. No way of knowing anything through JavaScript if the browser pretends something that is not true, since JS is only asking the browser to give it the info.

   Your idea of detecting “bad scripts” is not implementable for there are so many ways to circumvent such checks (mainly because JS is extremely dynamic and could not be evaluated on load, for example). Beyond that, with the banks example, even testing only one bank is enough, since there should be statistically enough visitors to test phishing with some.

   I hope you now understand the problematic a bit better :)

   July 31st, 2010 at 15:27

I use a border-bottom to style my links (looks nicer and stands out better than text-decoration:underline). Unvisited links are solid, visited links are dotted.

This breaks that styling, and left me very confused for a long time.

I understand the rational for breaking that part of CSS, and I guess I’m okay with it. I just wish there was a workaround.

hey,this is one of the best posts that I’ve ever seen; you may include some more ideas in the same theme. I’m still waiting for some interesting thoughts from your side in your next post.

I rather agree with White-Tiger: I’m going to consider going to another browser. When I get a page full of links, I need a reliable way to be able to hide or otherwise modify the links that I’ve already visited so I’m not repeating myself. This is a daily inefficiency thing that translates to tons of wasted time. While I appreciate the thought of protecting my privacy, there has to be a way to do it while still allowing me to control visited links better.

According to the original entry, only colors can change, not visibility. Since JavaScript can’t access the browser history, you also can’t do it there either, but that’s also the point of the privacy issue. I can understand breaking the JS methods, but it doesn’t make sense that CSS is also being broken.

This is incredibly good news. The fact that no browser currently protects its users from these attacks has been bothering me since I first heard of them (which was not long ago, but I understand the attacks were observed for nearly 10 years and that the identification via social network’s groups is known for months).

To be honest, I was checking the features’ list to see if this was going to be implemented, and getting ready to send a request if not.

This will greatly weight in favor of Firefox in my What browser should I use? dilemma. At the moment, I also use Opera, as there are a few reasons that make it a better choice for some of the things I do. This is the case mostly in browser-based games in which:
– the speed at which you can validate a form on a tab, switch to the next tab, validate again, switch again etc makes Firefox a bad choice, especially as in some cases when the form runs some javascript when submitted, Ctrl+Tab fails to switch tab),
– Opera’s userscripts are more powerful than GM scripts thanks to the BeforeScript event handlers that allow the user to prevent or modify a page’s script before it’s run. I gave a fast try at doing the same thing by writing a Firefox addon, but (probably because I didn’t do it well), this greatly slowed down the page’s loading, while in Opera it doesn’t.

So with Firefox 4, it will be Firefox for general purpose browsing (NoScript, AdBlock, this :visited change and other addons I love), and probably still Opera for browser-based games.

Before taking this step, please consider the Electronic and Information Technology Accessibility Standards (Section 508), published in the United States Federal Register on December 21, 2000, to wit:

§ 1194.21 (g) Applications shall not override user selected contrast and color selections and other individual display attributes.

§ 1194.21 (i) Color coding shall not be used as the only means of conveying information, indicating an action, prompting a response, or distinguishing a visual element.

§ 1194.22 (c) Web pages shall be designed so that all information conveyed with color is also available without color, for example from context or markup.

The thing is, you don’t break functionality to fix a bug. If the problem is that certain styling on visited links can give people information. Bold is screwed up because it makes text take up more space, which can be queried. The way to fix that is either to do what Chrome does and keep bold the same size as nonbold.

Loading a background picture is a problem because it queries the server. So make it where the background is already preloaded upon page load. Heck, that would fix pretty much everything–analyze everything as if all links had been fixed.

Finally, fingerprinting is a concern, but a lot of people don’t give a crap. Those of us that do aren’t going to run Firefox vanilla in the first place. We’ll use adblock, noscript, and, in risky situations, the built in private browsing mode.

This is just a step backwards. JavaScript + CSS + HTML5 is supposed to be a fully functional system that will replace many overbearing plugins. Removing features so that people have to go back to relying on Firefox is just stupid.

I really wish programmers would get off their soapboxes and design what the users want, rather than thinking they know better than the users they are supposed to be serving.

BTW, I find it funny that they suddenly are okay with breaking standards, when before they didn’t give a crap. Designers are going to design to de facto standards, not what Firefox elitists tell them to do. Stop acting like IE.

I dont know. Dogs are the way to express feelings about CSS I would prefer yellow or brown. Default or not. Fingerprinting is a concern not nearby the wastelands of tomorrow and beyond. We are just little sparks in the immense web of information….Who cares! As time itself will catch up eventually. Regards!, Frank

The chosen solution is far more drastic and has far more wide-ranging impact than what’s necessary. A better solution would be this:

— To thwart the non-JavaScript attack, where a server detects CSS background-image fetches: Regardless of the unvisited/visited state, always fetch both images, the visited and the unvisited, always in the same order. If other CSS properties exist that can have a similar impact, always act as if rendering both the visited and the unvisited versions.

— To thwart detection by JavaScript: Determine the link’s dimensions and the resulting text flow for both cases, the case with the visited version and the case with the unvisited version of the link. Flow the page in such a way that there’s room for either version. Let the user see the correct version of the link in this space. Let JavaScript see the style settings of the unvisited version.

— Do the same in cases of siblings and nesting. As above, prepare room enough for either version, display the right version, let JavaScript see the unvisited version.

— Forbid only those CSS properties whose impact on rendering is so drastic that the above cannot work neatly, i.e. forbid properties like float, clear and display.

With this solution, the huge number of websites that use various decorations in fully legitimate ways would still work fine. All they’d notice would be minor ugliness in the unusual cases where :visited is indicated with size-changing properties like boldface or border-width. And the only problem on these sites would be that the link size and text flow would become a bit ugly. The style’s signalling functionality would still remain.

There was a comment above stating “don’t remove functionality to fix a bug”. This assumption about good security is not realistic. There is no way to be secure without some restrictions on both the end user and the developer. Removing small pieces of functionality that prevent developers and users from using some parts of a functional piece is a non-sacrifice here. Data mining and identity theft are a much bigger issue than the ability to use a background image on a visited link. Good for the Mozilla Foundation! They have been brave enough to care for users security more than web developers pain points.

Also there is a VERY good reason they removed this from a development standpoint. It has to do with separation of concerns. If you want to save state or be aware of previous activity there are mechanisms in place to do that. Using a presentation element to do what cookies or server side persistence should is just bad problem solving. Persistence and application awareness should not be mixed with presentation.

I’m not liking these styling limitations.

Why not limit getComputedStyle to URLs that have the same domain as the site that the JavaScript is running on? If the domains don’t match, then ‘lie’ and return a value as if the link is unvisited. If it’s the same domain, should be no problem.

Why does CSS have to be crippled like this?

This change breaks “hide visited” type bookmarklet functionality, for example the one from:
https://www.squarefree.com/bookmarklets/pagelinks.html

If someone has a solution how to make “hide visited” work on FF4/SM2.1 then I’d really appreciate it.

Bug 147777 – :visited support allows queries into global history – https://bugzilla.mozilla.org/show_bug.cgi?id=147777

This is about as good an idea as school uniforms are… and continuing to have to wear them once you graduate; but, yeah, sure… lets break accessibility for everyone, too. At the very least you should allow both user and user agent CSS to modify WTH it wants to (pssst: that’s why it’s called “cascading”).

@The Neighbourhood Nerd because that is near impossible, it gets this info from different places where you least expect it.

@Carl: I concur, external links are what is causing the whole problem, right? Then those links can suffer the consequences if any. There might be a problem with web hosts that share the same domain but that should be easy to work around with regards to URL hierarchy.

But I still thinks that just fooling the script with false values (color, border, images, layout – everything will “look” like it would if all links would be unvisited) are the best way to go.

I want the :visited functionality back too!
I agree with Tom:
“This should be configurable via about:config (and disabled by default, of course).”
Ranimi

I run a website that doesn’t do much more than tell people about their browsing history, and – ofcourse – people are fully aware of how this works when they enter the site and run the diagnosis tool, I have no choice but to let this site “go to history” now. :-(

I don’t really care about this “feature” nor am I worried that some site knows where I’ve visited. Please give us the option to disable it.

Hi there. I never used the :visited tag until today because of lazyness. Still the question arises if it wouldn’t have been enough to restrict the usage of :visited to links pointing to the same domain / site, instead of disabling the functionality alltogether. To determine if a user clicked on some link in ones own domain is possible by other means, so there’s no real security problem there.

if anyone cares, I addeda bkmklet with this javascript and it seems to work in ff 5.0 on xp
javascript:(function(){var%20newSS,%20styles=’a:visited%20{color:%20white;%20background-color:%20white;%20display:%20none}’;%20if(document.createStyleSheet)%20{%20document.createStyleSheet(“javascript:'”+styles+”‘”);%20}%20else%20{%20newSS=document.createElement(‘link’);%20newSS.rel=’stylesheet’;%20newSS.href=’data:text/css,’+escape(styles);%20document.documentElement.childNodes[0].appendChild(newSS);%20}%20})();
I just added “color:%20white;%20background-color:%20white;%20” right before “display:%20none”, which may be safely removed
links with photos still show, but the related text gets *hidden*

Evrix,

Thank you for trying to help! But that bookmarklet isn’t working for me either. I did exactly as you instructed, but the links do not change at all when I click on the bookmarklet I created.

Is it working for anyone else?

(By the way, I just installed Chrome to see if it replaces this lost functionality. Apparently, similar restrictions have been put in place in recent versions of Chrome, so that’s not an option for us.)

Hi,
I have a page with lots of links marked with images. This is the page:
http://luis.impa.br/foto/index1.html
As you can see, I use yellow box-shadows around img links. Since this does not combine with the blue/magenta usual borders for unvisited/visited, I wanted the box-shadow to change colors accordingly to the unvisited/visited status, but this don’t work. I tried everything I could think of using CSS :visited.
Is my problem related to the issue described in this page? Is it solvable with CSS?
Thanks!
L.

1. louisremi

   Yes, our problem is likely to be related to the changes described in this page.
   Please read the article carefully.

   July 25th, 2011 at 00:47

I guess they aren’t reading the comments.

The consensus seems to be that some sort of opt in toggle would be preferable to us being told “this is what you want, this is what you get”.

I found the comment regarding the issue this creates for colour blind people to be very relevant.

The road to hell is paved with good intentions.

1. Christopher Blizzard

   Sorry, sometimes we miss comments. We’re not ignoring, just really busy sometimes.

   Let me check with David Baron, who wrote the original patch. (It actually might be a huge amount of work to support this, to be clear.)

   October 7th, 2011 at 07:06

2. Christopher Blizzard

   Also is there a bug on file about this? It would help a lot.

   cc me and drop me mail – blizzard@mozilla.com

   October 7th, 2011 at 07:09

There are lots of innocent uses of :visited, none of which are supported by FF 7, it seems. I understand the privacy concern, but why target the problem at the CSS-level? I use :visited to show users which parts of a website they have already been to, by changing the background-color of the link. Looks like now I need to change the text itself to provide this information – i.e. HOME (visited). Not the most elegant way – unless, of course, you use JS. Lots of JS. Which opens up all the JS-related security issues, of course.

So, for security reasons, you are forcing people away from using just HTML and CSS to using javaScript to achieve the same effect? Please tell me this is a joke.

1. chee

   You can still use background-color to style the visited links.
   You cannot use JavaScript to determine which links have been visited.

   The opposite of what you think happened happened.

   October 26th, 2012 at 09:30

Oh, Klasse! ‘<
Ich habe jetzt einen ganzen Nachmittag mit dem Versuch vertrödelt besuchte Links im FF unsichtbar zu machen – und eben zu meinem Entsetzen diesen Artikel gefunden.
Wahnsinnsidee, Mann! Was soll der Mist?! :@

I am taking a college course an this has crashed a lot
I cant have that and lose all my work I updated the latest firefox there is no bar
to let you print what am I supposed to do can you give me any suggestions

1. Eric

   What does that have to do with CSS security?

   March 26th, 2012 at 10:54