Your Browser History Is Showing

samzenpus posted more than 5 years ago | from the wasted-days-and-wasted-art dept.

Privacy 174

tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."

174 comments

Microsoft actually did something right (2, Funny)

Absolut187 (816431) | more than 5 years ago | (#28557159)

With its "inprivate" browsing mode in IE8.
Since it doesn't track your history, I'm assuming that your "inprivate" history can't be "sniffed".

Re:Microsoft actually did something right (3, Insightful)

calumtdalek (983493) | more than 5 years ago | (#28557185)

It all depends on if your inprivate browser history changes the color of links when they are displayed (or in general obeys the css style sheets for visited links). Perhaps someone with IE8 can test it out for us [I lack access to a windows machine]?

Re:Microsoft actually did something right (4, Informative)

Absolut187 (816431) | more than 5 years ago | (#28557431)

Negative. Visited links are not a different color, and the history is not populated.

Re:Microsoft actually did something right (2, Insightful)

Freetardo Jones (1574733) | more than 5 years ago | (#28557267)

Microsoft actually did something right

You mean like the mode Safari had 4 years ago?

Re:Microsoft actually did something right (5, Informative)

sam0vi (985269) | more than 5 years ago | (#28557391)

I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All I got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!

Google did something right too (1)

memojuez (910304) | more than 5 years ago | (#28558105)

I tested it in Chrome's Incognito Window and the site was unable to detect my browser history. When I tested Chrome in regular mode, it found all kinds of good stuff.

Re:Microsoft actually did something right (2, Interesting)

haifastudent (1267488) | more than 5 years ago | (#28558563)

On a stock Firefox 3.0.11 on a fresh install and no extensions, I visited about 20 popular sites (facebook.com, digg.com, xnxx.com and the like), then tried the history site. Just a big black png. Either the script is /.ed or I don't know the right sites to visit.

Re:Microsoft actually did something right (1)

Krojack (575051) | more than 5 years ago | (#28558591)

Same for me only I don't have history disabled. NoScript just didn't allow the scanning.

Re:Microsoft actually did something right (1)

Geoffrey.landis (926948) | more than 5 years ago | (#28558227)

With its "inprivate" browsing mode in IE8. Since it doesn't track your history, I'm assuming that your "inprivate" history can't be "sniffed".

The same as the Safari "private browsing" mode, I assume.

Something tells me (0)

Anonymous Coward | more than 5 years ago | (#28557171)

That I would not want to look at the browser history of the guy that is in the attached featured article picture.

...So.... (1)

Darkness404 (1287218) | more than 5 years ago | (#28557173)

So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.

Re:...So.... (4, Insightful)

MyLongNickName (822545) | more than 5 years ago | (#28557397)

So, the choice is

1. Allow everyone in the world to sniff my browsing history.
2. give up the ability to see my own browsing history.

Somehow, this doesn't seem right...

Re:...So.... (5, Insightful)

Jurily (900488) | more than 5 years ago | (#28557519)

1. Allow everyone in the world to sniff my browsing history.
2. give up the ability to see my own browsing history.

How about

3. treat this as a serious security risk and act accordingly (report the bug and use the browser that comes out first with a patch)

Re:...So.... (2, Informative)

Goaway (82658) | more than 5 years ago | (#28557631)

This has been known for several years, and none of the browsers have done anything to fix it.

Re:...So.... (4, Funny)

Minwee (522556) | more than 5 years ago | (#28557765)

And nobody will until someone constructs a detailed history of the porn sites that Steve Ballmer, Sergey Brin and Mitchell Baker have visited.

Re:...So.... (4, Funny)

MyLongNickName (822545) | more than 5 years ago | (#28557953)

I heard they collaborated and made their own.

Please mod: -1, Ewwwww.

Re:...So.... (1)

TitusC3v5 (608284) | more than 5 years ago | (#28558503)

That gives a whole new meaning to the phrase 'Spanking the monkey.'

Re:...So.... (1)

Jurily (900488) | more than 5 years ago | (#28558541)

And to "throw a chair".

Re:...So.... (0)

Anonymous Coward | more than 5 years ago | (#28558635)

Or just install noscript.

Re:...So.... (0)

Anonymous Coward | more than 5 years ago | (#28557763)

Or just use NoScript or better yet use Opera's version of NoScript, which is not spyware.

Re:...So.... (0)

Anonymous Coward | more than 5 years ago | (#28558469)

I've never understood why anyone would want to keep their browsing history? I've been deleting mine along with cookies since the 90's! It's something I have no value for.

Re:...So.... (3, Insightful)

causality (777677) | more than 5 years ago | (#28557399)

So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.

I think the point can be explained this way: "who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?" Speaking generally about all user data and all remote IP addresses, all remote hosts are on a need-to-know basis and 99.999% of the time, they don't need to know. They particularly don't need to know without prompting the user and asking "do you want to give out this information?" with that question defaulting to "No" and a box, checked by default, which says "Remember this preference".

You can subtly dismiss it as paranoia if you like. That doesn't excuse poor design. Also, globally disabling the browser history would deny the remote Web site access to the browser's history, sure, but it would also deprive the user of this local feature. There should be a more reasonable alternative to either "lose this feature" or "make this feature available to anyone who asks with no regard for privacy." Apparently NoScript provides such an alternative.

Re:...So.... (0)

Qzukk (229616) | more than 5 years ago | (#28557563)

who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?

Changing the color of a link you've visited has been around forever. Changing the style of a link you've visited to one that can send information back to the server eg "background-image:url(/visited.pl?site=slashdot)", that's newer.

Re:...So.... (1)

causality (777677) | more than 5 years ago | (#28557603)

who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?

Changing the color of a link you've visited has been around forever. Changing the style of a link you've visited to one that can send information back to the server eg "background-image:url(/visited.pl?site=slashdot)", that's newer.

Sorry but I don't think I fully understand how that relates to this story. Would you elaborate please? What you describe there sounds like a re-implementation of so-called "http ping."

Re:...So.... (4, Informative)

uglyduckling (103926) | more than 5 years ago | (#28557681)

Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does is it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already. Perhaps the best compromise would be to allow changes to link style only within the domain of the page that's attempting to set that style. But it's still a major backward step in usability. The other option might be to disable link styles for pages that have greater than a certain number of links (say 50).

Re:...So.... (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28557971)

There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.

Sure there is. Have your browser always pull the visited and unvisited styles, then just display the relevant one. Problem solved.

Re:...So.... (1, Informative)

Anonymous Coward | more than 5 years ago | (#28558421)

Then you investigate the DOM to see which is there...

Re:...So.... (0)

Anonymous Coward | more than 5 years ago | (#28558295)

Or another method, don't allow the javascript to see what color the link is. That might break some stuff.

Re:...So.... (1)

causality (777677) | more than 5 years ago | (#28558971)

Or another method, don't allow the javascript to see what color the link is. That might break some stuff.

I seriously cannot think of any Web site that would break without this functionality. Though, I may be biased as I have been using NoScript for a long time now and think that default-deny is a great idea. As in, it's borderline negligence that all browsers don't have something like NoScript built in as a standard feature.

Personally I think seeing the color of the link is likely to be a frivolous/cosmetic feature of dubious utility. But let's just assume for the sake of argument that it's a critical feature for some important Web site. In that case, why does JS need to be able to transmit this information back to the Web server?

Re:...So.... (1)

zippthorne (748122) | more than 5 years ago | (#28558393)

Of course there is. The easy workaround is to automatically load all of the link background images. Then the server can't sniff anything.

Re:...So.... (2, Insightful)

AtomicJake (795218) | more than 5 years ago | (#28558403)

Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does is it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.

The Web page (HTML, Javascript code, ...) should not be able to detect such differences and be able to report them back home; it's OK to tell the browser how to render visited links, but not to get the feedback by the browser how it rendered which links. The feedback is actually breaking the sandbox principle.

I actually think that the current direction to "the browser is the OS (or even worse, the Flash player in your browser is the OS)" is a security nightmare.

Re:...So.... (1)

nmoore (22729) | more than 5 years ago | (#28557731)

who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?

Changing the color of a link you've visited has been around forever. Changing the style of a link you've visited to one that can send information back to the server eg "background-image:url(/visited.pl?site=slashdot)", that's newer.

Sorry but I don't think I fully understand how that relates to this story. Would you elaborate please? What you describe there sounds like a re-implementation of so-called "http ping."

By putting this CSS under an a:visited selector, they only get the ping if the link points to a URL you have visited. Though they can't get your entire history list, they can query whether (your browser thinks) you've been to a specific page.

Re:...So.... (3, Informative)

vidarh (309115) | more than 5 years ago | (#28557761)

Whether or not you can *read* the history of a browser is irrelevant if you want to know whether or not a user has visited a specific site. In that case you can simply create a page that will set appropriate CSS rules to make the browser try to load a specific background image for visited URLs for each site you want to check for. Then when the user loads your page, you'll get a barrage of what you call http pings, and all you need to do is collate that information and you know which of the sites you care about that the user has visited recently.

It's less invasive than being able to wholesale dump the browser history (you don't know when the sites were visited, for example), but protecting against it also means disabling functionality (you'd need to prevent an app from being able to tell whether or not a link on its own page has been clicked via CSS rules or other means, which means either disabling the distinction between visited or not completely or disabling reading back style information and/or preventing setting CSS rules that trigger loading of external resources).

Re:...So.... (1)

maxume (22995) | more than 5 years ago | (#28558895)

You are describing the pure CSS version of the attack. If you are using javascript (As the page in the story does), you can use getComputedStyle to check if a link has been visited and then just submit the info to the server.

Of course, the nearly 14,000 urls contained in the sitelist.js file from the site are a little more than 'a few popular web2.0' sites.

(There appears to be some user agent sniffing in place to protect that file from casual viewing, but the new link enabled source viewer in FireFox 3.5 doesn't care.)

black image (4, Funny)

Red Flayer (890720) | more than 5 years ago | (#28557191)

I tried it.

I got a black screen (apparently no history to be shown).

Either the engine is borked, or my privacy add-ins are working properly...

Or possibly the Oracle of Browser History has determined that my history is darker than the darkest dark, and refused to show images.

Re:black image (1)

houghi (78078) | more than 5 years ago | (#28557643)

I also get a dark field in FF and IE.

worked for me (1)

itsamemario (1588719) | more than 5 years ago | (#28558119)

Although I get the impression it's randomly failing what with the slashdot load and being written in an interpreted language. I put up a picture here [photobucket.com].

Not mine (4, Informative)

Monoman (8745) | more than 5 years ago | (#28557213)

No Script baby

Re:Not mine (1)

thedonger (1317951) | more than 5 years ago | (#28557307)

No Script baby

I second that emotion. I never browse at work without it.

Re:Not mine (1)

L4t3r4lu5 (1216702) | more than 5 years ago | (#28557705)

I second that emotion. I never browse without it.

Re:Not mine (3, Informative)

countertrolling (1585477) | more than 5 years ago | (#28558065)

I third it. I never browse at work.

Re:Not mine (2, Funny)

BigBlueOx (1201587) | more than 5 years ago | (#28558555)

I fourth it. I never work. I browse.

Re:Not mine (0, Redundant)

Yaa 101 (664725) | more than 5 years ago | (#28557521)

It is unbelievable how many sites try to cram your surfing session with all sorts of cross scripting and other nuisance from 3rd parties.

Noscript essentially gives back the decision of running scripts to the owner of the web client.

Re:Not mine (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28557615)

It can also be done using CSS and then grepping accesslog. NoScript will not help you there.

Re:Not mine (5, Informative)

gazbo (517111) | more than 5 years ago | (#28557641)

No Script may help in this case, but not in general. There was a story here only a couple of weeks back talking about a pure CSS method for doing exactly this.

Re:Not mine (0)

Anonymous Coward | more than 5 years ago | (#28558347)

There was a story here only a couple of weeks back talking about a pure CSS method for doing exactly this.

There's an example for a CSS-only implementation here:
http://making-the-web.com/misc/sites-you-visit/nojs/

Re:Not mine (1)

stickrnan (1290752) | more than 5 years ago | (#28557939)

A lot of sites need javascript allowed to see any content. Are you planning on browsing with absolutely no script?

Sensationalism in summary (1)

sys.stdout.write (1551563) | more than 5 years ago | (#28557223)

Being able to query whether or not I visit common sites is a far cry from my browser history being shown, but still this needs to be fixed.

How long until a politician gets busted for visiting a child pornography website?

Re:Sensationalism in summary (1)

poormanjoe (889634) | more than 5 years ago | (#28557429)

In regards to your sig, and only your sig, the mayor of my hometown has already been busted for child pornography/child enticement. Here is one of many articles. [jsonline.com]

Re:Sensationalism in summary (0)

Anonymous Coward | more than 5 years ago | (#28558795)

That wasn't his sig. It was a line he typed. Note the absence of the "--" found at the beginning of each and every sig.

So, you failed. Please try again. Thank you. Mmmkay?

I checked it out (1)

oodaloop (1229816) | more than 5 years ago | (#28557229)

And all it showed was pictures of raptors and deadbolts.

Re:I checked it out (1)

file_reaper (1290016) | more than 5 years ago | (#28557411)

Soo...you like dinosaur comics yes?

This methodology is actually quite old (5, Insightful)

Anonymous Coward | more than 5 years ago | (#28557231)

This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.

This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.
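
Added example, not part of the thread or of any browser's code: a JavaScript check that reviews stylesheet text (for instance third-party or user-supplied CSS) for the two `:visited` tricks described in the comments, a resource load tied to `:visited` and a size change that script can measure. The allow-list, the function names and the sample stylesheet are assumptions made for this example.

```javascript
// Allow-list chosen for this example: properties that neither fetch a resource
// nor change the size or position of anything on the page.
const COLOR_ONLY = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color',
]);

// Split text on a separator, ignoring separators inside quotes or parentheses,
// so url("a;b") and :not(a, b) each stay in one piece.
function splitTopLevel(text, sep) {
  const parts = [];
  let depth = 0, quote = null, start = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')') depth = Math.max(0, depth - 1);
    else if (ch === sep && depth === 0) {
      parts.push(text.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(text.slice(start));
  return parts.map(s => s.trim()).filter(Boolean);
}

// Return [{selector, body}] for every style rule, descending into
// @media/@supports blocks. Braces inside quoted strings are not handled,
// which is acceptable for a review aid.
function parseRules(css) {
  const src = css.replace(/\/\*[\s\S]*?\*\//g, '');   // drop CSS comments
  const rules = [];
  let i = 0;
  while (i < src.length) {
    const open = src.indexOf('{', i);
    if (open === -1) break;
    let depth = 1, j = open + 1;
    while (j < src.length && depth > 0) {
      if (src[j] === '{') depth++;
      else if (src[j] === '}') depth--;
      j++;
    }
    // Anything before the last top-level ';' is a statement such as @import.
    const prelude = splitTopLevel(src.slice(i, open), ';').pop() || '';
    const body = src.slice(open + 1, depth === 0 ? j - 1 : j);
    if (/^@(media|supports)\b/i.test(prelude)) rules.push(...parseRules(body));
    else if (!prelude.startsWith('@')) rules.push({ selector: prelude, body });
    i = j;
  }
  return rules;
}

// Report every declaration in a :visited-dependent rule that either loads a
// resource ('fetch') or sets something other than a plain colour ('non-color').
function auditVisitedRules(css) {
  const findings = [];
  for (const { selector, body } of parseRules(css)) {
    const visited = splitTopLevel(selector, ',').filter(s => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    for (const decl of splitTopLevel(body, ';')) {
      const colon = decl.indexOf(':');
      if (colon === -1) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1).trim();
      let risk = null;
      if (/url\s*\(/i.test(value)) risk = 'fetch';
      else if (!COLOR_ONLY.has(property)) risk = 'non-color';
      if (risk) findings.push({ selector: visited.join(', '), property, value, risk });
    }
  }
  return findings;
}

// Constructed sample: one harmless recolouring rule plus the two tricks
// described in the thread.
const SAMPLE_CSS = `
a { color: blue; width: 100px; }
a:visited { color: purple; }
a#slashdot:visited { background-image: url(/visited.pl?site=slashdot); }
@media screen {
  .probe a:visited, .probe a:hover { width: 5px; }
}
`;

console.log(JSON.stringify(auditVisitedRules(SAMPLE_CSS), null, 2));
```

A stylesheet that only recolours visited links passes this check; the getComputedStyle read-back mentioned elsewhere in the thread is outside what a stylesheet review can see.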

Re:This methodology is actually quite old (4, Informative)

Anonymous Coward | more than 5 years ago | (#28557537)

New about:config setting in FF 3.5:
layout.css.visited_links_enabled [mozilla.org]

If "visited" is a useful feature for you check out SafeHistory [mozilla.org] :

Restricts the marking of visited links on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites

Re:This methodology is actually quite old (1)

jizziknight (976750) | more than 5 years ago | (#28558053)

Too bad that extension doesn't work for FF3.x

Re:This methodology is actually quite old (0)

Anonymous Coward | more than 5 years ago | (#28558821)

I have it working on my FF3.5 instance but had to disable compatibility checking.

There appears to be a newer version on their website [safehistory.com] than the one on the moz addons site.

Really no script (0)

Anonymous Coward | more than 5 years ago | (#28557559)

Thanks for pointing out! I now realize you can do the whole thing, including server communication, in CSS. Just combine the "visited" tag with a unique background image on the same server. The background image URL can then be the server-side script that handles the privacy violation.

Did not work for me (1)

danzona (779560) | more than 5 years ago | (#28557235)

I went to the sniffing page linked from the summary and it stayed on 0% for 5 minutes so I guess it does not work for me.

NoScript (I presume) saves the day again!

Re:Did not work for me (1)

MindStalker (22827) | more than 5 years ago | (#28557319)

Eh, noscript has become adware in the last year. The reason it keeps updating itself is for ads and to make sure you aren't blocking its own ads, and not for actual updates.

Re:Did not work for me (1)

swb (14022) | more than 5 years ago | (#28557491)

Are you sure about that?

It seems to work fine and I don't notice any additional ads, and when it does update there almost always seems to be something "new" that has been added.

Re:Did not work for me (3, Informative)

radtea (464814) | more than 5 years ago | (#28557609)

Eh, noscript has become adware in the last year.

This is an out-dated claim: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net] It pertains to an ugly episode for which the NoScript author is rightfully apologetic.

It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that led to the NoScript/AdBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.

Re:Did not work for me (1)

catmandi (995992) | more than 5 years ago | (#28557645)

After the outcry over the adblock plus filter snafu, NoScript has stopped adding any filters to adblocking extensions.

IIRC, there was a movement to vote NoScript down so that it would be required to undergo a full code review of each update. The author apologised and removed the offending code.

You show me a better protection from JS and other plugins and I'll install it. But you can't, because there isn't anything in NoScript's league.

Re:Did not work for me (0)

Anonymous Coward | more than 5 years ago | (#28557935)

You show me a better protection from JS and other plugins and I'll install it. But you can't, because there isn't anything in NoScript's league.

Here you go [opera.com]

Re:Did not work for me (1)

Krneki (1192201) | more than 5 years ago | (#28557417)

Same story here, it does not work.

Re:Did not work for me (1)

causality (777677) | more than 5 years ago | (#28557451)

I went to the sniffing page linked from the summary and it stayed on 0% for 5 minutes so I guess it does not work for me. NoScript (I presume) saves the day again!

Well, yeah. The whole thing is JavaScript powered, so if you're not executing their JavaScript it's going to stay at 0% for a lot longer than 5 minutes ...

This is definitely not the first time I was glad I use NoScript.

Re:Did not work for me (0)

Anonymous Coward | more than 5 years ago | (#28558523)

Does not work with Opera. The page just loads for a while, then endlessly reloads itself without result. Once again it looks like Opera is immune to yet another web "vulnerability".

I love that Opera continues to be the most secure and standards compliant web browser ever made.

It's slashdotted (3, Informative)

tepples (727027) | more than 5 years ago | (#28557249)

Twice in a row, all I get is

Expired

This URL has expired. Please return to the home page. This is likely because of increased load. It shouldn't happen again.

Re:It's slashdotted (0)

Anonymous Coward | more than 5 years ago | (#28557371)

The man's restarting the process with a higher memory threshold...

Awesomeness... (0)

Anonymous Coward | more than 5 years ago | (#28557277)

The whole world can see my pr0n and um...blogs....and it totally dosen't crash all mai machinez!

Another security hole (1)

Scutter (18425) | more than 5 years ago | (#28557341)

Can we please just have something that doesn't give up our privacy every three seconds? If you like having a browser history or enjoy the benefits of javascript, you're screwed. The only answer is to disable one or both of those.

Re:Another security hole (1)

Krneki (1192201) | more than 5 years ago | (#28557443)

Most of the people here are getting errors, while still enjoying the benefits of history or Java scripts.

Broken or Slashdotted? (1)

stry_cat (558859) | more than 5 years ago | (#28557469)

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://web2.0collage.com/app/;((%22k%22%20.%20%22(1970%201%2079269687)%22)) [0collage.com]

The following error was encountered:

        * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

        * The cache administrator does not allow this cache to make direct connections to origin servers, and
        * All configured parent caches are currently unreachable.

Your cache administrator is webmaster.
Generated Thu, 02 Jul 2009 14:23:14 GMT by nullsleep.csclub.uwaterloo.ca (squid/2.7.STABLE3)

Re:Broken or Slashdotted? (1)

coffeeisclassy (991791) | more than 5 years ago | (#28557587)

slashdotted most likely. According to #scheme, where the creator is hanging out, the webserver ran out of virtual memory and shat itself. It's been re-configured so it might be running better now.

wommens (2, Funny)

psergiu (67614) | more than 5 years ago | (#28557579)

Quote from the final page of the script:

You can get your web2.0collage as a mug,wommens ...

I can have it as WHAT ? Okay, then can I have my wommens without the /. favicon all over them ?

who the hell (0)

Anonymous Coward | more than 5 years ago | (#28557583)

who the hell is that guy in the picture?

Another link with similar technique. (1)

vieux schnock (146044) | more than 5 years ago | (#28557605)

Maybe it's an old story but I found this site that uses the same technique:
http://www.schillmania.com/random/humour/web20awareness/

The guy in the picture of this article. (1)

orsty3001 (1377575) | more than 5 years ago | (#28557633)

He just typed, "15/f/CA".

ooooh! (1)

gandhi_2 (1108023) | more than 5 years ago | (#28557675)

It's like a collage of my favorite porn sites.

Duh (1)

Akira Kogami (1566305) | more than 5 years ago | (#28557715)

Am I the only person who simply doesn't keep a browser history? I set my Firefox not to and it works fine.

It's pretty obvious (1)

phantomcircuit (938963) | more than 5 years ago | (#28557789)

I am using Firefox 3.0.11 on Ubuntu 9.04 with a T7500 CPU (Core 2 Duo 2.2 GHz).

That site pegged one core of my CPU.

Really? That would be damn obvious, not to mention most people would see the slow down and close the browser.

workaround in firefox (5, Informative)

denominateur (194939) | more than 5 years ago | (#28557797)

in firefox:

  set layout.css.visited_links_enabled to FALSE in about config

This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.

Re:workaround in firefox (1)

stry_cat (558859) | more than 5 years ago | (#28557975)

This is not a good work around for me. I like being able to tell which links I've already visited. I suspect a lot of people like it too.

Re:workaround in firefox (2, Insightful)

Qzukk (229616) | more than 5 years ago | (#28558131)

This is not a good work around for me. I like being able to tell which links I've already visited. I suspect a lot of people like it too.

Then perhaps a better idea for you is to set a local style for a:visited that includes background, background-image, size, and so on in addition to the text color.

Re:workaround in firefox (1)

haifastudent (1267488) | more than 5 years ago | (#28558629)

That workaround is a myth. See here for all about:config entries: http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries [mozillazine.org] So by using that method, not only is the user not protected, but he _thinks_ that he is protected. That's worse.

Re:workaround in firefox (1)

denominateur (194939) | more than 5 years ago | (#28558987)

That workaround is a myth.

Interesting, testing it with firefox 3.5 on http://www.making-the-web.com/misc/sites-you-visit/nojs/ [making-the-web.com] and http://www.making-the-web.com/misc/sites-you-visit/ [making-the-web.com] it clearly works!

But you are right that it fails to provide protection with firefox 3.0.xx. Not sure about the 3.1 and 3.2 series.

I see London, (4, Funny)

smackenzie (912024) | more than 5 years ago | (#28558133)

I see France,
I see you shopping online at Victoria's Secret for underpants...

Four Things (1)

jason.sweet (1272826) | more than 5 years ago | (#28558159)

The results are rather disappointing.
A t-shirt!?!?!?
Why does this jackass misspell 'women'?
Why the fuck is this even possible?!?!?

This is what I got: (1)

XxtraLarGe (551297) | more than 5 years ago | (#28558317)

ERROR

The requested URL could not be retrieved

While trying to retrieve the URL: http://web2.0collage.com/app/ [0collage.com] ;...

The following error was encountered:

Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

Being on slashdot!

imagemagick bindings that leak memory

a hard limit of 4gb in a 64bit version of mzscheme for reason's I don't know

Your cache administrator is webmaster.

Generated Thu, 02 Jul 2009 15:32:25 GMT by nullsleep.csclub.uwaterloo.ca (squid/2.7.STABLE3)

isn't this what Safari and Chrome are for? (1)

alen (225700) | more than 5 years ago | (#28558339)

use the niche browsers for your private surfing and IE/Firefox for important things

Site is 404'ing "Slashdot" (0, Redundant)

rotide (1015173) | more than 5 years ago | (#28558341)

Not a joke, look down at the possible reasons for the error, one is being on slashdot.

.

ERROR The requested URL could not be retrieved

While trying to retrieve the URL: http://web2.0collage.com/app/;(a12v) [0collage.com]

The following error was encountered:

* Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

* Being on slashdot!
* imagemagick bindings that leak memory
* a hard limit of 4gb in a 64bit version of mzscheme for reason's I don't know

Your cache administrator is webmaster.
Generated Thu, 02 Jul 2009 15:32:25 GMT by nullsleep.csclub.uwaterloo.ca (squid/2.7.STABLE3)

It uses javascript (1, Funny)

Anonymous Coward | more than 5 years ago | (#28558485)

Javascript runs locally on my own computer; so I'm sniffing myself?

Nice (1)

tsnorquist (1058924) | more than 5 years ago | (#28558685)

The following error was encountered:

        * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

        *
            Being on slashdot!
        * imagemagick bindings that leak memory
        * a hard limit of 4gb in a 64bit version of mzscheme for reason's I don't know

OLD (1)

user24 (854467) | more than 5 years ago | (#28558939)

I'm stunned this is still exploitable. This bug is YEARS old.
