Browser history sniffing is still a thing

Tomaso · Unread post by **Tomaso** » 2018-11-04, 11:26

Browser history sniffing is still a thing:
https://www.ghacks.net/2018/11/04/brows ... l-a-thing/

The leak attacks affect all modern browsers that don't block the storing of the browsing history; in other words, Firefox, Chrome, Internet Explorer and Microsoft Edge are vulnerable while Tor Browser is not.

Unread post by **Moonchild** » 2018-11-04, 11:32

Nice in theory, cumbersome (the ones that can still be used, anyway) in practice, and I don't think it's used in the wild by anyone.

(Also, we don't use the non-standard moz-context-fill CSS, in case that is being used)

Sampei Nihira · Unread post by **Sampei Nihira** » 2018-11-04, 17:22

Does this problem also affect Pale Moon?

https://www.ghacks.net/2018/11/04/brows ... l-a-thing/

In the comments to the article we recommend:

"layout.css.visited_links_enabled" set to false.

What do you think about it?

TwoTankAmin · Unread post by **TwoTankAmin** » 2018-11-04, 17:43

If one always uses "Private Browsing Mode" would this not circumvent this issue?

Unread post by **Moonchild** » 2018-11-04, 20:38

Sampei Nihira wrote:In the comments to the article we recommend:
"layout.css.visited_links_enabled" set to false.
What do you think about it?

I think if you want to forego the convenience of having visually indicated visited links, then you can trade that for more perceived privacy. The bottom line remains that this feature can always be used to know links have been visited, in ever more convoluted ways if needed, (another "arms race" type situation) if and as long as it is rendered visually different in your browser.

Fedor2 · Unread post by **Fedor2** » 2018-11-04, 21:29

27 version of the Palemoon has settings something like history.allow.push... And if it was set to false sites couldn't mess you history, layout.css minor thing against that. Now these settings are removed, so does sites can do with the history everything they want?

gepus · Unread post by **gepus** » 2018-11-05, 09:59

browser.history.allowPushState is deprecated since Firefox 47.
Nevertheless - the history API lets websites interact with the browser history, trigger the browser navigation methods and change the address bar content.
https://flaviocopes.com/history-api/

Sampei Nihira · Unread post by **Sampei Nihira** » 2018-11-05, 17:33

The remedy does not work.

https://www.spinda.net/papers/smith-2018-revisited.pdf

Page 10:

Firefox with visited links disabled. Turning off Firefox’s
layout.css.visited links enabled configuration
flag should eliminate visited link styling
altogether [5, 46]. Not so: disabling the flag fails to
block either our visited-link attacks or Paul Stone’s
older one; we reported this bug to Mozilla.

Pale Moon forum