Mozilla to Modify How CSS :visited Works

Mozilla logoIf you know CSS, then you know that the :visited pseudo-class is a method to determine if a user has already been to the link it targets. For example, you may have styles for a:link and a:visited in your CSS file to help users see a difference between links they’ve clicked and links they haven’t. Combine this with the getComputerStyle method in JavaScript and an author can conceivably figure out all the sites you’ve visited. This issue has prompted Mozilla to announce changes to how the :visited selector will work.

The Mozilla Hacks blog outlines how these changes will affect web sites and web developers. At the high level:

They also note some subtle changes to how selectors will work. Mozilla acknowledges that these two items might be confusing and has promised some examples in the near future.

The blog post points out a couple of areas that will probably require changes to existing sites:

Right now Mozilla cannot say what version of Firefox will get this change, but the post is intended to get us all ready for the impact in advance of that release.

Mozilla does admit that this won’t fix all the potential security leaks of your browsing history (see the bug report). They do offer an option for minimizing your exposure to the other leaks, or to minimize yourself in your current release of Firefox until they get the fixes out:

…[V]ersion 3.5 and newer versions of Firefox already allow you to disable all visited styling (immediately stops this attack) by setting the layout.css.visited_links_enabled option in about:config to false. While this will plug the history leak, you’ll no longer see any visited styling anywhere.

Read more:

No comments? Be the first!

Leave a Comment or Response

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>