
An Event Apart Boston: Another tidbit

While Eric Meyer was talking humorously about the "dark side" of CSS, he mentioned a really interesting fact: most modern browsers will "lie" to you when reporting properties of visited links via JavaScript. For instance, if your current stylesheet specifies that unvisited links are blue and visited links are purple, and your code tries to read the color property of a link that has been visited, it won't return the value for purple; instead, it will report that the link's color is... blue. The same happens for any property you can read from a visited link: background image, background color, font face, size, etc. So why did browser makers do this?

Eric's example of why browser makers would do this was that in authoritarian countries which restrict and monitor Internet access, a government might be interested in trying to monitor which URLs people visit. If that government can inject a script into each page requested from their country, or if they can control the browser or operating system (let's think China), then they have one more method of tracking which URLs a particular user has visited. It doesn't sound efficient, but it's possible.

I think I have a more accurate guess as to why this has been done: XSRF, or cross-site request forgery. This was an exploit that was discovered a couple of years ago, and it works by a script causing your browser to request a URL, perhaps to a site that you're already logged in to, for someone else's benefit. For instance, if a malicious script created a link on a page you were browsing, and could detect that you had visited it, it could then initiate a JavaScript event that caused your browser to make a friend request on Facebook, or purchase something on eBay, or share your email address book on GMail, or reset your password on NYTimes.com to something the script owner knows about.
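As an added example (not code from the post or from Eric's talk), here is a small self-test a page can run to confirm the behaviour described at the top: it styles `:link` and `:visited` differently, points a link at the page's own URL (which is necessarily in the browser history), and checks whether the browser still reports the unvisited colour. The `doc`/`win` parameters, the `vl-probe` class name and the colour values are my own assumptions.

```javascript
// Added example, not from the original post. Checks whether the browser
// reports the :link style for a link that has definitely been visited.
// doc/win default to the real DOM but are parameters so the logic can also
// be exercised against a stub outside a browser.

const UNVISITED = 'rgb(0, 0, 255)';   // blue, as in the post's example
const VISITED = 'rgb(128, 0, 128)';   // purple

// Installs a stylesheet distinguishing :link from :visited, creates a probe
// anchor pointing at `href`, and returns the colour the browser *claims* for it.
function reportedLinkColor(href, doc, win) {
  const style = doc.createElement('style');
  style.textContent =
    `a.vl-probe:link { color: ${UNVISITED}; } ` +
    `a.vl-probe:visited { color: ${VISITED}; }`;
  doc.head.appendChild(style);

  const a = doc.createElement('a');
  a.className = 'vl-probe';
  a.href = href;
  doc.body.appendChild(a);

  const color = win.getComputedStyle(a).color;
  a.remove();
  style.remove();
  return color;
}

// The page currently being viewed is by definition in the history, so a link
// to it is a visited link. A browser that applies the mitigation the post
// describes reports the :link colour for it anyway.
function visitedLinkPrivacyCheck(doc = document, win = window) {
  const observed = reportedLinkColor(win.location.href, doc, win);
  return {
    observed,
    protected: observed === UNVISITED,  // browser "lies" as described
    leaks: observed === VISITED,        // real :visited style exposed
  };
}
```

In a browser console `visitedLinkPrivacyCheck()` should return `protected: true` on any modern browser; anything else means the visited-link style is readable from script.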
