Web designers: how do you use CSS with :link and :visited ?
March 12, 2010 11:05 PM Subscribe
Web designers and developers: Mozilla wants to know how you use CSS properties and selector constructs regarding visited links and :link so they can fix a privacy issue. Asking for a friend.
On behalf of a friend who's working at Mozilla:
Mozilla is looking into a permanent fix for the infamous ":visited leaks history" bug, recently made very visible by sites such as http://www.whattheinternetknowsaboutyou.com/ and http://didyouwatchporn.com/. Unfortunately, we have not been able to come up with a solution that does not place severe restrictions on how :visited styles can differ from the corresponding :link styles. We would therefore like to ask web designers at large:
* what CSS properties you have used to distinguish visited from unvisited links
* what complex CSS selector constructs you have used involving :link and/or :visited
* if possible, links to public, non-demo web sites that exemplify your answers
We already know that text, background, and border color distinctions are very widely used for this; you don't have to tell us that those should keep working.
To be clear, there is no intention to restrict how links in general can be styled, only the styles that can be used to make visited and unvisited links differ.
On behalf of a friend who's working at Mozilla:
Mozilla is looking into a permanent fix for the infamous ":visited leaks history" bug, recently made very visible by sites such as http://www.whattheinternetknowsaboutyou.com/ and http://didyouwatchporn.com/. Unfortunately, we have not been able to come up with a solution that does not place severe restrictions on how :visited styles can differ from the corresponding :link styles. We would therefore like to ask web designers at large:
* what CSS properties you have used to distinguish visited from unvisited links
* what complex CSS selector constructs you have used involving :link and/or :visited
* if possible, links to public, non-demo web sites that exemplify your answers
We already know that text, background, and border color distinctions are very widely used for this; you don't have to tell us that those should keep working.
To be clear, there is no intention to restrict how links in general can be styled, only the styles that can be used to make visited and unvisited links differ.
It's a legitimate question seeking to solve a real problem. It's not the kind of poll where every answer is equally valid. I think it's a fine question.
Brainwane, is there a Mozilla Request For Comments page somewhere?
My suggestion: never style cross-domain links :visited. It's the simple, good-enough solution.
posted by ryanrs at 1:30 AM on March 13, 2010 [3 favorites]
Brainwane, is there a Mozilla Request For Comments page somewhere?
My suggestion: never style cross-domain links :visited. It's the simple, good-enough solution.
posted by ryanrs at 1:30 AM on March 13, 2010 [3 favorites]
Best answer: we have not been able to come up with a solution that does not place severe restrictions on how :visited styles can differ from the corresponding :link styles
For the most part, I think severe restrictions on this would actually be OK. It wouldn't bother me at all if you couldn't use any CSS rule that invoked a URL on a :visited anchor, which would eliminate one class of hacks. And if you weren't able to use javascript to read computed properties from :visited anchors, that'd eliminate the other class of hacks available
I suppose it's possible that the later could potentially cause some unfortunate corner cases in a javascript library or two somewhere, but I think they'd be minor enough that might be an acceptable tradeoff.
ryanrs's idea is simple and comprehensive, but it is sometimes really nice to know if you've visited an off-site link. Particularly on a site like MetaFilter.
I guess the other thing you could do is combine ryanrs's solution with a whitelist of sites you trust to use :visited wisely, but I don't know if that's a solution for a wide audience.
posted by weston at 3:36 AM on March 13, 2010
For the most part, I think severe restrictions on this would actually be OK. It wouldn't bother me at all if you couldn't use any CSS rule that invoked a URL on a :visited anchor, which would eliminate one class of hacks. And if you weren't able to use javascript to read computed properties from :visited anchors, that'd eliminate the other class of hacks available
I suppose it's possible that the later could potentially cause some unfortunate corner cases in a javascript library or two somewhere, but I think they'd be minor enough that might be an acceptable tradeoff.
ryanrs's idea is simple and comprehensive, but it is sometimes really nice to know if you've visited an off-site link. Particularly on a site like MetaFilter.
I guess the other thing you could do is combine ryanrs's solution with a whitelist of sites you trust to use :visited wisely, but I don't know if that's a solution for a wide audience.
posted by weston at 3:36 AM on March 13, 2010
I thought Private Browsing was the real answer to the didyouwatchporn problem.
As a user, I am driven absolutely mad when visited links aren't styled differently from the others.
posted by advicepig at 7:32 AM on March 13, 2010 [1 favorite]
As a user, I am driven absolutely mad when visited links aren't styled differently from the others.
posted by advicepig at 7:32 AM on March 13, 2010 [1 favorite]
Best answer: Beyond just text color:
posted by misterbrandt at 1:03 PM on March 13, 2010
- Mike D. (among others) uses generated content to add a "checkmark".
- I have also seen the "
strikethrough" of visited links a number of places.
posted by misterbrandt at 1:03 PM on March 13, 2010
advicepig: As a user, I am driven absolutely mad when visited links aren't styled differently from the others.
Well, it depends on the situation. For web-based applications, I think it's almost always inappropriate to distinguish links this way.
posted by mkultra at 1:05 PM on March 13, 2010
Well, it depends on the situation. For web-based applications, I think it's almost always inappropriate to distinguish links this way.
posted by mkultra at 1:05 PM on March 13, 2010
Best answer: And if you weren't able to use javascript to read computed properties from :visited anchors, that'd eliminate the other class of hacks available
Why can't this be solved by coding the browser to refuse to tell JavaScript which links were marked Visited when the page was rendered?
Guys, please give the Mozilla developers some credit; the issue is much more involved. For example, suppose I create a test div off-screen in which I set the font-height of :visited to 2px and regular anchors to 200px. Then I create a link to the target site whose anchor text is a single character and take the resulting width of the containing box. I now know whether the link was followed or not and I did not have to access any of the anchor's styles or attributes through js.
posted by Rhomboid at 4:54 PM on March 13, 2010
Why can't this be solved by coding the browser to refuse to tell JavaScript which links were marked Visited when the page was rendered?
Guys, please give the Mozilla developers some credit; the issue is much more involved. For example, suppose I create a test div off-screen in which I set the font-height of :visited to 2px and regular anchors to 200px. Then I create a link to the target site whose anchor text is a single character and take the resulting width of the containing box. I now know whether the link was followed or not and I did not have to access any of the anchor's styles or attributes through js.
posted by Rhomboid at 4:54 PM on March 13, 2010
Best answer: (And hopefully after that example it's now clear why they're trying to come to a consensus of what attributes should be allowed to be set for :visited and which shouldn't.)
posted by Rhomboid at 4:58 PM on March 13, 2010
posted by Rhomboid at 4:58 PM on March 13, 2010
Huh. Well, I'd prefer that the visited status is not visible outside of the domain itself by default, but it could be enabled by the visited site. So if digg wants the world to know I visit digg, it's up to digg to enable that.
The legitimate uses of this feature seem trivial when compared to the possible damage this kind of data leak presents.
posted by chairface at 8:48 PM on March 13, 2010
The legitimate uses of this feature seem trivial when compared to the possible damage this kind of data leak presents.
posted by chairface at 8:48 PM on March 13, 2010
Best answer: suppose I [style a :visited link in any way that might affect computed styles of a container]. I now know whether the link was followed or not and I did not have to access any of the anchor's styles or attributes through js.
That's quite true. Of course, they're still going to have to lock down access to computed styles on :visited to keep out one class of hacks, so what it really means is that I didn't go far enough on this statement:
It wouldn't bother me at all if you couldn't use any CSS rule that invoked a URL on a :visited anchor, which would eliminate one class of hacks.
It wouldn't actually bother me at all if you couldn't do anything with :visited links other than style the attributes mentioned in the post: text, background, and border color distinctions (well, and text-decoration).
I can't think of a single site I've worked on (out of hundreds) where I'd ever wanted to change any other attribute. Generally, it's just text color. Sometimes text-decoration. Occasionally background color. I can't actually remember having used border-color, but I guess I can imagine employing it (though I don't think I'd miss it).
And I can't think of a single example of a site that I've encountered as a mere visitor, where anyone used anything else but those attributes and it was anything other than really annoying.
posted by weston at 1:31 PM on March 15, 2010
That's quite true. Of course, they're still going to have to lock down access to computed styles on :visited to keep out one class of hacks, so what it really means is that I didn't go far enough on this statement:
It wouldn't bother me at all if you couldn't use any CSS rule that invoked a URL on a :visited anchor, which would eliminate one class of hacks.
It wouldn't actually bother me at all if you couldn't do anything with :visited links other than style the attributes mentioned in the post: text, background, and border color distinctions (well, and text-decoration).
I can't think of a single site I've worked on (out of hundreds) where I'd ever wanted to change any other attribute. Generally, it's just text color. Sometimes text-decoration. Occasionally background color. I can't actually remember having used border-color, but I guess I can imagine employing it (though I don't think I'd miss it).
And I can't think of a single example of a site that I've encountered as a mere visitor, where anyone used anything else but those attributes and it was anything other than really annoying.
posted by weston at 1:31 PM on March 15, 2010
Response by poster: Thanks for all your responses.
Brainwane, is there a Mozilla Request For Comments page somewhere?
I'm afraid at the moment there is no such RFC page.
My friend writes:
It might be worth mentioning in the thread that we are concerned
about four different ways of implementing the attack, all of which
have been proven to be practical:
1) Javascript access to computed styles.
2) Javascript inspection of page layout.
3) Javascript inspection of page *rendering time*.
4) Server-side knowledge of which resources have been retrieved (e.g.
background images).
(1) is obviously pretty easy to fix, and so is (4) [just retrieve all
the resources required by *both* the :link and :visited styles -- this
won't be a problem for any site that isn't trying to do the attack
;-)] (2) and (3) are really hard, and they are why we are looking at
severe restrictions on how :visited can differ from :link. Even
really simple things that you might think are no problem, like
toggling text-decoration lines, can make enough of a rendering-time
difference to matter.
posted by brainwane at 5:23 AM on March 19, 2010
Brainwane, is there a Mozilla Request For Comments page somewhere?
I'm afraid at the moment there is no such RFC page.
My friend writes:
It might be worth mentioning in the thread that we are concerned
about four different ways of implementing the attack, all of which
have been proven to be practical:
1) Javascript access to computed styles.
2) Javascript inspection of page layout.
3) Javascript inspection of page *rendering time*.
4) Server-side knowledge of which resources have been retrieved (e.g.
background images).
(1) is obviously pretty easy to fix, and so is (4) [just retrieve all
the resources required by *both* the :link and :visited styles -- this
won't be a problem for any site that isn't trying to do the attack
;-)] (2) and (3) are really hard, and they are why we are looking at
severe restrictions on how :visited can differ from :link. Even
really simple things that you might think are no problem, like
toggling text-decoration lines, can make enough of a rendering-time
difference to matter.
posted by brainwane at 5:23 AM on March 19, 2010
Response by poster: The RFC is now up! You can see more comments there:
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
posted by brainwane at 6:42 PM on April 18, 2010
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
posted by brainwane at 6:42 PM on April 18, 2010
« Older Love spells, hexes, curses: is there a guide for a... | I can't seem to stop singing wherever I am. Newer »
This thread is closed to new comments.
posted by Chocolate Pickle at 11:12 PM on March 12, 2010