Clicking the button will open it in this browser - albeit in a new tab.
Which means it can use the CSS link:visited stuff etc to determine where you've 
been!
Hopefully same-origin means websites can't do timing probes - but they can, for 
most browsers, probe history.
However, if using privacy mode, this may not be true. And it's hard to detect 
privacy mode - and does privacy mode disable css link:visited anyway? Maybe it 
only remembers history for present session but does remember it?
Hmmm... Can we provide a tester? We could even integrate this in the button? 
Try to do the link:visited test, and if it works, warn the user?

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Devl mailing list
[email protected]
http://osprey.vm.bytemark.co.uk/cgi-bin/mailman/listinfo/devl

Reply via email to