On 24 September 2014 13:11, Hans-Christoph Steiner <[email protected]> wrote: > But as far > as I understand it, browsers always make the browsing history available to all > sites that run javascript.
That's not true. You cannot simply call an API and get a list of sites that have been visited. There is a limited capacity for making queries and getting an answer if a user has visited a site, but this isn't a supported API, it's using tricks, hacks, and side channels. These attacks are 8 years old, and browsers have been working to close the holes since. The simplest of holes have been closed[0]. I'm confident that more complicated ones exist, but they probably rely on timing information or other weirdness - TBH I stopped keeping track of it. There are also tricks that can be used to target individual websites, like scrolling and status codes.[1] One of Tor Browser's design goal is to "prevent a user's activity on one site from being linked to their activity on another site". [2] This is related to what you're after although not quite the same. -tom [0] See http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html https://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ [1] http://webdevwonders.com/css-history-hack-alternatives/ [2] https://www.torproject.org/projects/torbrowser/design/#identifier-linkability _______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
