Tom Ritter wrote: > On 24 September 2014 13:11, Hans-Christoph Steiner > <[email protected]> wrote: >> But as far >> as I understand it, browsers always make the browsing history available to >> all >> sites that run javascript. > > That's not true. You cannot simply call an API and get a list of > sites that have been visited. > > There is a limited capacity for making queries and getting an answer > if a user has visited a site, but this isn't a supported API, it's > using tricks, hacks, and side channels. These attacks are 8 years old, > and browsers have been working to close the holes since. The simplest > of holes have been closed[0]. I'm confident that more complicated > ones exist, but they probably rely on timing information or other > weirdness - TBH I stopped keeping track of it. > > There are also tricks that can be used to target individual websites, > like scrolling and status codes.[1] > > > One of Tor Browser's design goal is to "prevent a user's activity on > one site from being linked to their activity on another site". [2] > This is related to what you're after although not quite the same. > > -tom > > [0] See > http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html > https://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ > [1] http://webdevwonders.com/css-history-hack-alternatives/ > [2] > https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
Thanks for that. I didn't think there was necessarily a direct API for getting the history, but as you pointed out, the browsers did allow for a method for getting the history. Glad to see that is no longer the case, more or less. But it seems far from guaranteed. .hc -- PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81 _______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
