Thus spake Mike Perry ([EMAIL PROTECTED]): > Also, it appears that we also need to hook > document.defaultView.getComputedStyle(link,null).getPropertyValue(); > somehow (perhaps by hooking getComputedStyle and clearing all > properties for its return value if it is an "A" tag like I do with > document.getElement*, or possibly by hooking the getPropertyValue > method on the returned object) in order to defeat > http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
No, this is stupid. The adversary can just walk the DOM and look for A tags. You have to be pro-active and walk the whole DOM first yourself, and strip the attributes off of each A tag as you find it. Or, perhaps getting the history clearing thing to work is the real Ultimate Solution. You can use fileio in javascript to read history.dat (see jshooks.js), but the main issue is file locking on windows may prevent you from writing it out again since it appears firefox never actually closes the file. It's worth a shot though. Perhaps they don't lock the file while they have it open, and maybe they seek to the beginning of it each time they read it out... Ok, I promise I won't reply to myself any more. ;) -- Mike Perry Mad Computer Scientist fscked.org evil labs
