Edit report at https://bugs.php.net/bug.php?id=67513&edit=1

 ID:                 67513
 Updated by:         le...@php.net
 Reported by:        phpbugs at kennel17 dot co dot uk
 Summary:            Visited links are indistinguishable from unvisited
                     links
 Status:             Assigned
 Type:               Bug
 Package:            Website problem
 Operating System:   N/A
 PHP Version:        5.5.13
 Assigned To:        levim
 Block user comment: N
 Private report:     N

 New Comment:

There definitely was a problem, but only when another type of compromise had 
been obtained (such as arbitrary JavaScript execution). Here's one such article 
that explains it: http://dbaron.org/mozilla/visited-privacy

To be clear, I'm not opposed to different colors, but I just want to make sure 
all the security implications have been taken care of first.


Previous Comments:
------------------------------------------------------------------------
[2014-06-25 23:15:37] phpbugs at kennel17 dot co dot uk

> I am not sure if the issues are resolved in all major versions
> of browsers, but it was an attack vector at one point to
> distinguish visited and unvisited links.

There is a potential information leak if the browser allows the site to know 
which links have been visited, but the issue is only about the browser leaking 
user information (history) to sites.

This is not, nor has it ever been, an 'attack vector' for websites and is 
absolutely no reason not to style visited links.  It just means that you are 
limited in what styling you can apply.  However, for most situations the only 
thing you'll want to change is the colour, which is supported by all browsers.

------------------------------------------------------------------------
[2014-06-25 16:35:07] so...@php.net

Fix for your side report (connected with PHP versions) has been committed. It 
will take some time until it spreads across all our mirrors.

------------------------------------------------------------------------
[2014-06-25 15:51:46] le...@php.net

I am not sure if the issues are resolved in all major versions of browsers, but 
it was an attack vector at one point to distinguish visited and unvisited links.

------------------------------------------------------------------------
[2014-06-25 15:39:06] so...@php.net

"(On an unrelated note, the issue tracker refused to accept my submission if I 
selected 'Irrelevant' as the PHP version.  Therefore this bug is randomly 
logged against a random PHP version)"

Thanks for the catch, I will look into it.

------------------------------------------------------------------------
[2014-06-25 14:54:23] phpbugs at kennel17 dot co dot uk

Description:
------------
The PHP.net documentation styles visited links to look the same as unvisited 
links, which affects usability.  Visited links should be styled differently so 
that it is clear to returning users what they have already visited.

This serves two important purposes:
* Makes it easier to re-locate a page you have previously visited (useful when 
returning to look for information you previously found).
* Helps you avoid revisiting pages you have already read (useful when looking 
for specific information, to avoid the frustration of repeatedly ending up back 
on the same page).


Expected result:
----------------
That PHP.net follows usability best-practice.

Actual result:
--------------
This browser feature has been unnecessarily disabled, resulting in a decreased 
user experience.

(On an unrelated note, the issue tracker refused to accept my submission if I 
selected 'Irrelevant' as the PHP version.  Therefore this bug is randomly 
logged against a random PHP version)


------------------------------------------------------------------------




-- 
PHP Webmaster List Mailing List (http://www.php.net/)