Edit report at https://bugs.php.net/bug.php?id=67513&edit=1

 ID:                 67513
 Updated by:         [email protected]
 Reported by:        phpbugs at kennel17 dot co dot uk
 Summary:            Visited links are indistinguishable from unvisited links
-Status:             Assigned
+Status:             Open
 Type:               Bug
 Package:            Website problem
 Operating System:   N/A
 PHP Version:        5.5.13
-Assigned To:        levim
+Assigned To:
 Block user comment: N
 Private report:     N

Previous Comments:
------------------------------------------------------------------------
[2014-06-27 09:00:37] phpbugs at kennel17 dot co dot uk

Well, if a site has already been hacked then there are lots of things that are compromised, and visited links are probably at the bottom of that list in terms of risk/severity. It doesn't make it an attack vector in itself.

Indeed, if I have injected JS into a page and want to detect visited links, then the first thing I do is inject a <style> tag into the page which styles them how I want.

Therefore I still contend that there is never a reason for a site to worry about visited link styling from a security perspective.

------------------------------------------------------------------------
[2014-06-26 17:24:33] [email protected]

There definitely was a problem, but only when another type of compromise had been obtained (such as arbitrary JavaScript execution). Here's one such article that explains it: http://dbaron.org/mozilla/visited-privacy

To be clear, I'm not opposed to different colors but I just want to make sure all the security implications have all been taken care of first.

------------------------------------------------------------------------
[2014-06-25 23:15:37] phpbugs at kennel17 dot co dot uk

> I am not sure if the issues are resolved in all major versions
> of browsers, but it was an attack vector at one point to
> distinguish visited and unvisited links.

There is a potential information leak if the browser allows the site to know which links have been visited, but the issue is only about the browser leaking user information (history) to sites.
This is not, nor has it ever been, an 'attack vector' for websites and is absolutely no reason not to style visited links. It just means that you are limited in what styling you can apply. However, for most situations the only thing you'll want to change is the colour, which is supported by all browsers.

------------------------------------------------------------------------
[2014-06-25 16:35:07] [email protected]

Fix for your side report (connected with PHP versions) has been committed. It will take some time until it will spread across all our mirrors.

------------------------------------------------------------------------
[2014-06-25 15:51:46] [email protected]

I am not sure if the issues are resolved in all major versions of browsers, but it was an attack vector at one point to distinguish visited and unvisited links.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=67513
