http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/csshistoryprobing.aspxBackground One of the interesting attacks which makes the rounds every few years concerns the ability of web pages to use CSS to detect whether or not certain URLs have been visited. Given a sufficiently large set of URLs to probe, a website may be ableen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/csshistoryprobing.aspx#10128332Fri, 11 Feb 2011 23:10:35 GMT91d46819-8472-40ad-a661-2c78acb4018c:10128332EricLaw [ex-MSFT]<p>IE9 Release Candidate has adopted CSS styling restrictions, interoperable with the protections introduced by other latest-version browsers. <a rel="nofollow" target="_new" href="http://blogs.msdn.com/b/ieinternals/archive/2011/02/11/ie9-release-candidate-minor-changes-list.aspx">blogs.msdn.com/.../ie9-release-candidate-minor-changes-list.aspx</a></p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10128332" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/csshistoryprobing.aspx#9988278Wed, 31 Mar 2010 18:00:31 GMT91d46819-8472-40ad-a661-2c78acb4018c:9988278EricLaw [ex-MSFT]<p>A future version of Firefox is taking a swipe at this problem by disabling all styling of :visited other than color.</p> <p><a rel="nofollow" target="_new" href="http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/">http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/</a></p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9988278" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/csshistoryprobing.aspx#9948789Fri, 15 Jan 2010 04:21:52 GMT91d46819-8472-40ad-a661-2c78acb4018c:9948789EricLaw [ex-MSFT]<p>Pretty cool test page for this probing: <a rel="nofollow" target="_new" href="http://www.whattheinternetknowsaboutyou.com/top20k">http://www.whattheinternetknowsaboutyou.com/top20k</a></p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9948789" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/csshistoryprobing.aspx#9799626Tue, 23 Jun 2009 18:32:24 GMT91d46819-8472-40ad-a661-2c78acb4018c:9799626EricLaw [ex-MSFT]<p>@Stephen: Sure, you could try to trade performance for privacy, but obviously you still would have to block JavaScript, which isn't workable for many major sites that users care about. &nbsp;</p> <p>Even with pure CSS, however, it would probably still be possible to execute the attack unless the user is willing wait forever for pages to load, because the CSS could be made to take nearly forever to run.</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9799626" width="1" height="1">http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/csshistoryprobing.aspx#9799574Tue, 23 Jun 2009 18:12:33 GMT91d46819-8472-40ad-a661-2c78acb4018c:9799574Stephen Baker<p>Interesting security flaw. &nbsp;Of course there's another solution. &nbsp;If the browser didn't try to be as smart, and just prefetched all urls referred to in the css then the attacker wouldn't know if they had actually visited the site or not.</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9799574" width="1" height="1">