Slashdot ran an interesting story titled: “76% Web Users Affected by Browser History Stealing”. NoScript alone can’t save you from this one. The truly amazing part is that it’s been around for 10 years and it’s STILL a known problem with modern web browsers.
There’s a great proof-of-concept site here which will conduct the history leak on your browser. There are two ways it can do this: JavaScript and CSS. I’ve been aware of the JavaScript method for years, but I’ve only heard about a possible way of doing this with CSS (I’ve never seen it in action before). That’s the part I found really cool.
From http://whattheinternetknowsaboutyou.com/docs/details.html with regard to conducting this using CSS:
Using the :visited pseudoclass on a elements, it is possible to specify a background-url attribute which will make a request to the server if a particular link has been visited. We can thus achieve the same goal of determining visited links without using JavaScript. For example:
<style>
  a#link1:visited { background-image: url(/log?link1_was_visited); }
  a#link2:visited { background-image: url(/log?link2_was_visited); }
</style>
<a href="http://google.com" id="link1">
<a href="http://yahoo.com" id="link2">
The site even does a write-up on solutions to help avoid this (here):
For a quick fix: Firefox or Chrome users, you have private browsing mode or incognito mode respectively.
If you run Internet Explorer (which you should never do), there’s not a whole lot you can do aside from disabling CSS, which will break most websites today. For prevention methods in IE, Microsoft has an MSDN article for you here.
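As an added example (not from the original post or the quoted site), here is a small Node.js check a defender could run over stylesheets, such as user-supplied or third-party CSS, to flag the pattern quoted above: a :visited selector whose declarations contain url(). The function name findVisitedUrlRules and the sample rules beyond the two quoted ones are made up for illustration.

```javascript
// Added example: audit CSS for :visited rules that trigger a fetch via url().
// Simplified parser: strips comments and reads innermost { } blocks; it does
// not handle braces, commas or semicolons inside strings or url() values.

// url(...) with optional matching quotes; capture group 2 is the target.
const URL_RE = /url\(\s*(['"]?)([^'")]*)\1\s*\)/gi;

function findVisitedUrlRules(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;            // innermost blocks
  let m;
  while ((m = ruleRe.exec(text)) !== null) {
    // Discard any at-rule statement (e.g. @import ...;) before the selector.
    const selectors = m[1].split(';').pop().split(',').map((s) => s.trim());
    for (const selector of selectors) {
      if (!/:visited\b/i.test(selector)) continue;
      for (const decl of m[2].split(';')) {
        const idx = decl.indexOf(':');
        if (idx < 0) continue;
        const property = decl.slice(0, idx).trim().toLowerCase();
        for (const u of decl.slice(idx + 1).matchAll(URL_RE)) {
          findings.push({ selector, property, url: u[2].trim() });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the two rules quoted on this page plus benign rules.
const SAMPLE_CSS = `
a#link1:visited { background-image: url(/log?link1_was_visited); }
a#link2:visited { background-image: url(/log?link2_was_visited); }
a:visited { color: purple; }             /* no url(): not flagged */
a:hover { background: url(/hover.png); } /* not :visited: not flagged */
@media screen { li a:visited, li a:link { list-style-image: url("/m.gif"); } }
`;

for (const f of findVisitedUrlRules(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.property} fetches ${f.url}`);
}
```

Rules that only change color are not reported, since they make no request to a server; only :visited selectors paired with url() are.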