Open mikeg-de opened 8 years ago
True. It is still possibly exploitable and I'm open to suggestions or updates. HSTS is also worth looking into, although there have been some fixes there too: https://github.com/diracdeltas/sniffly
I have tried it with:
but no effect could be accessed by getComputedStyle as stated on developer.mozilla.org.
Though I had the idea of using the HTML5 Resource Timing API. By assuming someone has visited a particular website, i.e. a company-wide login page, its resources or connection information should be cached. Attaching the resource to the DOM and checking the resource timing metrics would reveal if the user has visited the website.
The limitations I could not probe completely at present but I think the major limitations are:
Check it out: User identification with HTML5 Resource API
In my proof of concept it seems to work:
Good testing. Have you tried seeing if you could glean information by using the visited css attribute to adjust the size of one object, but then obtaining information on a different object on the page which would have been affected? For example, if something is larger because it was visited, the object next to it should be in a different position on the page (or perhaps wrap).
Another thing I'd suggest investigating, though this is on a per-page basis, is if a resource behaves differently if a cookie is already set (user already visited or logged into the site), using that resource in a script tag or CSS tag. If you can use the remote resource as a CSS object style (even if it's not entirely valid), and some of the page is different based on whether the user has visited or logged into it before, then you may be able to glean if they've been to that site or more likely are logged in.
Also worth investigating: https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html
Obtaining the computed color of visited links seems to have been fixed back in 2010: http://stackoverflow.com/questions/5394099/detect-visited-link-in-chrome
Visited colors may be visible but the standard value is retrieved / provided by the browser.