Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
[compositing] mix-blend-mode circumvents browsing history privacy protection #18
'mix-blend-mode' appears to enable bypassing the browsing history protection browsers have for
(The measure commonly implemented I believe is to only allow foreground and background colors to be changed, and
See https://lcamtuf.blogspot.se/2016/08/css-mix-blend-mode-is-bad-for-keeping.html by @lcamtuf and http://lcamtuf.coredump.cx/whack/ for a demo of the attack.
@zcorpan Can you give more details about
This attack (in the demo) works by encouraging users to click on visibly distinct portions of the screen. I've seen similar demo attacks that use a fake CAPTCHA (with each letter being a link, and
In other words, so long as any
The solution I mused about on Twitter is for user agents to not apply
That's very creative and clever. It will be difficult to avoid without some drastic changes.
As Amelia said,
I feel that maybe browsers should move highlighting of visited links into an internal feature, where the user presses a hotkey and all visited links are highlighted somehow.
Also, I wonder if it's worth browsers displaying a warning for pages that have thousands of distinct URLs.