New css attack

[xr200dirtrider1121]

Seriously, you just need to know how to set up your browser... no addons, plugins, or VPNs to the Caymen Islands needed.

 

[Maribelle]

So what precisely is this detecting?

background:url plus a randomstring? You can check the source out here:
http://ha.ckers.org/weird/CSS-history.tar.gz

 

[Arik F]

As I understand it, disabling history prevents this attack, so that would explain it.

Is there a CSS fix you'd be able to employ against this, or is disabling history the only fix?

My history isn't disabled and it still can't detect what sites I visited.

 

[volleyball4life]

Is there a CSS fix you'd be able to employ against this, or is disabling history the only fix?

Can you check if setting layout.css.visited_links_enabled to false in about:config fixes the leak in Firefox with history enabled?

 

[Deanna[:]

The following sites were visited:

That's what he gives me ... nothing more.

 

[Yazid M]

That appears to block the script's detection, yes.

 

[trumpeterny]

layout.css.visited_links_enabled

I love you. I wanted to go peeking inside the settings to find exactly that, but was too lazy. :wub:

 

[fryeguy82]

Thank you both for letting me know.