Mike Perry wrote: > Thus spake Mike Perry (mikepery@xxxxxxxxxx): > >> Also, it appears that we also need to hook >> document.defaultView.getComputedStyle(link,null).getPropertyValue(); >> somehow (perhaps by hooking getComputedStyle and clearing all >> properties for its return value if it is an "A" tag like I do with >> document.getElement*, or possibly by hooking the getPropertyValue >> method on the returned object) in order to defeat >> http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html > > No, this is stupid. The adversary can just walk the DOM and look for A > tags. You have to be pro-active and walk the whole DOM first yourself, > and strip the attributes off of each A tag as you find it. > > Or, perhaps getting the history clearing thing to work is the real > Ultimate Solution. Or maybe telling the Firefox developers to enforce a local/remote separation. The JS running from a remote server should not be able to determine computed properties of links. Think taint checking, like in Perl. > You can use fileio in javascript to read > history.dat (see jshooks.js), but the main issue is file locking on > windows may prevent you from writing it out again since it appears firefox > never actually closes the file. It's worth a shot though. Perhaps they > don't lock the file while they have it open, From what I remember when using TeX on windows is that file locking happens automagically. > and maybe they seek to the > beginning of it each time they read it out... > > Ok, I promise I won't reply to myself any more. ;) >
Attachment:
signature.asc
Description: OpenPGP digital signature