There are a bunch of these exploits — I remember one a few weeks ago that posed as a mind-reading survey — and I think they can only be well and truly solved by a same-domain policy for :visited links. In short, don't apply :visited styling to a link unless that link is the same domain as the host page. This is the general security model on the rest of the web and it'd work here.
Considering the work needed by the website to convince the user to give away the data, and even with approaches like described with the article, we may be overestimating what websites could learn of us by checking if we've visited some random 2, or 4, or 15 sites.<p>Yes, it's an invasion of privacy and has to be sanitized, but it's not like that websites can see all of your history, view it in chronological order, or know if you've visited this link 6 months ago or today. And plus, you need to make the user somehow disclose what he sees on the screen, which may often look suspicious.<p>And what would an adversarial website do with these {visitedlinks, IP} tuples? Hit me with personalized ads or sell that modicum of my history to some ad company? Big shit, I hit the reset button on my router, and I get a new dynamic IP address from the ISP. The site now knows nothing.<p>These work more as proof-of-concepts. The inconvenience they require to be collected, paired with the limited utility of the results, makes for an unattractive attack vector.<p>I agree that if someone wants to target specifically you and knows something about you, they can put this class of exploits to a more threatening use, such as (if you're at work) seeing if you've visited some company LAN URL. Or perhaps they can see if you've accessed the admin pages on some website they're targeting, so they can determine if you have admin rights there.
Oh neat, I thought this was broken at first since it said that I hadn't visited news.ycombinator.com. Then I remembered that after seeing a similar (though less clever) exploit a few weeks ago, I'd changed Firefox to not show visited styles. I'd call that a success.
>[...] for those using non-WebKit browsers, here's a slightly modified version that will do the trick for you [...]<p>All four are grey in Firefox for Android.
Wow. Lcamtuf is such a king of side-channel attacks.<p>Using opacity quantization/rounding errors to get around CSS :visited restrictions ... crazy brilliant.