Considering the work needed by the website to convince the user to give away the data, and even with approaches like those described in the article, we may be overestimating what websites could learn about us by checking if we've visited some random 2, or 4, or 15 sites.

Yes, it's an invasion of privacy and has to be sanitized, but it's not like websites can see all of your history, view it in chronological order, or know if you visited this link 6 months ago or today. And plus, you need to make the user somehow disclose what he sees on the screen, which may often look suspicious.

And what would an adversarial website do with these {visitedlinks, IP} tuples? Hit me with personalized ads or sell that modicum of my history to some ad company? Big shit, I hit the reset button on my router, and I get a new dynamic IP address from the ISP. The site now knows nothing.

These work more as proof-of-concepts. The inconvenience they require to be collected, paired with the limited utility of the results, makes for an unattractive attack vector.

I agree that if someone wants to target specifically you and knows something about you, they can put this class of exploits to a more threatening use, such as (if you're at work) seeing if you've visited some company LAN URL. Or perhaps they can see if you've accessed the admin pages on some website they're targeting, so they can determine if you have admin rights there.