Sneakily reading out your browser history

Via Stuart Colville I got a URL that uses a sneaky trick to see where you have been surfing. Jeremiah Grossman shows how you can check for visited sites.

The common complaint of developers who don’t see the security and privacy issues with that is that you can read out the history of the window with JavaScript but you only get the amount of visited sites, not their URLs. With this trick, you can.

The trick is pretty easy: He uses a whole array of sites to check against, writes out a style for visited links to the page, writes out a list of these links and checks their computedStyle color attribute against the colour he set in the style. If it is the same, the page is in cache and has been visited beforehand.

I already commented that it may be more stable if you set a different style to the visited links like display block and a height and read the offsetHeight instead of computedStyle. In any case, it is a clever and worrying trick.