This is because the security filters on my site, so the scanner will work in Firefox on all platforms.

If you mean as a protection against LAN scanning then I don’t think it would be make any difference unfortunately because if you reset all visited states, the scanner then creates a new set of history so therefore overwriting the rule.

The only way I could think to protect against this sort of attack would be to use something like stylish to disable the visited state altogether so the site in question cannot access the visited selector.

CSS allows to overrule previous set definitions. Isn’t it possible to overrule any ‘visited’ property with a default value? This way the url shouldn’t be requested.

Or am I wrong?

- Unomi -

I’ve also had enough with the biased media coverage of security blogs to the point now were I don’t even care. It is laughable that this article will never get coverage so I’m leaving up to the manufacturers to monitor my web site because why should I go to all the effort for nothing?

Yes any url that can be opened by iframes is available to be exploited.

Is every browser vulnerable?

BTW, this attack is not limited to HTTP requests. Any request to a URL supported by a browser can be logged. Say, FTP (ftp://), or port numbers (http://localhost:8080/) can be logged without notice.

Awesome if you want to exploit it, a nightmare if you want to prevent it.

- Unomi -

I’m just looking at the Firefox CSS features now and I can see huge scope for security problems, when I release the CSK (CSS Scripting Kit) you’ll see some of the issues.

Web security is certainly a myth, time they got their act together!