php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67513 Visited links are indistinguishable from unvisited links
Submitted: 2014-06-25 14:54 UTC Modified: 2017-10-24 08:11 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: phpbugs at kennel17 dot co dot uk Assigned:
Status: Open Package: Website problem
PHP Version: 5.5.13 OS: N/A
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: phpbugs at kennel17 dot co dot uk
New email:
PHP Version: OS:

 

 [2014-06-25 14:54 UTC] phpbugs at kennel17 dot co dot uk
Description:
------------
The PHP.net documentation styles visited links to look the same as unvisited links, which affects usability.  Visited links should be styled differently so that it is clear to returning users what they have already visited.

This serves two important purposes:
* Makes it easier to re-locate a page you have previously visited (useful when returning to look for information you previously found).
* Helps you avoid revisiting pages you have already read (useful when looking for specific information, to avoid frustration of repeatedly ending back on same page).


Expected result:
----------------
That PHP.net follows usability best-practice.

Actual result:
--------------
This browser feature has been unnecessarily disabled, resulting in a decreased user experience.

(On an unrelated note, the issue tracker refused to accept my submission if I selected 'Irrelevant' as the PHP version.  Therefore this bug is randomly logged against a random PHP version)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-25 15:37 UTC] sobak@php.net
-Assigned To: +Assigned To: levim
 [2014-06-25 15:39 UTC] sobak@php.net
"(On an unrelated note, the issue tracker refused to accept my submission if I selected 'Irrelevant' as the PHP version.  Therefore this bug is randomly logged against a random PHP version)"

Thanks for the catch, I will look into it.
 [2014-06-25 15:51 UTC] levim@php.net
I am not sure if the issues are resolved in all major versions of browsers, but it was an attack vector at one point to distinguish visited and unvisited links.
 [2014-06-25 16:35 UTC] sobak@php.net
Fix for your side report (connected with PHP versions) has been commited. It will take some time until it will spread across all our mirrors.
 [2014-06-25 23:15 UTC] phpbugs at kennel17 dot co dot uk
> I am not sure if the issues are resolved in all major versions
> of browsers, but it was an attack vector at one point to
> distinguish visited and unvisited links.

There is a potential information leak if the browser allows the site to know which links have been visited, but the issue is only about the browser leaking user information (history) to sites.

This is not, nor has it ever been, an 'attack vector' for websites and is absolutely no reason not to style visited links.  It just means that you are limited in what styling you can apply.  However, for most situations the only thing you'll want to change is the colour, which is supported by all browsers.
 [2014-06-26 17:24 UTC] levim@php.net
There definitely was a problem, but only when another type of compromise had been obtained (such as arbitrary JavaScript execution). Here's one such article that explains it: http://dbaron.org/mozilla/visited-privacy

To be clear, I'm not opposed to different colors but I just want to make sure all the security implications have all been taken care of first.
 [2014-06-27 09:00 UTC] phpbugs at kennel17 dot co dot uk
Well, if a site has already been hacked then there are lots of things that are compromised, and visited links are probably at the bottom of that list in terms of risk/severity.  It doesn't make it an attack vector in itself.

Indeed, if I have injected JS into a page and want to detect visited links, then the first thing I do is inject a <style> tag into the page which styles them how I want.

Therefore I still contend that there is never a reason for a site to worry about visited link styling from a security perspective.
 [2017-10-24 08:11 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: levim +Assigned To:
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Oct 05 22:01:26 2024 UTC