Clicking the button will open it in this browser - albeit in a new tab. Which means it can use the CSS link:visited stuff etc. to determine where you've been! Hopefully same-origin means websites can't do timing probes - but they can, for most browsers, probe history.

However, if using privacy mode, this may not be true. And it's hard to detect privacy mode - and does privacy mode disable CSS link:visited anyway? Maybe it only remembers history for present session but does remember it? Hmmm...

Can we provide a tester? We could even integrate this in the button? Try to do the link:visited test, and if it works, warn the user?
