Visited Links and Privacy

作者:frank 发表日期:2017-11-26 16:03:15 更新日期:2017-11-26 16:03:59 分类:猿文色


Visited Links and Privacy - CSS 权威指南 第四版


For well over a decade, it was possible to style visited links with any CSS properties available, just as you could unvisited links. However, in the mid-2000s several people demonstrated that one could use visual styling and simple DOM scripting to determine if a user had visited a given page. For example, given the rule :visited {font-weight: bold;}, a script could find all of the boldfaced links and tell the user which of those sites they’d visited—or, worse still, report those sites back to a server. A similar, non-scripted tactic uses background images to achieve the same result.

在 CSS 出现的前十几年, 由于可以为 visited links 设置任何 CSS 属性, 某些人发现可以通过 JS 获取到这些特性的属性值得知用户访问过那些网站...

While this might not seem terribly serious to you, it can be utterly devastating for a web user in a country where one can be jailed for visiting certain sites—opposition parties, unsanctioned religious organizations, “immoral” or “corrupting” sites, and so on. It can also be used by phishing sites to determine which online banks a user has visited. Thus, two steps were taken.

对大多数人来说, 被知晓访问过那些网站并不是多么恐怖的事情, 但是对于某些国家的人来说, 访问某些特定的网站属于违法行为, 可能因此获得牢狱之灾, 比如异党类网站, 种族主义网站... 因此, 出现了以下两步:

The first step is that only color-related properties can be applied to visited links: color, background-color, column-rule-color, outline-color, border-color, and the individual-side border color properties (e.g., border-top-color). Attempts to apply any other property to a visited link will be ignored. Furthermore, any styles defined for :link will be applied to visited links as well as unvisited links, which effectively makes :link “style any hyperlink,” instead of “style any unvisited hyperlink.”

第一步是只有颜色相关的 CSS 属性会被应用到 visited links: 颜色, 背景色, column-rule-color, 轮廓色, 边框色. 任何其他 CSS 属性都会被忽略. 更进一步, :link 伪类的样式会被同时应用到 unvisited links 和 visited links.

The second step is that if a visited link has its styles queried via the DOM, the resulting value will be as if the link were not visited. Thus, if you’ve defined visited links to be purple rather than unvisited links’ blue, even though the link will appear purple onscreen, a DOM query of its color will return the blue value, not the purple one.

第二步是通过 DOM 访问 visited links 的样式时, 其结果是 unvisited links 的结果.

As of late 2017, this behavior is present throughout all browsing modes, not just “private browsing” modes. Even though we’re limited in how we can use CSS to differentiate visited links from non-visited links, it is important for usability and accessibility to use the limited styles supported by visited links to differentiate them from unvisited links.