
SafeHistory Stops CSS History Hack

I found a pretty interesting tool while surfing around various websites (I wish I could cite the source): Stanford’s SafeHistory Firefox plugin. I’ve been testing it for the last day or so and it looks pretty good, despite a few issues with usability. It’s designed to stop Jeremiah’s CSS history hack by not changing the color of links to other origins.

SafeHistory does change the links for same origins, so the hack is still possible if you are using it for your own domain; for cross domains, however, it appears pretty useful in stopping the attack. The major issue I see with this is that sometimes I really do like to know where I’ve clicked, and this changes the page in doing so. I haven’t tested how CSS affects this, but I suspect it doesn’t change as a result of being clicked on, which could actually change the layout of the page in some circumstances. It’ll be interesting to see any future bugs that this software introduces. However, it’s a pretty interesting take on the problem, and I’m glad to see people are working on it.
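
The policy described above, sketched as an added example (not SafeHistory's code and not part of the original post): visited styling is allowed only when the link and the page displaying it share an origin. The function names and sample URLs are hypothetical, and the browser history is modelled as a plain set of URLs.

```javascript
// Simplified model of a same-origin visited-link policy.
// Added example; all names here are hypothetical.

// Return the origin (scheme://host:port) of a URL, or null if it has none.
function originOf(url, base) {
  try {
    const u = new URL(url, base);
    // Opaque origins (data:, javascript:, file:) serialize as "null".
    return u.origin === "null" ? null : u.origin;
  } catch (e) {
    return null; // unparsable link: never treated as same-origin
  }
}

// Decide whether a link on `pageUrl` may be drawn with :visited styling.
// `history` is a Set of absolute URLs the browser has visited.
function mayStyleVisited(pageUrl, href, history) {
  const pageOrigin = originOf(pageUrl);
  const linkOrigin = originOf(href, pageUrl); // resolves relative links
  if (pageOrigin === null || linkOrigin === null) return false;
  if (pageOrigin !== linkOrigin) return false; // cross-origin: always "unvisited"
  return history.has(new URL(href, pageUrl).href);
}

// What a page can observe: for each link, whether it renders as visited.
function observableVisitedState(pageUrl, hrefs, history) {
  return hrefs.map((href) => mayStyleVisited(pageUrl, href, history));
}

// Constructed sample history.
const sampleHistory = new Set([
  "https://bank.example/login",
  "https://blog.example/archive/2006",
]);

// A page on another origin sees every cross-origin link as unvisited.
console.log(observableVisitedState("https://other.example/page",
  ["https://bank.example/login", "https://blog.example/archive/2006"],
  sampleHistory));

// A page on blog.example still sees its own visited links, which is the
// same-origin case the post says remains possible.
console.log(observableVisitedState("https://blog.example/post",
  ["/archive/2006", "/archive/2005", "https://bank.example/login"],
  sampleHistory));
```

Scheme and port are part of the origin, so in this model an `http://` page does not see visited state for `https://` links on the same host.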

3 Responses to “SafeHistory Stops CSS History Hack”

  1. maluc Says:

    The old accessibility versus security war is unavoidable, and I agree.

    I’m glad to see that when I can’t have both my cakes, at least I can have the choice of which one to eat.

    -maluc

  2. Martin J. Says:

    Hey RSnake, I am disappointed in you - you should devote more attention to your audience ;) I posted a link to SafeHistory in the comment section of this blog quite a while ago (http://ha.ckers.org/blog/20060823/css-history-stealing-acts-as-cookie/#comment-1732). Never mind though, there is always too much information anyway.

  3. RSnake Says:

    Oh crap, I’m sorry, Martin… I said I was going to look into them and I didn’t. I sincerely apologize! I actually re-found the same links through another site days ago, and again forgot the name of THAT site even, which is why I couldn’t remember where I had found it originally. I’ve got too many things going on in my brain at once.