CSS History Hack Without JavaScript


Now click here to see that your information has been logged.

This is an example of how the original CSS history hack found by Jeremiah Grossman can be modified to work without a single line of JavaScript. It uses the fact that properties within display: when combined with a:visited creates conditional logic. That condition will not fire certain things within the block. In this case I am including a nonexitant background image background: url(...); set in the CSS itself that is seemless to the user. The image actually points to a CGI script with the information about the URL that has been visited and is then logged along with the IP address of the user for later retrieval.

This should be mitigated by the SafeHistory plugin in Firefox but turning off JavaScript has no effect on the technique in the browsers tested (Internet Explorer 7.0 and Firefox 2.0.0.2). This did not work in Opera 9.02 when tested. Note: I chose this list because it is the Alexa top 5 in the United States. I also added one that's on the same site as this demo so it should not be blocked by cross domain restrictions imposed by SafeHistory. Download the source to the script here.

- By RSnake