On Mon, Apr 05, 2010 at 07:18:26PM +0000, corvid wrote:
Johannes wrote:
On Tue, Jan 05, 2010 at 03:36:24PM +0000, corvid wrote:
The other day, I saw another of those pages about using :visited and display in order to allow others to learn whether the user has visited a page. (I remember Johannes pointing to a page about this last year, too.)
I wonder whether it would be sensible to have a dillorc option defaulting to NO for whether to use :visited.
Yes, that sounds good. We should distinguish between remote / embedded CSS and user agent and user stylesheet though. For the latter two we don't need any restrictions.
Does this look right?
I'm also currently thinking about this issue - reminded by this article: http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/ Maybe the fix implemented in your patch is too drastic. I would hope that something like the solution presented in the article above would be enough. If so, I would simply hardcode it and not make an option to disable it. Cheers, Johannes