Overview

By observing the way the browser renders links, a site can query the browser’s history database and determine whether the user has visited URLs at other sites. The CSP HistoryModule lets web sites block this privacy threat.

Dependencies

This module depends on the BaseModule.

Threat Model

The HistoryModule is concerned with defending against an attacker with the following abilities:

• The attacker owns and operates a malicious web site (e.g., attacker.com).
  
• The attacker can cause the user to visit the attacker's web page.
  

We further assume the web developer wishes to prevent the attacker from achieving the following goals:

• The attacker must not be able to determine whether a particular URL on the developer's web site has been visited previously.

We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.

Syntax

The HistoryModule introduces the following directives:

directive               = "safe-history"

Semantics

The safe-history directive is designed to prevent leakage of history information via the :visited CSS pseudoclass.  If the csp-policy contains at least one safe-history directive, the browser MUST NOT attach the :visited CSS pseudoclass to hyperlinks to the current web page unless the hyperlink is contained in a web page from the same origin as the current web page.

Open Issues

• What about cache timing? Maybe we should add a directive for isolating the cache per origin, or maybe we should fold the behavior into the same directive as visited links...