Overview

By observing the way the browser renders links, a site can query the browser’s history database and determine whether the user has visited URLs at other sites. The CSP HistoryModule lets web sites block this privacy threat.

Threat Model

The HistoryModule is concerned with defending against an attacker with the following abilities:

• The attacker can cause the user to visit the attacker's web page.
• The attacker owns and operates a malicious web site (e.g., attacker.com).

We further assume the web developer wishes to prevent the attacker from achieving the following goals:

• The attacker must not be able to determine whether a particular URL on the developer's web site has been visited previously.

We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.

Syntax

The HistoryModule introduces the following directives:

directive               = "safe-history"

Semantics

A hyperlink to a CSP site that has specified the safe-history directive should not have the :visited CSS pseudoclass unless the hyperlink is on the CSP site itself.