History information leak -- try a if it doesn't work first time.
This demo places an <a>
anchor tag for each history sniffing attempt in an SVG document, then draws that SVG image in a <canvas>
, finally looking through the pixels to find the a:visited
colour. Additionally, it renders to a (PNG) Blob
to see if there is a file size difference (as the unvisited colour is the same as the background colour). Normal browser security would not be to not render a:visited
differently to the normal anchor colour when drawing through an SVG.