I don’t want browsers to fix this. I like styling links, and the usability improvements I get by using links instead of CSS hacking on buttons are worth a site possibly stealing information from me.
You don’t have to throw out styling links to fix this. :visited is the problem. If it went away, almost nothing of value would be lost. If it got scoped to the origin of the site serving the markup, even less would be lost.
A minor note about :visited is that it is actually quite a limited pseudo-element. The only usable CSS properties for :visited are:
Notably, these are all colour-related; you cannot extend this to images, due to the privacy restrictions on this pseudo-element. So don’t do captchas that are just colour-based!
That said, I could certainly see someone like my father falling for a captcha like this.
I built my first web site in 1994. I’ve spent a stupid amount of time from 1999 until now thinking about web security, with quite a chunk of that focused on how that applies to privacy. And I would very likely have fallen for a CAPTCHA like this a couple of days ago. I’d have thought it was odd, but there are many odd and ineffective CAPTCHAs out there. I’d not have given it much thought.
I just realized that my comment insinuates that only a particular kind of person would fall for this… and I also insinuated that my dad is stupid, and neither is true.
What I meant was that this is clever, and lots of people may fill it out as a CAPTCHA because it is very compelling and looks like a CAPTCHA. Given this article, there is now a group of savvy web users that would be less likely to fall for it, and every time something like this proof of concept is shared, the number of people who will fall for it drops. But no matter what we do, there’s going to be a small subset of people who are not particularly web-literate, who trust sites more than they should, and who will never be able to not fall for a trick like this. That’s the point that I was trying to get at - how insidious issues around :visited can be, because no matter what, it’ll trick some of the people all of the time.
While I’d never considered this specific approach, I’m not surprised. I think it’s probably time for :visited to be scoped to an origin or just go away.