This is an experiment in browser history extraction using cache timing technology, made according to specifications for a coding challenge. Using this method I can check which websites (and some individual pages) you have visited recently with your browser, using a pre-configured list of web assets. This is a browser exploit, and one which likely will not be going away anytime soon. This particular algorithm is meant to work only on webkit-based browsers (Chrome, Safari); the pages linked below have some versions available for Firefox.
This application is available live at checkingyourbrowserhistory.herokuapp.com/. To test it out, I recommend opening an incognito window, visiting news.ycombinator.com/ and github.com/, then signing up for an account at the url given above (or localhost). You should see those applications highlighted in green, likely along with a ‘fake application’. The rest of the applications should appear below those.
The original scripts are available at lcamtuf.coredump.cx/cachetime/ and oxplot.github.io/visipisi/visipisi.html. The Visipisi algorithm relies on loading assets as images and is far more efficient than the lcamtuf algorithm, which uses iFrames. The algorithm seems to work sometimes, but its reliability is most questionable. I refactored the visipisi algorithm to use the setInterval function; I believe this is more readable than the original algorithm and (hopefully) just as accurate in determining if you have visited a site.
Cache timing algorithm: github.com/bjornlinder/WhereHaveIBeen/blob/master/app/assets/javascripts/history-extraction.js