> > Now, Jeremiah Grossman found a way around that:
> > http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
>
> Very nice indeed, but not *quite* finding a way to get the URLs out of
> the browser window (session) history.

Actually further research (aka asking Stuart Langridge) revealed that it is not a new vulnerability at all:

http://seclists.org/bugtraq/2002/Feb/0271.html

The difference is that nowadays it'll be more common to add an Ajax request to store the retrieved data on the server with a script or something like that.

--
Chris Heilmann
Book: http://www.beginningjavascript.com
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/