Google Chrome is finally addressing a longstanding privacy vulnerability that has potentially exposed users’ browsing history to websites for nearly two decades.
The upcoming Chrome 136 update will implement a new security measure to prevent websites from determining which other sites users have previously visited.
The vulnerability stems from the basic web feature that displays previously visited links in a different color (typically purple instead of blue). This CSS feature, the :visited pseudo-class selector, has been a standard part of web browsers since the early days of the internet.
The problem occurs because this styling was applied globally across all websites. If a user visited a specific URL on one site, that same URL would appear as “visited” on any other site as well. This created a significant privacy leak that websites could exploit to determine users’ browsing histories.
This isn’t just a theoretical privacy concern: it creates real security liabilities by enabling tracking, profiling, and targeted phishing attacks.
Over the years, researchers have demonstrated multiple techniques to exploit this vulnerability, including timing attacks, pixel attacks, user interaction attacks, and process-level attacks.
These methods could reveal sensitive information about users’ browsing habits.
After two decades, Chrome 136 will finally address this issue by implementing what Google calls “triple-key partitioning” of visited links.
Instead of storing link visits in a global database, Chrome will now partition each visited link using three distinct keys:
- Link URL (the target of the link)
- Top-level site (the domain shown in the address bar)
- Frame origin (the origin of the frame where the link is rendered)
To preserve usability, Google has added a “self-links” exception. This means visited links within a site will still be marked as visited on that site even if the user clicked them from elsewhere.
Since a website already knows which of its pages a user has visited, this exception doesn’t introduce new privacy concerns.
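The partitioning described above can be modelled in a few lines. The following is an added example written for this article, not Chrome's own code: a toy visited-link store that keeps the old global history beside the new triple-keyed partition and applies the self-links exception, so the difference in what a cross-site page can observe becomes concrete. The `siteOf` helper is a simplification (it takes the last two host labels as the registrable domain, where a real browser consults the Public Suffix List), and all URLs in the scenario are constructed.

```javascript
// Added example (not Chrome's code): a model of triple-key partitioning of :visited
// links as described in the article, with the self-links exception.

// Origin of a URL: scheme://host[:port]. Uses Node's global URL class.
function originOf(url) {
  return new URL(url).origin;
}

// "Site" of a URL: scheme + registrable domain. Assumption/simplification: the
// registrable domain is the last two host labels (a browser uses the Public Suffix List).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

class VisitedLinkStore {
  constructor() {
    this.globalHistory = new Set(); // legacy model: visited URLs, shared by every site
    this.partitioned = new Set();   // new model: keyed by (link URL, top-level site, frame origin)
  }

  key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([linkUrl, topLevelSite, frameOrigin]);
  }

  // The user clicks linkUrl inside a frame of origin frameOrigin, on a page whose
  // address bar shows topLevelSite. Both stores record the visit.
  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.globalHistory.add(linkUrl);
    this.partitioned.add(this.key(linkUrl, topLevelSite, frameOrigin));
  }

  // Pre-partitioning behaviour: every site gets the same answer for a given URL,
  // which is the leak the article describes.
  isVisitedLegacy(linkUrl) {
    return this.globalHistory.has(linkUrl);
  }

  // Partitioned behaviour: only the exact (link, top-level site, frame origin)
  // context that made the visit sees it. Self-links exception: a site rendering
  // a link to one of its own pages, in its own top-level frame, may style it as
  // visited even if the click happened elsewhere, since that site already knows
  // which of its pages the user has loaded.
  isVisitedPartitioned(linkUrl, topLevelSite, frameOrigin) {
    if (this.partitioned.has(this.key(linkUrl, topLevelSite, frameOrigin))) {
      return true;
    }
    const selfLink =
      siteOf(linkUrl) === topLevelSite && siteOf(frameOrigin) === topLevelSite;
    return selfLink && this.globalHistory.has(linkUrl);
  }
}

// Constructed scenario: the user reaches bank.example's account page from a
// search engine, then other pages try to style a link to that same URL.
function demo() {
  const store = new VisitedLinkStore();
  const target = "https://bank.example/accounts";
  const searchSite = siteOf("https://search.example/");
  const searchFrame = originOf("https://search.example/results");
  store.recordClick(target, searchSite, searchFrame);

  return {
    // old model: an unrelated site learns the user has been to the bank page
    legacyLeak: store.isVisitedLegacy(target),
    // new model: an unrelated top-level site sees nothing
    crossSite: store.isVisitedPartitioned(
      target, siteOf("https://tracker.example/"), originOf("https://tracker.example/page")),
    // the context that made the click still sees its own visited styling
    sameContext: store.isVisitedPartitioned(target, searchSite, searchFrame),
    // self-links exception: the bank styles links to its own pages
    selfLink: store.isVisitedPartitioned(
      target, siteOf("https://bank.example/"), originOf("https://bank.example/home")),
    // a cross-origin iframe on the bank's page does not qualify for the exception
    embeddedCrossOrigin: store.isVisitedPartitioned(
      target, siteOf("https://bank.example/"), originOf("https://tracker.example/widget")),
  };
}

module.exports = { originOf, siteOf, VisitedLinkStore, demo };
```

Running `demo()` shows the contrast the article draws: `legacyLeak` is true for any site that asks, while under partitioning only `sameContext` and `selfLink` are true and both cross-site probes return false. The third key (frame origin) is what keeps an embedded third-party frame from borrowing the self-links exception of the page that embeds it.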
Google explored several approaches before settling on triple-key partitioning. Completely removing the :visited selector was ruled out as it would eliminate valuable user experience cues that help people navigate websites.
A permissions-based model was also considered but rejected because it could be easily bypassed or abused by manipulative websites seeking to trick users into granting access.
The new :visited isolation feature was introduced experimentally in Chrome version 132 and is expected to become the default setting in Chrome 136.
Google warns that the feature is still being stabilized, so it might not work perfectly in all situations.
While Chrome moves to close this privacy gap, other major browsers have only partially addressed the issue:
- Firefox limits what styles can be applied to :visited links and blocks JavaScript from reading them, but doesn’t implement partitioning to isolate them from sophisticated attack vectors.
- Safari applies similar restrictions and uses its Intelligent Tracking Prevention system to mitigate some leaks, but also lacks the comprehensive partitioning needed to block all potential attacks.