Google has announced a significant security enhancement in Chrome version 136, effectively resolving a 23-year-old vulnerability that allowed malicious websites to access users’ browsing histories. This update introduces a feature called :visited link partitioning, positioning Chrome as the first major browser to fully eliminate this longstanding privacy issue that has affected web browsers since the early days of CSS.
The Purple Link Issue
Since the inception of the web, browsers have utilized the CSS :visited selector to style links that users have previously clicked, typically changing their color to purple. While this feature enhances user experience by indicating visited links, it has also harbored a significant security flaw. Security researchers have long warned that this mechanism could be exploited by malicious websites to detect whether a visitor had previously accessed specific URLs. This detection is possible because browsers traditionally maintained a global, unpartitioned list of visited URLs.
In this traditional implementation, if a user visited Site B through a link on Site A, any other website could later determine that the user had visited Site B, even if the user never clicked a link to Site B from that third site. Malicious websites could create invisible links to thousands of popular websites and use various techniques to detect which ones the browser styled as :visited, effectively creating a fingerprinting mechanism that revealed users’ browsing patterns.
How Partitioning Fixes the Problem
Chrome’s solution involves partitioning the visited links, associating them with their original context. Instead of maintaining a single global history list, Chrome now stores visited links alongside information about where they were clicked, including:
– The link URL
– The top-level site
– The frame origin
This partitioning ensures that a link is only displayed as visited if the user has clicked on that link from the same site before. This effectively prevents cross-site history leaks while preserving the user experience benefit of visited link styling.
Self-Links Exception
To maintain usability, Chrome has implemented a self-links carveout that allows websites to display their own subpages as visited, even if the user accessed them from a different site. Google justifies this exception by noting that sites have other methods of tracking whether a user has visited their subpages, so no new privacy risk is introduced. This carveout only applies to a site’s own subpages. Links to third-party sites or in third-party iframes remain strictly partitioned, enforcing proper security boundaries.
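The triple key and the self-links carveout described above can be modelled in a few lines. This is an added example, not Chrome's code: the class and function names, the way the carveout is stored as an extra key, the two-label approximation of "site", and the `.example` hosts are all assumptions made for illustration.

```javascript
// Simplified model of a partitioned :visited store (added example, not Chrome's code).
// Assumption: "site" is approximated as scheme + last two host labels; real browsers
// use the Public Suffix List to compute the registrable domain.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

function originOf(url) {
  return new URL(url).origin;
}

class PartitionedVisitedStore {
  constructor() {
    this.keys = new Set();
  }

  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([new URL(linkUrl).href, topLevelSite, frameOrigin]);
  }

  // Record a click on linkUrl made inside a frame at frameUrl, under the page at topLevelUrl.
  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.keys.add(PartitionedVisitedStore.key(linkUrl, siteOf(topLevelUrl), originOf(frameUrl)));
    // Self-link carveout (modelled here as an extra key): the destination may style links
    // to itself as visited, but only in its own frame origin under its own top-level site.
    this.keys.add(PartitionedVisitedStore.key(linkUrl, siteOf(linkUrl), originOf(linkUrl)));
  }

  // Would a link to linkUrl match :visited in this rendering context?
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.keys.has(PartitionedVisitedStore.key(linkUrl, siteOf(topLevelUrl), originOf(frameUrl)));
  }
}

// Constructed sample: the user clicks a link to site-b on a page of site-a.
const store = new PartitionedVisitedStore();
const link = "https://www.site-b.example/article";
store.recordClick(link, "https://www.site-a.example/", "https://www.site-a.example/");

const results = {
  sameContext: store.isVisited(link, "https://www.site-a.example/news", "https://www.site-a.example/news"),
  otherSite: store.isVisited(link, "https://www.site-c.example/", "https://www.site-c.example/"),
  selfLink: store.isVisited(link, "https://www.site-b.example/", "https://www.site-b.example/"),
  thirdPartyFrame: store.isVisited(link, "https://www.site-c.example/", "https://www.site-b.example/widget"),
};
console.log(results);
```

Only the context where the click happened and the destination site itself see the link as visited; an unrelated site, or the destination's own origin embedded as an iframe under another top-level site, gets no match.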
The fix is launching with Chrome version 136, making Google’s browser the first to solve this decades-old security vulnerability completely. Other browsers have previously implemented partial mitigations that slowed down such attacks but did not eliminate them entirely.