New Chrome update to fix a long-standing bug in user privacy for visited links

Alfonso Maruccia

It only took 20 years: Browsers have long exposed visited link history to malicious websites, enabling attackers to profile users or run phishing campaigns. By isolating link history with a new partitioning model, Chrome could close off an entire class of privacy attacks – potentially setting a new standard for safer web browsing.

Browsers have mishandled visited site tracking since the early days of the internet. Google is now working to fix the issue with Chrome. The browser's next update will improve how it manages visited history, potentially rendering an entire class of exploits obsolete.

Google says Chrome 136 will be the first major browser to partition visited link history. Traditionally, the CSS ":visited" selector has let websites style visited links – typically changing them from blue to purple. Modern design enables far more customization, which attackers have exploited to extract users' browsing history through side-channel attacks.

Cyber-criminals have exploited this issue by developing creative techniques to unmask users' visited URL history, leading to serious security threats such as tracking, profiling, and phishing campaigns. Chrome 136 aims to shut down these exploits by restricting how websites apply styles through the visited selector.

The visited history has traditionally been unpartitioned, with no specific restrictions on where the selector could display previously clicked links. The new partitioning approach will ensure that a link appears as "visited" (default purple) only on the original site and within the frame where the user first clicked it.

Partitioning prevents cross-site leakage of visited link history, though Google plans to allow an exception for self-referencing links to preserve usability. The company also decided against fully deprecating the visited selector, arguing that it provides essential visual feedback for users.

Chrome 132 initially introduced partitioning as an experimental feature, and Google expects to enable it by default in Chrome 136. Other browsers have taken steps to prevent URL history leaks, but none have implemented partitioning or history isolation. If Chrome's approach proves effective without degrading the user experience, rival browsers may adopt similar measures.
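The partitioning model described above, sketched as an added example (not Chrome's code and not part of the original article): it compares a global visited set with one keyed by link URL, top-level site and frame origin. The class names, the use of URL origin as a stand-in for "site", the exact key shape, the way the self-link exception is modeled, and the `.example` domains are all assumptions made for illustration.

```javascript
// Simplified model of visited-link lookups (not browser code).
// Assumption: a partitioned entry is keyed by link URL, top-level site and
// frame origin. URL origin stands in for "site" to keep the model small.
const originOf = (url) => new URL(url).origin;

class UnpartitionedHistory {
  constructor() { this.visited = new Set(); }
  recordVisit(link) { this.visited.add(link); }
  // Any page, on any site, gets the same answer.
  isVisited(link) { return this.visited.has(link); }
}

class PartitionedHistory {
  constructor() { this.entries = new Set(); this.navigated = new Set(); }
  static key(link, topLevel, frame) {
    return JSON.stringify([link, originOf(topLevel), originOf(frame)]);
  }
  recordVisit(link, topLevel, frame) {
    this.entries.add(PartitionedHistory.key(link, topLevel, frame));
    this.navigated.add(link);
  }
  isVisited(link, topLevel, frame) {
    if (this.entries.has(PartitionedHistory.key(link, topLevel, frame))) return true;
    // Self-link exception (modeled assumption): a site may show its own
    // pages as visited, since it already knows the user loaded them.
    const selfLink = originOf(link) === originOf(topLevel) &&
                     originOf(link) === originOf(frame);
    return selfLink && this.navigated.has(link);
  }
}

// Constructed scenario: the user clicks a shop.example link on news.example.
function demo() {
  const link = "https://shop.example/cart";
  const news = "https://news.example/";
  const probe = "https://probe.example/"; // hypothetical third-party site
  const shop = "https://shop.example/";
  const before = new UnpartitionedHistory();
  const after = new PartitionedHistory();
  before.recordVisit(link);
  after.recordVisit(link, news, news);
  return {
    unpartitionedOnProbe: before.isVisited(link),         // leak to any site
    sameSiteSameFrame: after.isVisited(link, news, news), // where it was clicked
    otherSite: after.isVisited(link, probe, probe),       // different top-level site
    embeddedFrame: after.isVisited(link, news, probe),    // third-party iframe
    selfLink: after.isVisited(link, shop, shop),          // site's own page
  };
}
console.log(demo());
```
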


 
Years ago Chrome was updated so that any new website you visit in a new tab could not track you. Was this broken, or still a thing?
 
Every web request your browser makes to a site allows that site to track you. The HTTP request includes the "referrer" (the web page where the request originated) and your IP address. If the request is for JavaScript then that site can run code in the web page that watches everything you do on the page and sends a summary over the network; this is why every ad you see loads kilobytes of tracking JavaScript. In addition, unless you browse in an Incognito tab (called "Private" in Firefox), web sites can save local cookies and local data so that the next time you visit they remember "seeprime" is back, and also build up a browsing history locally. In addition to private browser tabs, you can reduce this garbage by using Firefox's Enhanced Tracking Protection, uBlock Origin or some other ad blocker, other privacy extensions, etc.

I don't think anything Chrome has done prevents new web sites from doing this tracking. _Always_ open links in private tabs unless it's a site which you need to be logged in to operate.

The exploit referred to in this lets JavaScript code look at the special styling of ":visited" links on a page so it can tell which of those links you've visited.
 