In a privacy advancement, Google Chrome will patch a long-standing web security flaw that has allowed websites to spy on users’ browsing histories for more than two decades.
Chrome 136, recently released to the beta channel, introduces a new “partitioning” mechanism that fundamentally changes how the browser handles visited links to eliminate this vulnerability.
The Privacy Problem with Visited Links
Since the early days of the web, browsers have used the CSS :visited pseudo-class to style links differently once a user has visited them.
This feature helps users navigate by distinguishing between visited and unvisited pages, typically rendering visited links in purple:
:visited {
  color: purple;
}
However, this seemingly innocent feature created a serious privacy vulnerability.
For 23 years, malicious websites have exploited this mechanism to determine which sites users have previously visited, potentially exposing sensitive information about health concerns, finances, or political views.
How the Attack Works
The technique, known as “browser history sniffing,” allows websites to detect which links a user has visited by analyzing how the browser renders them.
Originally, attackers could simply check the computed style of links using JavaScript methods like window.getComputedStyle() to determine if a user had visited specific sites.
While browsers implemented various mitigations over the years, researchers continued developing increasingly sophisticated methods to bypass these protections.
These included timing attacks (measuring rendering speed differences), pixel color analysis, and advanced techniques like SpectreJS to extract internal browser data.
Chrome’s Revolutionary Solution: Partitioning
Chrome’s solution involves fundamentally changing how visited links are tracked through a technique called “partitioning”.
Instead of maintaining a global list of visited links accessible to any website, Chrome will now store each visited link with additional contextual information – a “triple key” consisting of:
- The link’s URL
- The top-level site where the link was clicked
- The frame origin where the link was rendered
Under this system, a link will only appear as :visited if the user previously clicked it from the same site and frame context.
For example, if you visit Site A and click a link to Site B, that link will only appear as visited when viewing it again on Site A – not when you encounter the same link on a different website.
“It breaks the decades-long arms race between privacy engineers and attackers,” security researcher Lukasz Olejnik told The Register.
“This marks a major step forward in building a more private and respectful web for all users.”
The Self-Links Exception
Chrome’s implementation includes one important exception: “self-links” to pages within the same site.
Without this carveout, navigating within a website would be confusing, as links to the site’s pages wouldn’t appear as visited even if the user had accessed them previously.
This exception allows sites to display their subpages as :visited even if the user didn’t click them in that exact context before.
Since websites can already track which of their pages a user has visited through other means, this doesn’t compromise the privacy benefits of partitioning.
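The triple key and the self-link exception can be modelled in a few lines of JavaScript. This is an added illustration, not Chrome's code: the VisitedStore class, the siteOf helper and the example URLs are all hypothetical, and a "site" is simplified to scheme plus the last two host labels.

```javascript
// Simplified model of partitioned :visited history; not Chrome's implementation.
// Simplification: a "site" is scheme + last two host labels. Real browsers
// use the Public Suffix List to compute it.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

class VisitedStore {
  constructor() {
    this.triples = new Set(); // partitioned entries: link URL + top-level site + frame origin
    this.urls = new Set();    // every visited URL: the old global list
  }
  static key(link, topLevel, frame) {
    return JSON.stringify([new URL(link).href, siteOf(topLevel), new URL(frame).origin]);
  }
  // The user clicked `link` inside `frame`, on a page whose top-level URL is `topLevel`.
  recordClick(link, topLevel, frame) {
    this.triples.add(VisitedStore.key(link, topLevel, frame));
    this.urls.add(new URL(link).href);
  }
  // Pre-partitioning behaviour: any page learns whether the URL was ever visited.
  isVisitedGlobal(link) {
    return this.urls.has(new URL(link).href);
  }
  // Partitioned behaviour: the full triple must match, except for self-links.
  isVisitedPartitioned(link, topLevel, frame) {
    if (this.triples.has(VisitedStore.key(link, topLevel, frame))) return true;
    const selfLink = siteOf(link) === siteOf(topLevel) && siteOf(link) === siteOf(frame);
    return selfLink && this.urls.has(new URL(link).href);
  }
}

// Constructed scenario: on site-a.example the user clicks a link to a clinic page.
function demo() {
  const A = 'https://site-a.example/news';
  const B = 'https://site-b.example/clinic';
  const OTHER = 'https://other.example/';
  const store = new VisitedStore();
  store.recordClick(B, A, A);
  return {
    sameContext: store.isVisitedPartitioned(B, A, A),          // same site and frame
    otherSiteOld: store.isVisitedGlobal(B),                    // global list leaks the visit
    otherSiteNew: store.isVisitedPartitioned(B, OTHER, OTHER), // different top-level site
    framedInOther: store.isVisitedPartitioned(B, OTHER, A),    // A's frame embedded in OTHER
    selfLink: store.isVisitedPartitioned(B, 'https://site-b.example/', 'https://site-b.example/'),
  };
}
console.log(demo());
```

The framedInOther case shows why the top-level site is part of the key: embedding Site A's frame in another page does not reproduce the context in which the link was clicked.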
Implementation Timeline
Chrome 136, which includes this privacy enhancement, is already available in the beta channel and will soon reach stable release.
Chrome is the first major browser to implement this protection, potentially setting a new standard for web privacy that other browsers may follow.