After two decades of persistent concern among privacy advocates and web security researchers, Google is finally rolling out a fix for a long-standing vulnerability in Chrome that has silently exposed users’ browsing history.
The issue stems from how browsers have traditionally handled the :visited CSS selector, allowing websites to visually distinguish between links a user has previously clicked and those they haven’t. While intended as a user experience enhancement, this feature has been repeatedly exploited to perform stealthy history-sniffing attacks.
The Privacy Leak Explained
At the heart of the problem lies the browser’s ability to style links as :visited, typically changing their color from blue to purple, based solely on whether the user has clicked the link before. This styling was applied regardless of the site on which the link was originally clicked, meaning any website could potentially deduce the user’s browsing history through clever scripting.
Over the years, researchers have demonstrated a range of attacks leveraging this vulnerability, including timing-based techniques, pixel-level scans, interaction-based tracking, and even exploiting underlying browser processes. These attacks allowed malicious websites to detect which URLs a user had previously visited, leading to potential profiling, targeted phishing, and invasive tracking.
Chrome 136 Introduces Triple-Key Partitioning
With the release of Chrome version 136, Google is introducing a major architectural change to address the issue once and for all. The browser will now use a triple-key partitioning system to isolate visited link data. This system considers:
- The target link URL
- The top-level site (i.e., domain in the address bar)
- The frame origin where the link is rendered
This update means that a link will only appear as visited if it was clicked within the same site and frame origin—effectively eliminating cross-site tracking through :visited styles.
To maintain usability, Google has included a “self-links” exception. This ensures that links pointing to a site’s own pages will still appear as visited when the user is on that site, even if those pages were originally reached from elsewhere. Since the site already knows which of its own pages were visited, this exception doesn’t pose additional privacy risks.
Google ruled out more radical approaches like deprecating :visited entirely—due to the loss of helpful UX indicators—or permission-based models, which could be abused or easily bypassed.
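The following is an added model of the triple-key partitioning and the self-links exception described above. It is illustration code written for this article, not Chrome’s implementation: the names VisitedLinkStore, siteOf, recordClick, isVisited and demo are invented, the “site” computation is simplified to the last two host labels rather than consulting the Public Suffix List, and the bank.example / tracker.example hosts are constructed sample values. Toggling the partitioned flag shows why a third-party page can no longer learn whether a user has been to another site.

```javascript
// Added model of Chrome 136's triple-key partitioning of the :visited link
// database (link URL, top-level site, frame origin) with the self-links
// exception. Not Chrome's code; all names here are invented for illustration.

const VISITED_STYLE = "purple";
const UNVISITED_STYLE = "blue";

// Reduce a URL or origin to its "site" (scheme + registrable domain).
// Assumption: real browsers use the Public Suffix List; keeping the last two
// host labels is enough for the example.com-style hosts used below.
function siteOf(urlOrOrigin) {
  const u = new URL(urlOrOrigin);
  const domain = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${domain}`;
}

class VisitedLinkStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned;   // false = legacy global history
    this.partitionedKeys = new Set(); // keys built from the triple
    this.visitedAnywhere = new Set(); // link URLs clicked in any context
  }

  // Legacy behaviour keys on the link URL alone; the partitioned store keys
  // on the link URL, the top-level site and the exact frame origin.
  key(linkUrl, topLevelUrl, frameOrigin) {
    if (!this.partitioned) return linkUrl;
    return JSON.stringify([linkUrl, siteOf(topLevelUrl), new URL(frameOrigin).origin]);
  }

  // Record that the user clicked linkUrl inside a frame of origin frameOrigin
  // while the address bar showed topLevelUrl.
  recordClick(linkUrl, topLevelUrl, frameOrigin) {
    this.partitionedKeys.add(this.key(linkUrl, topLevelUrl, frameOrigin));
    this.visitedAnywhere.add(linkUrl);
  }

  // Should an <a href=linkUrl> rendered in this context get :visited styling?
  isVisited(linkUrl, topLevelUrl, frameOrigin) {
    if (this.partitionedKeys.has(this.key(linkUrl, topLevelUrl, frameOrigin))) {
      return true;
    }
    // Self-links exception: when the link, the top-level site and the frame
    // all belong to the same site, that site already knows which of its own
    // pages the user has seen, so the unpartitioned record may be consulted.
    const selfLink =
      siteOf(linkUrl) === siteOf(topLevelUrl) &&
      siteOf(linkUrl) === siteOf(frameOrigin);
    return this.partitioned && selfLink && this.visitedAnywhere.has(linkUrl);
  }

  linkColor(linkUrl, topLevelUrl, frameOrigin) {
    return this.isVisited(linkUrl, topLevelUrl, frameOrigin) ? VISITED_STYLE : UNVISITED_STYLE;
  }
}

// Constructed scenario: the user clicks a link to bank.example/accounts while
// on bank.example. Later an unrelated page on tracker.example renders the same
// link and observes how it is styled.
function demo(partitioned) {
  const store = new VisitedLinkStore({ partitioned });
  const link = "https://bank.example/accounts";
  store.recordClick(link, "https://bank.example/", "https://bank.example");

  return {
    // Third-party page effectively asking "has this user been to the bank?"
    onTracker: store.linkColor(link, "https://tracker.example/", "https://tracker.example"),
    // A bank.example iframe embedded in the tracker page: top-level site differs.
    inBankFrameOnTracker: store.linkColor(link, "https://tracker.example/", "https://bank.example"),
    // The bank's own site (different subdomain), where the self-links exception applies.
    onBank: store.linkColor(link, "https://www.bank.example/", "https://www.bank.example"),
  };
}

console.log("legacy:     ", demo(false));
console.log("partitioned:", demo(true));
```

With the legacy store every context sees the link as visited, which is exactly the cross-site signal history-sniffing attacks measured. With partitioning enabled the tracker page and the cross-site iframe both see an unvisited link, while the bank’s own pages still get the visited indicator through the self-links exception.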
How to Enable the Feature Before Chrome 136
Although full deployment is expected with Chrome 136, users on versions 132 through 135 can manually enable the feature by navigating to:
chrome://flags/#partition-visited-link-database-with-self-links
Set the flag to “Enabled” to turn on the new isolation system. Note, however, that the feature is still experimental and may not behave consistently across all websites or use cases.
As of now, competing browsers such as Firefox and Safari offer partial protections, such as restricting style changes and script access, but do not implement the same kind of partitioning, leaving some room for sophisticated attacks. If widely adopted, Chrome’s new approach may set a new benchmark in browser privacy.