Google is set to enhance Chrome’s security by closing a 23-year-old loophole with version 136. This update targets a vulnerability that previously allowed malicious entities to explore users’ browsing histories undetected.
Introducing :Visited Link Partitioning
A first among major browsers, Chrome’s upcoming “:visited link partitioning” feature is designed to shore up privacy protections by eliminating a ubiquitous security risk that has troubled web browsers since the inception of CSS.
The Legacy of The Purple Link
The CSS :visited selector traditionally styles links that users have already clicked, usually coloring them purple. However, this standard practice has concealed a significant security flaw for decades, with security researchers continually highlighting the risk.
Prior implementations enabled websites to verify if a visitor had clicked specific URLs by observing if links appeared as “visited,” thus potentially exposing the user’s browsing history across various websites.
How Chrome’s Partitioning Solution Enhances Security
Chrome’s partitioning method significantly enhances security by associating visited links with their originating context. Instead of a single global history list, Chrome will now segregate visited links by the following criteria:
- URL of the link
- Top-level site origin
- Frame origin
This restructuring means that a link will only appear as “visited” if the user has engaged with it on the same site previously, effectively neutralizing the risk of cross-site history leakage while retaining the benefits of the :visited styling.
Exceptions for Self-Links
To ensure usability, Chrome introduces an exception for self-links, allowing sites to label their own subpages as visited regardless of the access route. This adjustment presents no additional privacy risks as websites possess alternative methods to track subpage visits.
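The partitioned lookup and the self-link exception described above can be sketched as a small model. This is an added example, not Chrome's code: the class, its method names and the .example hostnames are hypothetical, "site" is approximated by URL origin, and the self-link rule is simplified to link, frame and top-level page sharing one origin.

```javascript
// Simplified model of :visited matching; an added illustration, not Chrome's code.
// Assumption: "site" is approximated by URL origin (browsers use scheme + registrable domain).
const originOf = (url) => new URL(url).origin;
const hrefOf = (url) => new URL(url).href;

class VisitedLinkModel {
  constructor() {
    this.globalHistory = new Set(); // legacy: one list shared by every site
    this.partitioned = new Set();   // keyed by (link URL, top-level site, frame origin)
  }
  static key(link, top, frame) {
    return JSON.stringify([hrefOf(link), originOf(top), originOf(frame)]);
  }
  // User clicked `link` inside a frame at `frame`, on a page whose top-level URL is `top`.
  recordClick(link, top, frame) {
    this.globalHistory.add(hrefOf(link));
    this.partitioned.add(VisitedLinkModel.key(link, top, frame));
  }
  // Any other route (typed URL, bookmark): no click context to record.
  recordDirectVisit(url) { this.globalHistory.add(hrefOf(url)); }

  legacyMatch(link) { return this.globalHistory.has(hrefOf(link)); }

  partitionedMatch(link, top, frame) {
    // Self-link exception, modelled as: link, frame and top-level page share one origin.
    const selfLink = originOf(link) === originOf(top) && originOf(frame) === originOf(top);
    if (selfLink && this.globalHistory.has(hrefOf(link))) return true;
    return this.partitioned.has(VisitedLinkModel.key(link, top, frame));
  }
}

// Constructed scenario; all hostnames are placeholders.
function runScenario() {
  const m = new VisitedLinkModel();
  const bank = "https://bank.example/login", news = "https://news.example/";
  const other = "https://other.example/", cart = "https://shop.example/cart";
  m.recordClick(bank, news, news);   // clicked on news.example, top-level frame
  m.recordDirectVisit(cart);         // typed into the address bar
  return {
    legacyCrossSite: m.legacyMatch(bank),                   // true: history leaks
    sameContext: m.partitionedMatch(bank, news, news),      // true
    crossSite: m.partitionedMatch(bank, other, other),      // false
    thirdPartyFrame: m.partitionedMatch(bank, news, other), // false: frame origin differs
    selfLink: m.partitionedMatch(cart, "https://shop.example/", "https://shop.example/"), // true
    selfLinkElsewhere: m.partitionedMatch(cart, other, other), // false
  };
}
console.log(runScenario());
```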
With version 136, Chrome not only pioneers a comprehensive solution to a long-standing security problem but also sets a new standard in balancing web compatibility with robust user privacy protections.
Last Updated: April 8, 2025