Google’s latest update to its Chrome browser, version 136, signifies a pivotal advancement in user privacy protection. For over twenty years, a subtle yet significant vulnerability existed in how browsers handled visited links, potentially exposing users’ browsing histories to malicious entities.
The issue stemmed from the CSS :visited selector, which changes the appearance of links once clicked. While beneficial for user navigation, this feature inadvertently allowed websites to detect if a user had previously visited certain links by observing the styling changes. This loophole opened doors for potential privacy breaches, enabling sites to compile portions of a user’s browsing history without consent.
Implementing Triple-Key Partitioning
Chrome 136 addresses this vulnerability by implementing a triple-key partitioning system. This method ensures that the visited status of a link is determined by a combination of:
- The actual link URL
- The top-level site (e.g., example.com)
- The origin of the frame displaying the content
If all three don’t match, the browser treats the link as unvisited, eliminating the effectiveness of style-based history probing.
Enhancing Usability with Self-Links Exception
To maintain usability for legitimate site navigation, Chrome introduces a “self-links” exception. This allows websites to maintain the visited styling for their internal links, even if accessed from external sources. For instance, if a user visits a page on Wikipedia from another site, links to other Wikipedia pages will still appear as visited. This ensures that users can benefit from visual cues when navigating within a site without compromising their privacy.
Setting a New Standard for Browser Security
This development not only enhances Chrome’s privacy features but also sets a new standard for browser security. By effectively closing a decades-old loophole, Google reaffirms its commitment to safeguarding user data and privacy in an increasingly interconnected digital landscape.
Note: For users eager to benefit from this privacy enhancement before the official rollout, Chrome offers an experimental feature that can be enabled manually. Navigate to chrome://flags/#partition-visited-link-database-with-self-links and enable the feature. Please be aware that as this is an experimental setting, it may not function as expected in all situations.
