
With Chrome 136, Google will fix a privacy flaw that dates back to the 2000s


In May 2002, Mozilla engineer David Baron reported a privacy flaw in the web platform itself. It lies in the browser's :visited CSS pseudo-class, which lets a page style hyperlinks the user has already visited, that is, links whose URL appears in the browsing history. The styling helps navigation by showing the user which pages they have already read; it is why visited links are traditionally colored purple rather than blue.

Browsing history at risk since the 2000s

Unfortunately, the feature was abused in so-called history sniffing attacks, in which a site used the selector to learn which other sites the user had visited. A page could embed a large number of links to other sites and use the :visited pseudo-class to check whether each one had already been visited. Because browsers applied a different style (for example a different text color) to visited links, a script could read back the computed color of each link and infer whether the user had been there. Part of the browsing history could thus be reconstructed without the user's consent.

Jeremiah Grossman, security researcher and founder of WhiteHat Security, was among the first to publicize the flaw in 2006, demonstrating how a site could use CSS and JavaScript to detect which links a user had visited. Despite the warnings from researchers, Google long declined to fix the issue in Chrome, the world's most widely used browser, repeatedly stating that the problem "cannot be fixed": Google considered the bug inextricably tied to the way the web works. Several browsers, Firefox first, shipped mitigations (restricting which CSS properties :visited may change, and returning the unvisited style to scripts that query a link's computed style), but these only raise the cost of the attack. Google itself notes that such measures "slow down attacks, they do not eliminate them."

Google is preparing to fix the flaw

More than 20 years after the first disclosure, Google is finally taking the problem seriously and fixing the flaw. In a blog post published on April 2, 2025, the Mountain View company acknowledges that there has been "an increasing number of attacks" exploiting the CSS :visited selector over time, which is why it finally agreed to address a bug that has been "affecting the web for over 20 years."

Specifically, Chrome is changing how it tracks links the user has already visited. Until now, the :visited selector relied on a single list of visited URLs shared by every site. The result: once a user had visited an address, any site could find out simply by displaying a link to that same address and checking how it was styled. From now on, Chrome partitions the storage of visited links. Partitioning "protects your history by only showing a link as visited if you've already clicked on it from the same site," Google explains.

If you "have never interacted with this site before, its links will not be styled." A link is marked as visited only when it appears in the same context in which it was originally clicked: the same link URL, on the same top-level site, in the same frame. Displayed anywhere else, it is treated as a new link, even if the user has already been to that page. Partitioning means storing "visited links with information about the precise location where they were clicked," such as the site and the frame it was shown in. A third-party site therefore no longer sees which links the user has visited elsewhere.

An exception to the new rule

In order to "improve the user experience", Google says it has made an exception for a site's links to its own pages. A site may show its own links as visited even if the user never clicked them in that specific context. This gives nothing away, since sites "have other methods of knowing whether a user has visited its subpages, so no new information is provided."
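The following model, written for this article and not taken from Chrome's source, shows the difference between the legacy global history list and the partitioned store described in the three paragraphs above, including the self-link exception. It simulates the history-sniffing attack against both designs; in a real page the attacker would read each link's computed color rather than query a store directly. The class and function names, the simplified site computation, and the browsing session are assumptions made for the illustration.

```javascript
// Added example: legacy global :visited store vs. a partitioned store keyed on
// (link URL, top-level site, frame origin), as Chrome 136 does. Names such as
// GlobalVisitedStore, PartitionedVisitedStore and siteOf are assumptions for
// this illustration, not Chrome internals.

// Reduce a URL to its "site" (scheme + registrable domain). A real browser uses
// the public-suffix list; this simplified version keeps the last two labels of
// the hostname, which is enough for the constructed sample data below.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  const host = labels.length > 2 ? labels.slice(-2).join('.') : u.hostname;
  return `${u.protocol}//${host}`;
}

// Legacy behaviour: one global set of visited URLs shared by every page.
class GlobalVisitedStore {
  constructor() { this.visited = new Set(); }
  recordClick(linkUrl /* context ignored */) { this.visited.add(linkUrl); }
  isVisited(linkUrl /* context ignored */) { return this.visited.has(linkUrl); }
}

// Partitioned behaviour: a link is :visited only if it was clicked from the
// same (top-level site, frame origin) partition it is now displayed in.
// Exception: a site may style links to its own pages as visited if the user
// reached them from anywhere, since the site already knows that.
class PartitionedVisitedStore {
  constructor() {
    this.partitioned = new Set(); // "linkUrl|topLevelSite|frameOrigin"
    this.selfLinks = new Set();   // "linkUrl|site" for the self-link exception
  }
  static key(linkUrl, ctx) {
    return `${linkUrl}|${ctx.topLevelSite}|${ctx.frameOrigin}`;
  }
  recordClick(linkUrl, ctx) {
    this.partitioned.add(PartitionedVisitedStore.key(linkUrl, ctx));
    this.selfLinks.add(`${linkUrl}|${siteOf(linkUrl)}`);
  }
  isVisited(linkUrl, ctx) {
    if (this.partitioned.has(PartitionedVisitedStore.key(linkUrl, ctx))) return true;
    // Self-link exception: the link targets the very site displaying it, in a
    // same-site frame. A cross-site iframe does not qualify.
    const linkSite = siteOf(linkUrl);
    if (linkSite === ctx.topLevelSite && linkSite === siteOf(ctx.frameOrigin)) {
      return this.selfLinks.has(`${linkUrl}|${linkSite}`);
    }
    return false;
  }
}

// History sniffing: embed many candidate links and ask which render as visited.
function sniffHistory(store, ctx, candidateUrls) {
  return candidateUrls.filter((u) => store.isVisited(u, ctx));
}

// Constructed browsing session (sample data, not real traffic): the user clicks
// three links while on news.example.
const userCtx = { topLevelSite: 'https://news.example', frameOrigin: 'https://news.example' };
const clicks = [
  'https://bank.example/login',
  'https://forum.example/thread/42',
  'https://news.example/article/7',
];
const probes = [...clicks, 'https://shop.example/cart']; // last one never visited

// Replay the session into a store, then let evil.example probe it.
function runScenario(store) {
  for (const url of clicks) store.recordClick(url, userCtx);
  const attackerCtx = { topLevelSite: 'https://evil.example', frameOrigin: 'https://evil.example' };
  return {
    leakedToAttacker: sniffHistory(store, attackerCtx, probes),
    shownOnOriginSite: sniffHistory(store, userCtx, probes),
  };
}

// Self-link exception: news.example shows a link to its own article from a
// same-site frame the user never clicked in.
function selfLinkFromSameSiteFrame(store) {
  const ctx = { topLevelSite: 'https://news.example', frameOrigin: 'https://www.news.example' };
  return store.isVisited('https://news.example/article/7', ctx);
}

// No exception when the same link is shown inside a cross-site iframe.
function selfLinkInsideCrossSiteIframe(store) {
  const ctx = { topLevelSite: 'https://evil.example', frameOrigin: 'https://news.example' };
  return store.isVisited('https://news.example/article/7', ctx);
}

const legacy = runScenario(new GlobalVisitedStore());
const partitioned = runScenario(new PartitionedVisitedStore());
console.log('legacy leak:', legacy.leakedToAttacker);          // all three clicked URLs
console.log('partitioned leak:', partitioned.leakedToAttacker); // []
```

With the global store the attacker recovers every clicked URL; with the partitioned store it recovers none, while the originating site still sees its links styled as visited and the self-link exception applies only from a same-site frame.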

This change ships with Chrome version 136. Currently in beta, that release is expected to reach users as early as April 23, 2025. Google notes that "Chrome is the first browser to implement these protections for users."
