For over two decades, a subtle yet significant privacy vulnerability existed in web browsers, including Google Chrome. This issue allowed websites to infer users’ browsing histories by exploiting the styling of visited links through the CSS :visited selector.
With the release of Chrome 136, Google addresses this long-standing concern by implementing a robust solution: triple-key partitioning. This advancement marks a significant step forward in protecting user privacy online.
Understanding the Vulnerability
The :visited CSS selector enables browsers to style links differently once clicked, typically changing their color to indicate they have been visited. However, malicious websites could exploit this feature by embedding links and using scripts to detect if a user had previously visited certain sites, based on the styling changes. This technique, known as history sniffing, posed a considerable privacy risk.
Triple-Key Partitioning: A Robust Solution
Chrome 136 introduces triple-key partitioning, a method that determines the visited status of a link based on three parameters:
- Link URL: The specific address of the link.
- Top-Level Site: The domain displayed in the browser’s address bar.
- Frame Origin: The source of the content displaying the link.
By requiring all three parameters to match the context in which the link was originally clicked, Chrome effectively prevents cross-site history detection. This means that a link will only appear as visited if it was accessed within the same context, thwarting attempts by malicious sites to infer browsing history.
Balancing Privacy and Usability with Self-Links
Recognizing the importance of user experience, Chrome 136 includes a “self-links” exception. This allows websites to style their own internal links as visited, even if the user navigated to them from a different site. Since websites inherently know which of their pages a user has visited, this exception doesn’t introduce additional privacy concerns.
Implications for Web Privacy
Chrome’s implementation of triple-key partitioning sets a new standard for browser privacy. While other browsers like Firefox and Safari have implemented measures to mitigate similar risks, Chrome’s approach offers a more comprehensive solution. This update not only enhances user privacy but also reinforces Google’s commitment to building a safer web.
