New Chrome update to fix a long-standing bug in user privacy for visited links

It only took 20 years: Browsers have long exposed visited link history to malicious websites, enabling attackers to profile users or run phishing campaigns. By isolating link history with a new partitioning model, Chrome could close off an entire class of privacy attacks – potentially setting a new standard for safer web browsing.

Browsers have mishandled visited site tracking since the early days of the internet. Google is now working to fix the issue with Chrome. The browser’s next update will improve how it manages visited history, potentially rendering an entire class of exploits obsolete.

Google says Chrome 136 will be the first major browser to partition visited link history. Traditionally, the CSS “:visited” selector has let websites style visited links – typically changing them from blue to purple. Modern design enables far more customization, which attackers have exploited to extract users’ browsing history through side-channel attacks.

Cyber-criminals have exploited this issue by developing creative techniques to unmask users’ visited URL history, leading to serious security threats such as tracking, profiling, and phishing campaigns. Chrome 136 aims to shut down these exploits by restricting how websites apply styles through the visited selector.

The visited history has traditionally been unpartitioned, with no specific restrictions on where the selector could display previously clicked links. The new partitioning approach will ensure that a link appears as “visited” (default purple) only on the original site and within the frame where the user first clicked it.

Partitioning prevents cross-site leakage of visited link history, though Google plans to allow an exception for self-referencing links to preserve usability. The company also decided against fully deprecating the visited selector, arguing that it provides essential visual feedback for users.

Chrome 132 initially introduced partitioning as an experimental feature, and Google expects to enable it by default in Chrome 136. Other browsers have taken steps to prevent URL history leaks, but none have implemented partitioning or history isolation. If Chrome’s approach proves effective without degrading the user experience, rival browsers may adopt similar measures.