The Register

Chrome to patch decades-old flaw that let sites peek at your history

A 23-year-old side-channel attack for spying on people’s web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel.

At least that’s the hope.

The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously.

Websites commonly consist of HTML files that describe page structure, JavaScript files that contain code for interactivity, and CSS files that describe page styling.

CSS includes a pseudo-class – :visited – that can be applied to anchor (<a>) or area elements that have an href property (a link or URL).

When :visited is defined in a CSS file, the browser renders links to pages previously visited in the designated color, based on the presence of those links in the browser history file.

/* CSS code */
:visited { color: purple; }

Web publishers, and third parties capable of running scripts, have used this technique to present links on a web page to a visitor and then check how the visitor’s browser set the color for those links on the rendered web page.

When this technique first emerged, this could be done by including a script on the page that iterates through all the links on the page using the browser’s window.getComputedStyle method and records the color used to render each one. If the page included a link that the visitor’s browser rendered in purple, the site owner or script provider would learn that the visitor had been to that link’s destination.

The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed.

“These attacks can reveal which links a user has visited and leak details about their web browsing activity,” explained Kyra Seevers, Google software engineer, in a blog post on Wednesday. “This security problem has plagued the web for over 20 years, and browsers have deployed various stop-gaps to mitigate these history detection attacks. While the attacks are slowed down by these mitigations, they are not eliminated.”

Chrome 136, due to see stable channel release on April 23, 2025, “is the first major browser to render these attacks obsolete,” said Seevers.

This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as “won’t fix.”

David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002. This was a few months after security researcher Andrew Clover posted a proof-of-concept attack to the Bugtraq mailing list, citing the paper “Timing Attacks on Web Privacy” [PDF] from Princeton researchers Edward Felten and Michael Schneider in 2000.

It took about eight years for people to realize that link color inferences presented a serious privacy problem. Around April 11, 2009, a now-vanished website called StartPanic was published. It demonstrated how a visitor’s browsing history could be inferred from the colors of web links and urged the visitor to petition Apple, Microsoft, Mozilla, and Opera to patch the privacy problem.

Around February 21, 2010, another since-abandoned website called haveyourfriendsbeenthere.com appeared, advertising itself as a way to “See what naughty websites your friends have been looking at!”

On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations.

Three weeks later, Mozilla published its own post, noting that the difference in the default colors for visited (color: #551A8B;) links and unvisited (color: #0000EE;) links can be read by websites displaying web links.

The attack involves evaluating the CSS :visited pseudo-class, which can be done in a variety of ways, including the window.getComputedStyle method, direct DOM inspection, making inferences from user interaction like click and hover events, and other means.

The Firefox maker committed to implementing the defenses outlined by Baron, aiming to address layout, timing, and computed style-based attacks. For example, the window.getComputedStyle method would lie, returning the same value whether or not a link had been visited.

In May 2010, a paper by researchers Artur Janc and Lukasz Olejnik, which explored how Cascading Style Sheets (CSS) could be abused for browser history detection, was presented at the Web 2.0 Security and Privacy 2010 workshop in Oakland, California.

Yet a year later, it was clear there was still work to be done. In a 2011 paper [PDF] titled “I Still Know What You Visited Last Summer,” researchers from Carnegie Mellon University demonstrated six history sniffing exploits that bypassed the mitigations proposed by Baron.

Many years without privacy followed. Given all that has happened since then in terms of location history and the privacy implications of location data from mobile devices, it’s perhaps understandable how browser history privacy got pushed to the back burner. But finally, a fix is at hand.

On April 1, Olejnik published an update to his blog, hailing the anticipated resolution of this long-standing privacy gap. “A new solution has been proposed: partitioning visited link history,” he explained. “This approach fundamentally changes how browsers store and expose visited link data. Instead of maintaining a global list, web browsers will store visited links with a triple-key partition.”

These keys – the link URL, the top-level domain of the website, and the origin of the frame rendering the link – all need to match in order for a link to be styled with the :visited CSS selector.

The partitioning mechanism thus prevents websites from assessing the visited status of other sites because their respective domains do not match.

“In brief, partitioning refers to storing your links with additional information about where they were clicked,” explains Seevers. “In Chrome, this is: link URL, top-level site, and frame origin. With partitioning enabled, your :visited history is no longer a global list that any site can query. Instead, your :visited history is ‘partitioned’ or separated by the context where you visited that link from in the first place.”
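As an added illustration (not Chrome's code, nor anything from the article), the following JavaScript toy model contrasts the old global visited-link list with the triple-key partition described above; the link URL, the site and origin strings, and the "visit" events are all constructed, and a top-level site is represented simply as a scheme-plus-host string.

```javascript
// Added example, not Chrome's implementation: a toy model of triple-key
// :visited partitioning next to the old global list. All URLs, sites, origins
// and visit events below are constructed for the demonstration.
const VISITED_COLOR = "#551A8B";   // default visited colour quoted in the article
const UNVISITED_COLOR = "#0000EE"; // default unvisited colour quoted in the article

// Old model: one global set of visited URLs, queried by every page alike.
class GlobalVisitedLinks {
  constructor() { this.visited = new Set(); }
  recordVisit(linkUrl) { this.visited.add(linkUrl); }
  isVisited(linkUrl) { return this.visited.has(linkUrl); }
}

// New model: a visit is stored under (link URL, top-level site, frame origin)
// and only a lookup in which all three keys match can see it.
class PartitionedVisitedLinks {
  constructor() { this.visited = new Set(); }
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([linkUrl, topLevelSite, frameOrigin]);
  }
  recordVisit(linkUrl, topLevelSite, frameOrigin) {
    this.visited.add(PartitionedVisitedLinks.key(linkUrl, topLevelSite, frameOrigin));
  }
  isVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.visited.has(PartitionedVisitedLinks.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// The colour a page could observe for a link under either model.
function linkColor(isVisited) { return isVisited ? VISITED_COLOR : UNVISITED_COLOR; }

// Scenario: the user clicks https://bank.example/login from the top frame of
// news.example; later, other contexts render a link to that same URL.
function demo() {
  const target = "https://bank.example/login";
  const global = new GlobalVisitedLinks();
  const part = new PartitionedVisitedLinks();
  global.recordVisit(target);
  part.recordVisit(target, "https://news.example", "https://news.example");
  return {
    // Old behaviour: every site, including an unrelated tracker, sees purple.
    globalFromTracker: linkColor(global.isVisited(target)),
    // Same site, same frame origin: the link is still styled as visited.
    sameContext: linkColor(part.isVisited(target, "https://news.example", "https://news.example")),
    // A different top-level site gets the unvisited colour, so nothing leaks.
    otherSite: linkColor(part.isVisited(target, "https://tracker.example", "https://tracker.example")),
    // Same top-level site, but rendered inside a third-party iframe: frame origin differs.
    otherFrame: linkColor(part.isVisited(target, "https://news.example", "https://ads.example")),
  };
}
```

Only the context in which the link was originally clicked sees the visited colour; a page that merely embeds the same URL learns nothing it did not already know.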

Olejnik said this approach shows the evolution of browser architecture.

“It breaks the decades-long arms race between privacy engineers and attackers,” he said. “This marks a major step forward in building a more private and respectful web for all users.”

Well, that may be overstating the willingness of ad and AI firms, Google among them, to moderate their data gathering, but we can hope. ®
