A recent security update for the Chrome browser has addressed a vulnerability related to how browsing history is handled, a flaw that has persisted for over two decades. This "history leak bug" potentially allowed websites to discern a user's browsing history without explicit permission, raising significant privacy concerns. The update, rolling out with Chrome version 136, introduces a new mechanism called ":visited link partitioning" to mitigate this risk.
The core of the issue stemmed from the way Chrome, and indeed most web browsers, traditionally handled visited links. Browsers style links with CSS so users can see which ones they have already visited. This is done through the ":visited" pseudo-class, which lets developers change the color of visited links, usually to purple. The flaw was that this visited-link information was not isolated between different websites. If a user visited "Site B" from "Site A," a malicious website ("Site Evil") could detect that visit simply by checking how a link pointing to "Site B" was styled. This technique, known as "browser history sniffing," has been a known problem for many years; various mitigations were implemented over time, but none of them completely solved the underlying issue.
Google characterizes this as a core design flaw where browser cookies indicating whether or not you click on a link were "unpartitioned." This meant that if you clicked a link, it would show as visited on every website displaying that link, even if it was completely unrelated.
Chrome's new approach, :visited link partitioning, fundamentally alters how visited links are tracked and managed. Instead of maintaining a global list of visited links accessible to any website, Chrome will now store each visited link with contextual details such as the link URL, the top-level site, and the frame origin. This ensures that a link is only identified as "visited" within the specific context where it was actually clicked. In the previous example, "Site Evil" would no longer be able to determine if the user had visited "Site B" from "Site A," as the visited status would be specific to the "Site A" context.
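To make the difference concrete, the following is an added example (not Chromium code and not from Google's announcement) that models the two storage designs described above with the article's Site A / Site B / Site Evil scenario. The origins `site-a.example`, `site-b.example` and `site-evil.example` are constructed sample values, and "site" is approximated by the origin string; a real browser keys on scheme plus registrable domain. The class names and the `tripleKey` helper are assumptions made for the illustration.

```javascript
// Constructed sample origins (assumptions, not taken from the article).
const SITE_A = "https://site-a.example";
const SITE_B = "https://site-b.example";
const SITE_EVIL = "https://site-evil.example";
const LINK_TO_B = SITE_B + "/page";

// Pre-partitioning model: one global set keyed only by the link URL.
// Any page that renders a link to that URL sees it styled as visited.
class UnpartitionedVisitedStore {
  constructor() { this.visited = new Set(); }
  recordClick(linkUrl) { this.visited.add(new URL(linkUrl).href); }
  isVisited(linkUrl) { return this.visited.has(new URL(linkUrl).href); }
}

// Chrome 136 model: each entry is a triple (link URL, top-level site, frame origin).
// "Site" is approximated here by the origin; real browsers use scheme + eTLD+1.
function tripleKey(linkUrl, topLevelSite, frameOrigin) {
  return JSON.stringify([
    new URL(linkUrl).href,
    new URL(topLevelSite).origin,
    new URL(frameOrigin).origin,
  ]);
}

class PartitionedVisitedStore {
  constructor() { this.visited = new Set(); }
  // A click is recorded together with the context in which it happened.
  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.visited.add(tripleKey(linkUrl, topLevelSite, frameOrigin));
  }
  // The link is only "visited" when queried from the same context.
  isVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.visited.has(tripleKey(linkUrl, topLevelSite, frameOrigin));
  }
}

// Replays the article's scenario against both models and returns what each
// rendering context would observe for the same link to Site B.
function runScenario() {
  const legacy = new UnpartitionedVisitedStore();
  const partitioned = new PartitionedVisitedStore();

  // The user clicks the link to Site B while on Site A's top-level page
  // (no iframe, so frame origin equals the top-level site).
  legacy.recordClick(LINK_TO_B);
  partitioned.recordClick(LINK_TO_B, SITE_A, SITE_A);

  return {
    // Old behaviour: Site Evil sees the link as visited too.
    legacyOnSiteEvil: legacy.isVisited(LINK_TO_B),
    // New behaviour: only Site A's own context sees the visited state.
    partitionedOnSiteA: partitioned.isVisited(LINK_TO_B, SITE_A, SITE_A),
    partitionedOnSiteEvil: partitioned.isVisited(LINK_TO_B, SITE_EVIL, SITE_EVIL),
    // Even a Site A frame embedded inside Site Evil is a different context,
    // because the top-level site in the key differs.
    partitionedInFrameOnEvil: partitioned.isVisited(LINK_TO_B, SITE_EVIL, SITE_A),
  };
}

console.log(runScenario());
```

The last case shows why the key includes both the top-level site and the frame origin: an attacker embedding a page from Site A inside its own top-level page would otherwise inherit Site A's visited state, so the partition must change whenever either component of the context changes.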
The implications of this update are significant. By isolating browsing history in this way, Chrome 136 effectively eliminates a long-standing privacy risk. Malicious websites can no longer exploit the ":visited" CSS pseudo-class to infer a user's browsing habits, preventing potential exposure of sensitive information related to health, finances, or political views.
It is worth noting that this particular vulnerability has been a known issue for a considerable time. Bug reports related to this have existed in Chromium's issue tracker for years. The fact that Google has now addressed this issue head-on demonstrates a renewed commitment to user privacy and security.
While previous mitigations slowed down history detection attacks, they did not eliminate them. Chrome 136's new system renders these attacks obsolete. According to Google, this update is a defining moment for browser security. The company is committed to building a safer web for everyone.
Users are encouraged to update to Chrome 136 to take advantage of this enhanced privacy protection. The update is currently available through the Chrome Beta channel and is expected to roll out to the stable channel soon. Keeping your browser up to date is essential for maintaining a secure browsing experience and protecting your privacy online.