For almost 20 years, all web browsers have suffered from a privacy issue that can leak your browsing history. Thankfully, Google is leading the charge to render this issue obsolete.

Chrome Fixes Cross-Site Leaks

Every time you visit a site in Chrome (or a Chromium-based browser), the browser styles its links with a “:visited” flag that makes them appear purple in search results. This is a nice visual indicator to remind you that you’ve been somewhere before.

However, the browser renders this color change regardless of the site you’re on when you click the link. This allows other websites to write creative JavaScript and steal your browsing history, even if you’ve made your browser more private.

The problem predates Chrome and has caused leaks for over 20 years, with browsers rolling out various fixes to mitigate the risk.

Google’s Kyra Seevers explained more in a blog post announcing the new update. For example, Firefox limits which CSS styles can be applied to sites marked “:visited” and blocks JavaScript from reading them. Safari uses features like Intelligent Tracking Prevention to mitigate the risk, but neither of these solutions blocks all attacks.

Related

I Can’t Leave Google Chrome, So This Is How I Protect My Privacy

If you’re locked into Google Chrome, there are a few ways you can protect your privacy.

Starting from its next release, version 136, Chrome is the “first major browser to render these attacks obsolete.” This is achieved by dividing the “:visited” link history into three parts. Going forward, instead of storing link visits globally, Chrome will divide each visited link using the following three keys:

1. Link URL
2. Top-Level Site
3. Frame Origin

This division ensures that a link will only appear as visited on the same site and in the same frame origin (meaning the page where you clicked the link) where you previously clicked it. There is a “self-links” exception, meaning visited links of a site will be marked accordingly, even if you click them from a different site.

In other words, a link will only be displayed as “:visited” if you’re on a site where you’ve clicked that link before. This prevents malicious websites from tracking your browser history by mapping out all sites marked as visited by the browser.

Start Protecting Yourself Now

Chrome Version 136 hasn’t rolled out to the public at the time of writing, but the feature has been in Chrome as an experimental flag since version 132. To enable it, follow these steps:

1. Copy and paste the following address in Chrome’s URL bar: chrome://flags/#partition-visited-link-database-with-self-links
2. Set the flag to Enabled.

The feature isn’t stable yet, so it might not work as expected on all websites and might even break a few pages that try to access your browsing history. Starting from version 136, it’ll be enabled by default. The old functionality won’t be completely deprecated, though—Google claims removing it will erase valuable user interface clues.

If you’re using a Chromium-enabled browser, you’re likely going to have to wait for the feature to arrive. In the meantime, you can copy-paste the URL above to check if your browser supports the feature.