Google Chrome fixes browsing history leaks by purple “visited” links


When you click a link, it turns purple. However, this neat feature has been leaking browsing history data for decades – that is, until the next Chrome version, 136, rolls out.

Google Chrome version 136, currently in beta, prevents bad actors from tracking internet users’ browsing history using “purple link” exploits involving the “:visited” CSS selector.

Previously, malicious websites could use this selector to check styles and determine if a user had clicked on certain links, effectively leaking private browsing history.

“Purple links” have been around for over 20 years, and attackers have abused this security problem, bypassing the various stop-gaps that browsers previously deployed.

A simple example attack would be including a link on a malicious website and then checking if it turned “purple” for the visitor.

“To eliminate user browsing history leaks, anchor elements are styled as “:visited” only if they have been clicked from this top-level site and frame origin before,” Google announced.

This means that only the website you visited can know if you’ve clicked on any of its links. This will eliminate the browsing history leakage, enhancing privacy and security online.

How will it appear on the websites you visit?

If you go to website A and click on some links, say, to website B, the links you clicked will turn purple when you come back to website A. However, if the same links are present elsewhere, say, on malicious sites, they will remain blue.

This is accomplished by partitioning the link history – Chrome will save the combination of “Site A + Site B.” Only the top-level domain and frame origin will see if a certain link has been visited.

“Since there’s no browsing history displayed on Site Evil, it can’t take advantage of any exploits. Therefore, your browser history is safe!” a Google Chrome developer blog post reads.

There is one exception – websites can see if a user has “visited” any of the pages on the same domain. For example, if you click some Wikipedia links from some third-party website, these links will turn purple when you see them on Wikipedia.


“Since sites can already track visits to their own pages, this change doesn't reveal any new information,” the blog post explains.

“This exception only applies to a site’s own subpages, not to links to third-party sites or iframes.”
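The partitioning and the self-link exception described above can be modelled in a few lines. This is an added illustration, not Chrome's code: the class, function names and `.example` URLs are constructed, and the "site" calculation is a simplifying assumption.

```javascript
// Added illustration: a simplified model of a partitioned visited-link store.
// This is not Chrome's code; all names and the .example URLs are constructed.
// Assumption: a "site" is scheme + last two host labels. Real browsers derive
// it from the Public Suffix List.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Partition key: the link plus the context it was clicked or displayed in.
function partitionKey(linkUrl, topLevelUrl, frameUrl) {
  return JSON.stringify([new URL(linkUrl).href, siteOf(topLevelUrl), new URL(frameUrl).origin]);
}

class VisitedLinkStore {
  constructor() {
    this.unpartitioned = new Set(); // old behaviour: one global list of URLs
    this.partitioned = new Set();   // new behaviour: one entry per context
  }

  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.unpartitioned.add(new URL(linkUrl).href);
    this.partitioned.add(partitionKey(linkUrl, topLevelUrl, frameUrl));
    // Self-link exception: the destination site already sees visits to its own pages.
    this.partitioned.add(partitionKey(linkUrl, linkUrl, linkUrl));
  }
  // Old behaviour: any page displaying the link gets :visited styling.
  legacyIsVisited(linkUrl) {
    return this.unpartitioned.has(new URL(linkUrl).href);
  }
  // New behaviour: styled only if clicked from this top-level site and frame.
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.partitioned.has(partitionKey(linkUrl, topLevelUrl, frameUrl));
  }
}

function demo() {
  const store = new VisitedLinkStore();
  const link = 'https://site-b.example/article';
  store.recordClick(link, 'https://site-a.example/', 'https://site-a.example/');
  return {
    legacyOnEvil: store.legacyIsVisited(link),
    onSiteA: store.isVisited(link, 'https://site-a.example/home', 'https://site-a.example/home'),
    onEvil: store.isVisited(link, 'https://site-evil.example/', 'https://site-evil.example/'),
    evilFrameOnA: store.isVisited(link, 'https://site-a.example/', 'https://site-evil.example/ad'),
    onSiteB: store.isVisited(link, 'https://site-b.example/', 'https://site-b.example/'),
  };
}
```

After one click from Site A to Site B, the unpartitioned lookup reports the link as visited to any page, while the partitioned lookup matches only on Site A and on Site B itself, not on Site Evil or in a Site Evil frame embedded on Site A.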

It will take a few weeks for Chrome to be promoted from the beta channel to stable. If you don’t want to wait, the new feature can be enabled by changing the Chrome flag “Partition the Visited Link Database, including 'self-links.'” Enter chrome://flags/#partition-visited-link-database-with-self-links in the address bar to access it.

Chrome is the first browser to implement these protections. Other browsers are likely to follow.
