Google Chrome 136 Update Stops Websites from Tracking Your Browsing History


Google has finally addressed a major privacy flaw in its Chrome browser that allowed websites to track a user’s browsing history. This issue, which has existed for more than 20 years, is now being resolved with the release of Chrome version 136.

The flaw is connected to how web browsers display visited links. When a user clicks on a link, browsers typically change its color—usually from blue to purple. This visual change is triggered by the CSS :visited selector, and while it improves user experience, it has also posed a significant privacy risk.

What Was the Privacy Problem?

The problem came from how websites could use the :visited CSS selector to detect which links a user had previously clicked—even if they were on a completely different website. This allowed malicious websites to run scripts that “probe” a user’s browser to find out what sites they’ve visited in the past.

This technique can be used to silently build a detailed profile of someone’s browsing habits, all without their consent or knowledge. It’s not just a theoretical issue—security researchers have shown that this vulnerability can be exploited through multiple types of attacks:

  • Timing attacks: Measure how long it takes to apply a style to detect visited links.

  • Pixel-based attacks: Use slight changes in rendering to detect styled links.

  • User interaction attacks: Trick users into interacting with links to confirm their history.

  • Process-level attacks: Use browser processes to gather sensitive data.

These methods have made it possible for advertisers, trackers, and potentially cybercriminals to collect users’ browsing histories. This poses serious concerns related to online privacy, data security, and even phishing attacks.

Chrome 136 Introduces a Robust Fix

Google’s solution in Chrome 136 is known as “triple-key visited link partitioning.” This method ensures that the browser only remembers visited links within the specific context they were clicked.

Here’s how the new system works:

  • Chrome will now store visited links using three key factors:

    • The URL of the link itself

    • The top-level site (the site shown in the address bar)

    • The origin of the frame where the link appears

This change means that a link will only appear as visited within the exact same website and context in which it was originally clicked. As a result, websites can no longer detect visited links from other sites—effectively blocking cross-site history leaks.

Why Not Remove :visited Completely?

Some might wonder why Google didn’t just remove the :visited feature altogether. According to the Chrome development team, doing so would negatively impact the user experience (UX). Visited links help users navigate websites more easily by showing them which pages they’ve already seen.

Instead of removing the feature, Google chose a more sophisticated fix that balances privacy with usability.


Self-Link Exception for Better Usability

To keep things convenient for users, Google added a “self-links” exception. This means that if you visit a page on a website, that link will still appear as visited when you’re browsing other parts of the same site—even if you originally clicked it from somewhere else.

This exception doesn’t create new privacy issues because the website already knows you visited its pages. It’s a smart compromise that preserves user functionality while still improving privacy protections.
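The lookup rule described above, including the self-link exception, can be sketched as a small model. This is an added example, not Chrome's code: `PartitionedVisitedLinks`, `siteOf` and the `.example` domains are hypothetical, and "site" is approximated as the scheme plus the last two host labels.

```javascript
// Simplified model of triple-key visited-link partitioning (not Chrome's code).
// Assumption: "site" = scheme + last two host labels; real browsers use
// the Public Suffix List to find the registrable domain.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

class PartitionedVisitedLinks {
  constructor() {
    this.entries = new Set();    // triple-keyed visit records
    this.navigated = new Set();  // every URL the user has actually loaded
  }

  static key(linkUrl, topLevelUrl, frameUrl) {
    return JSON.stringify([new URL(linkUrl).href, siteOf(topLevelUrl), new URL(frameUrl).origin]);
  }

  // The user clicked linkUrl inside a frame (frameUrl) on a page (topLevelUrl).
  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.entries.add(PartitionedVisitedLinks.key(linkUrl, topLevelUrl, frameUrl));
    this.navigated.add(new URL(linkUrl).href);
  }

  // Should linkUrl be styled :visited when rendered in this context?
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    if (this.entries.has(PartitionedVisitedLinks.key(linkUrl, topLevelUrl, frameUrl))) return true;
    // Self-link exception (modelled as an assumption): the page and frame showing
    // the link belong to the same site as the link, which already saw the visit.
    const selfLink = siteOf(linkUrl) === siteOf(topLevelUrl) &&
                     siteOf(linkUrl) === siteOf(frameUrl);
    return selfLink && this.navigated.has(new URL(linkUrl).href);
  }
}

// Constructed scenario: one click on a bank link from a news site.
function demo() {
  const store = new PartitionedVisitedLinks();
  const link = 'https://bank.example/login';
  store.recordClick(link, 'https://news.example/', 'https://news.example/');
  return {
    sameContext: store.isVisited(link, 'https://news.example/story', 'https://news.example/story'),
    otherSite: store.isVisited(link, 'https://tracker.example/', 'https://tracker.example/'),
    embeddedFrame: store.isVisited(link, 'https://news.example/', 'https://tracker.example/widget'),
    selfLink: store.isVisited(link, 'https://bank.example/', 'https://bank.example/'),
    neverVisited: store.isVisited('https://bank.example/transfer', 'https://bank.example/', 'https://bank.example/'),
  };
}

console.log(demo());
```

Only the original context and the visited site itself see the link as visited; an unrelated top-level site or a cross-origin frame embedded on the original page gets no signal.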

When Will the Fix Be Available?

The new feature was first introduced as an experimental option in Chrome version 132. However, starting with Chrome 136, this privacy protection will be enabled by default for all users.

If you’re currently using Chrome versions 132 to 135 and want to activate the feature early, you can do so manually:

  1. Open Chrome and type the following in the address bar:
    chrome://flags/#partition-visited-link-database-with-self-links

  2. Set the flag to “Enabled.”

  3. Restart your browser.

Keep in mind that the feature may not work perfectly in all cases while it’s still experimental.

What About Other Browsers?

While Chrome is now leading the way in solving this issue, other major browsers are still lagging behind:

  • Firefox: Applies limitations on styling visited links and blocks JavaScript from reading them. However, it doesn’t use link partitioning, so some attack vectors remain.

  • Safari: Uses strong privacy protections like Intelligent Tracking Prevention (ITP), but still lacks partitioning for :visited links, leaving some risks on the table.

Google’s move to fully isolate visited link data sets a new standard for browser privacy, and other browser vendors may soon follow suit.


Conclusion

The release of Chrome 136 marks a major step forward in improving web privacy and user security. By fixing a two-decade-old flaw, Google is helping to protect users from silent tracking and potential misuse of their online history.

As digital privacy becomes more important than ever, improvements like this show how browser developers can evolve to meet modern security needs without sacrificing usability.

For best protection, users should always keep their browsers up to date and be cautious when visiting unfamiliar websites.
