Google is finally closing a long-standing privacy loophole in Chrome that has allowed websites to determine users’ browsing history through styled :visited links.
The vulnerability, active for over two decades, has been exploited by malicious actors to track users across websites.
This issue stems from how browsers display previously visited links in a different color, regardless of the site where they were first clicked. While visually helpful, this behavior allowed clever scripts to check which links were styled as visited, leaking sensitive browsing history.

With Chrome 136, Google is implementing triple-key partitioning for visited links. Now, visited status will only apply if all three match: the link URL, the top-level site, and the frame origin. This change effectively prevents cross-site tracking by isolating visited states per context.
To balance privacy and user experience, Chrome will still allow “self-links” to show visited status within the same site, even if clicked elsewhere. Google rejected fully removing the :visited selector, as it provides important UX cues, and also ruled out permissions-based alternatives due to potential abuse.
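
The lookup rule described above, sketched as an added example (a simplified model written for this article, not Chrome's source code). It assumes a "site" can be approximated by the URL origin, and it models the self-link exception as applying only when the link, the frame and the top-level page all belong to the same site; the class and method names are hypothetical.

```javascript
// Simplified model of visited-link lookup (constructed example, not Chrome source).
// Assumption: a "site" is approximated by the URL origin; real browsers use
// scheme + registrable domain for the top-level site.
const siteOf = (url) => new URL(url).origin;

class VisitedLinkModel {
  constructor() {
    this.byUrl = new Set();       // old behaviour: keyed by link URL only
    this.partitioned = new Set(); // keyed by <link URL, top-level site, frame origin>
  }

  static key(linkUrl, topSite, frameOrigin) {
    return JSON.stringify([linkUrl, topSite, frameOrigin]);
  }

  // A click is recorded together with the context it was clicked from.
  recordVisit(linkUrl, topLevelUrl, frameUrl) {
    this.byUrl.add(linkUrl);
    this.partitioned.add(
      VisitedLinkModel.key(linkUrl, siteOf(topLevelUrl), siteOf(frameUrl)));
  }

  // Unpartitioned lookup: every page sees every visit.
  isVisitedLegacy(linkUrl) {
    return this.byUrl.has(linkUrl);
  }

  // Partitioned lookup: all three keys must match, except for self-links.
  isVisitedPartitioned(linkUrl, topLevelUrl, frameUrl) {
    const top = siteOf(topLevelUrl);
    const frame = siteOf(frameUrl);
    // Self-link: a site showing a link to its own page learns nothing new,
    // so the visit counts even if the click happened on another site.
    const selfLink = siteOf(linkUrl) === top && frame === top;
    if (selfLink && this.byUrl.has(linkUrl)) return true;
    return this.partitioned.has(VisitedLinkModel.key(linkUrl, top, frame));
  }
}

// Constructed scenario: the user clicks a bank.example link shown on news.example.
const model = new VisitedLinkModel();
const link = "https://bank.example/login";
model.recordVisit(link, "https://news.example/", "https://news.example/");

console.log(model.isVisitedLegacy(link)); // any site could observe this
console.log(model.isVisitedPartitioned(link, "https://tracker.example/", "https://tracker.example/"));
```

In this model a page on tracker.example, or a tracker.example iframe embedded in news.example, gets no visited styling for the link, while news.example itself and bank.example still do.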

Users can manually enable the feature now in Chrome 132–135 by visiting chrome://flags/#partition-visited-link-database-with-self-links and setting it to Enabled. The feature will be turned on by default in Chrome 136.
While Chrome is leading with this privacy upgrade, Firefox and Safari currently use partial mitigations without full partitioning, leaving some attack vectors still open.





