Groups keyboard shortcuts have been updated
Dismiss
See shortcuts

Ready for Developer Testing: Partitioning :visited links history

37 views
Skip to first unread message

Kyra Seevers

unread,
Jan 15, 2025, 2:56:07 PMJan 15
to blink-dev

Contact emails

kyras...@chromium.org

Explainer

https://github.com/kyraseevers/Partitioning-visited-links-history

Specification Issue

https://github.com/w3c/csswg-drafts/issues/11151

Summary

To eliminate user browsing history leaks, anchor elements are styled as :visited if and only if they have been clicked from this top-level site and frame origin before. On the browser-side, this means that the VisitedLinks hashtable is now partitioned via "triple-keying", or by storing the following for each visited link: <link URL, top-level site, frame origin>. By only styling links that have been clicked on this site and frame before, the many side-channel attacks that have been developed to obtain :visited links styling information are now obsolete, as they no longer provide sites with new information about users.


Blink component

Blink>History>VisitedLinks

Search tags

visited links:visited selectorpartitioning history

TAG review

https://github.com/w3ctag/design-reviews/issues/896

TAG review status

Issues addressed

Chromium Trial Name

N/a

WebFeature UseCounter name

N/a

Risks



Interoperability and Compatibility

There has been lots of word-of-mouth interest from the Web Platform in adopting this feature cross-browser. We have interest from members of the CSSWG in specifying this solution in CSS Selectors, and we have a positive signal from Firefox that they are interested in implementing partitioning soon as well.


Gecko: Positive (https://github.com/mozilla/standards-positions/issues/1040)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/363)

Web developers: No signals

Other signals: Positive initial signals from presentation at WebAppSec from both Apple and Firefox. At the XS Leaks Summit, Firefox stated exploration of :visited links partitioning in their privacy goals for the upcoming year at the XS-Leaks Summit. Positive or neutral initial signals from security and privacy researchers at the XS-Leaks summit. No security concerns about this design. Lots of interest in finally resolving this exploit. Feedback from UX that CSS extensibility is in-demand from developers right now, and this work would pave the way for less restricted CSS on anchor elements. In addition, support from various developers who believe that taking care of this long-standing privacy leak will allow their own security and privacy solutions to advance once history sniffing is no longer an issue.

Ergonomics

This design is asynchronous and not used in tandem with other APIs.


Activation

Since this is a Finch roll-out, there are no additional activation risks.


Security

For this design we worked with the Chrome Security Architecture team to ensure reasonable precautions were taken against leaks via renderer compromise.


WebView application risks

N/a this feature will not launch on WebView.



Goals for experimentation

The goal of this dev trial is to allow those interested to test out the partitioned :visited links model (with self links) by flipping a flag. This functionality is available beginning in Chrome Version 132.

Ongoing technical constraints

None


Debuggability

No DevTools support is required.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

This feature is not currently supported on iOS or Android Webview. For iOS, this feature requires WebKit to alter its CSS parsing to support triple-key partitioning. Android Webview relies on an entirely different system to populate history, so it will require a separate design.



Is this feature fully tested by web-platform-tests?

No

This feature is not tested by Web Platform Tests because the :visited selector, in its current state, cannot be queried via JavaScript (https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector). As a result, we can only test :visited-ness via manual tests which rely on users visually confirming the correct links are :visited, or unit and integration tests internal to Chrome.


DevTrial instructions

https://github.com/explainers-by-googlers/Partitioning-visited-links-history?tab=readme-ov-file#how-to-experiment

Flag name on about://flags

Partition the Visited Link Database, including 'self links'

Finch feature name

PartitionVisitedLinkDatabaseWithSelfLinks

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1448609

Launch bug

https://launch.corp.google.com/launch/4330864

Estimated milestones

DevTrial on desktop132
DevTrial on Android132


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5101991698628608

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BmmbXbbLWwmRYH5SWx0%2BMWkfB2UY2miOAq4r0MZc34i_sWqBw%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BmmbXYy4CSMuPLY0HJuTbZt0qPz5ZUsGUToFJuCE%2BTfC86umA%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/U5AX0OXaxM8/m/tIGr4bJJBgAJ?utm_medium=email&utm_source=footer


This intent message was generated by Chrome Platform Status.
Reply all
Reply to author
Forward
0 new messages