Web browsing history powers helpful features like styling visited links differently, allowing users to see where they've been before. While this usability feature provides navigational benefits, it also introduces a privacy risk. The handling of visited links happened to be a silent backdoor of a kind, allowing malicious sites to detect users' browsing habits and user personal privacy. 

The CSS:visited pseudo-class enables browsers to style visited links differently than unvisited ones. This visual detail gave rise to side-channel attacks. Attackers could use JavaScript and CSS to detect styling changes or variations—such as differences in color or rendering time—and determine which links on a page a user has previously visited, even for domains they are not currently on. Namely, it was numerously demonstrated how web browsing history could have been leaking or stolen. This was indeed used against users.

Over time, a variety of increasingly sophisticated side-channel techniques have emerged: window.getComputedStyle and DOM inspection (directly examining the styles of anchor elements to detect visit status), user-interaction attacks (inferring visit history from user behavior such as clicks or hovers), timing attacks (measuring rendering times to distinguish visited from unvisited links), pixel color attacks (detecting subtle color variations even through mitigations), or process-level attacks (exploiting renderer compromises, such as SpectreJS, to leak internal visited link data).

Browsing habits can reveal sensitive information—such as health concerns or conditions, financial interests, or political affiliations. It also enables:

• Targeted profiling by advertisers, often without consent.
• Cross-site tracking, even in the absence of cookies.
• Enhanced fingerprinting, using the set of visited sites as a unique identifier.
• Phishing and social engineering tailored with greater precision.

We demonstrated the risks of web browsing history with a project called What The Internet Knows About You, and it was highly efficient. The following research also showed that browsing histories are often unique and stable over time—nearly biometric in their consistency, with up to 97% of browsing histories could uniquely identify individuals, with high stability. Subsequent large-scale browser telemetry studies have confirmed these findings, with 99% of users exhibiting distinct browsing patterns. The data demonstrated a clear potential for deanonymization and profiling. This proves that web browsing history is a type of personal data, and famously put under the GDPR radar.

Despite 2010 mitigations—lying about "unvisited" style during queries and restricting CSS styles applicable to :visitedlinks—the problem existed still. Furthermore, these defenses were complex and ultimately inadequate.

It is now time to fix it for good. A new solution has been proposed: partitioning visited link history. This approach fundamentally changes how browsers store and expose visited link data. Instead of maintaining a global list, web browsers will store visited links with a triple-key partition:

• Link URL. The destination of the visited link.
• Top-Level Site. The domain of the main browsing context.
• Frame Origin. The origin of the frame rendering the link.

A link is only styled as :visited if it was visited from the same top-level site and frame origin. For example, a user visiting https://w3.org from https://lukaszolejnik.com would not reveal this visit when browsing https://attacker.com, even if the attacker embedded a link to https://w3.org. This approach guarantees isolation and works well with the web's same-origin policy. The system records only navigations initiated by link clicks or scripts—excluding direct address bar entries or bookmark navigations.

Key benefits of this model include: strong protection against cross-site history leaks, solving for good of many known side-channel attacks, support for meaningful styling within trusted, same-context domains, conforming to established web privacy principles and data protection regulations.

This feature is already implemented in  Chrome (v132, behind a #partition-visited-link-database-with-self-links flag). I am confident that in 2025 we are going to have this privacy headache solved once and for all.

This approach represents a significant evolution in browser architecture. It breaks the decades-long arms race between privacy engineers and attackers. This marks a major step forward in building a more private and respectful web for all users.