Google Chrome Blocks Cross-Site History Tracking Exploit Hidden in Link Colors

For more than two decades, a quiet vulnerability inside the web’s styling engine allowed curious websites to peek into your private browsing patterns. It began with a familiar feature: the changing color of clicked links. But behind this simple behavior, websites could extract a surprising amount of information. Google has now reworked Chrome’s underlying structure to cut off this hidden channel.

Browsers have long supported special styling rules for links users have already visited. These links change color (typically to purple), giving users a cue about where they’ve been. The styling worked through a mechanism known as :visited, which applied even when links appeared on other sites. That behavior opened a door. Pages could load links to outside websites or blogs and then watch how those links appeared. If they looked visited, the site could infer what the user had clicked somewhere else.

This wasn’t just theoretical. Over the years, researchers built several ways to turn that detail into a tracking method. Some used pixel-level changes. Others measured tiny delays. Even user actions gave clues. None of these needed login data. The browser itself was quietly revealing past behavior.

Until now, visited-link data lived in a single memory pool. When someone clicked a link on one site, any other site showing the same address could detect that visit. With Chrome 136, Google has ended this legacy model. Instead of sharing one history list across the web, Chrome now stores visited status under a key made of three parts: the destination address, the top-level site visible in the browser, and the internal source of the link. If any of these pieces don’t match, the link won’t look visited.

This shift breaks the logic behind cross-site detection. Now, if someone clicks a link while browsing Site A, the same link won’t show up as visited when it appears on Site B. Only the original context will style it differently. Sites no longer gain unearned visibility into activity that happened elsewhere.

One exception remains for user convenience. If a site displays links to its own pages, those links will still appear as visited — even if the clicks happened while browsing from a different site. Since each site already knows which of its own pages a visitor accessed, this behavior doesn’t add new privacy risks.
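The keying scheme and the self-link exception described above can be modelled in a few lines. This is an added example, not Chrome's code: the class names, the `siteOf` helper and the example domains are hypothetical, and the "internal source of the link" is assumed here to be the origin of the frame that contains the link.

```javascript
// Simplified model of visited-link storage (added example, not Chrome's code).
// Assumption: site = scheme + last two host labels (browsers use the Public Suffix List).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Legacy model: one global set keyed by destination URL only.
class SharedVisitedStore {
  constructor() { this.urls = new Set(); }
  recordVisit(linkUrl) { this.urls.add(linkUrl); }
  isVisited(linkUrl) { return this.urls.has(linkUrl); }
}

// Partitioned model: each entry is keyed by destination address,
// top-level site, and the origin of the frame that holds the link.
class PartitionedVisitedStore {
  constructor() { this.keys = new Set(); }
  static key(linkUrl, topLevelUrl, frameUrl) {
    return JSON.stringify([linkUrl, siteOf(topLevelUrl), new URL(frameUrl).origin]);
  }
  recordVisit(linkUrl, topLevelUrl, frameUrl) {
    this.keys.add(PartitionedVisitedStore.key(linkUrl, topLevelUrl, frameUrl));
    // Self-link exception (modelled as an extra entry): the destination site
    // already knows about this visit, so it may style links to this page.
    this.keys.add(PartitionedVisitedStore.key(linkUrl, linkUrl, linkUrl));
  }
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.keys.has(PartitionedVisitedStore.key(linkUrl, topLevelUrl, frameUrl));
  }
}

// Constructed scenario: a link to news.example is clicked while on site-a.example.
function demo() {
  const link = 'https://news.example/story';
  const a = 'https://site-a.example/', b = 'https://site-b.example/';
  const shared = new SharedVisitedStore();
  const part = new PartitionedVisitedStore();
  shared.recordVisit(link);
  part.recordVisit(link, a, a);
  return {
    legacyOnSiteB: shared.isVisited(link),
    partitionedOnSiteA: part.isVisited(link, a, a),
    partitionedOnSiteB: part.isVisited(link, b, b),
    siteBFrameInsideSiteA: part.isVisited(link, a, b),
    selfLinkOnDestination: part.isVisited(link, 'https://news.example/', 'https://news.example/'),
  };
}
console.log(demo());
```

Only the original context and the destination site itself see the link as visited; the legacy store answers "visited" to every site that asks.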

Google considered other paths, removing visited styling entirely or requiring permission, but rejected them. Removing styling would disrupt navigation, while a permission system could be gamed. The chosen solution balances privacy with familiarity.

Chrome users who want to try the fix early can activate it manually in versions 132 through 135. The setting is available by navigating to the experimental features page and enabling the visited-link partition flag. In version 136, the change becomes the default.

Other browsers have addressed parts of this issue but stopped short of full partitioning. Firefox restricts styling but does not isolate visited data. Safari uses privacy tools like tracking prevention, yet it still lacks context-based separation. Chrome, with this release, becomes the first browser to neutralize the root of the flaw.

This fix arrives late, but it closes a well-known weakness baked into how the web has worked since its earliest days. After years of patches and partial solutions, the door is finally shut.

Most people don’t think twice when a blue hyperlink turns purple after being clicked. But behind that color change, a long-standing flaw was hiding in plain sight. Google has now fixed what had quietly allowed websites to peek into users’ browsing habits for over twenty years.

The problem came from how browsers stored visited-link data. Clicking a link on one site didn’t just mark it there. It marked it everywhere. That meant any other site showing the same link could tell if someone had already clicked it, even if the two sites had nothing to do with each other.

This left a trail. A malicious site could add links to popular domains and check their color to see what visitors had already seen. By detecting if a link appeared “visited,” those sites could uncover parts of a person’s browsing history without needing permission or access.

The issue wasn’t new. It was baked into how visited links were tracked across the web. Browsers weren’t keeping that data separate, so all sites pulled from the same memory. Google’s new fix changes that. Now, each site gets its own record. One site can no longer ask if a link was visited somewhere else.

The change is part of Chrome’s version 136, currently in beta and coming soon to stable releases. The flaw itself dates back decades. A researcher first demonstrated it in 2002, building on earlier work by privacy experts at Princeton. Later, a study in 2009 showed the problem wasn’t limited to Chrome. Safari, Firefox, Opera, and Internet Explorer had all been vulnerable too.

Now, with a structural shift in how link-visit data is stored, this outdated bug finally meets its end.
