The 23‑Year‑Old CSS :visited Leak: How Link Color Exposes Your Browsing History and Chrome’s Recent Fix
This article explains how the seemingly harmless CSS :visited selector lets websites infer users' browsing history, the privacy risks it creates, the decades‑long history of the vulnerability, and how Chrome’s latest partitioning approach finally mitigates the leak.
When a user visits a webpage, browsers automatically apply the CSS pseudo‑class :visited to links that appear in the user's history, typically changing their color to purple; this visual cue, while convenient, unintentionally reveals which URLs a user has previously opened.
Attackers can exploit this behavior by loading a page containing many links and using JavaScript functions such as getComputedStyle() to test the computed color of each link, thereby reconstructing a victim’s browsing history and correlating it with personal interests, employment activity, or health queries.
The vulnerability was first identified in 2002 by developer David Baron and has persisted for over two decades, with various partial mitigations—such as browsers lying about link styles or disabling visited‑link coloring—either harming performance or being bypassed by clever attackers.
In April 2024, Chrome 136 introduced a comprehensive fix by partitioning the :visited history into three dimensions: the link URL, the top‑level site, and the frame source. Only when all three components match does the browser apply the visited style, preventing cross‑site history leakage.
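To make the three-part key concrete, here is an added toy model (not Chrome's code) contrasting a URL-only visited store with one keyed by link URL, top-level site and frame origin; it assumes "site" can be approximated by hostname and uses constructed sample URLs.

```javascript
// Added example (not Chrome's code): toy model of triple-keyed :visited partitioning.
// Assumptions: "site" is approximated by hostname (real browsers use the registrable
// domain, eTLD+1); "frame origin" is the origin of the document rendering the link;
// every URL below is a constructed sample value.
const siteOf = (url) => new URL(url).hostname;
const originOf = (url) => new URL(url).origin;

// Legacy behaviour: one global set keyed by the link URL alone.
class GlobalVisitedStore {
  constructor() { this.urls = new Set(); }
  record(linkUrl) { this.urls.add(new URL(linkUrl).href); }
  isVisited(linkUrl) { return this.urls.has(new URL(linkUrl).href); }
}

// Partitioned behaviour: the key is (link URL, top-level site, frame origin).
class PartitionedVisitedStore {
  constructor() { this.keys = new Set(); }
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([new URL(linkUrl).href, topLevelSite, frameOrigin]);
  }
  record(linkUrl, topLevelSite, frameOrigin) {
    this.keys.add(PartitionedVisitedStore.key(linkUrl, topLevelSite, frameOrigin));
  }
  isVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.keys.has(PartitionedVisitedStore.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// Scenario: the user follows a link to TARGET from ORIGIN_PAGE; later an unrelated
// PROBE_PAGE renders the same link and checks whether it is styled :visited.
function simulate() {
  const TARGET = "https://clinic.example/appointments"; // constructed
  const ORIGIN_PAGE = "https://news.example/article";    // where the click happened
  const PROBE_PAGE = "https://tracker.example/page";     // third-party page
  const legacy = new GlobalVisitedStore();
  legacy.record(TARGET);
  const partitioned = new PartitionedVisitedStore();
  partitioned.record(TARGET, siteOf(ORIGIN_PAGE), originOf(ORIGIN_PAGE));
  return {
    // Old model: any page that renders the link learns the user visited it.
    legacyLeaksToThirdParty: legacy.isVisited(TARGET),
    // New model: only the same top-level site and frame origin see it as visited.
    sameContextStyled: partitioned.isVisited(TARGET, siteOf(ORIGIN_PAGE), originOf(ORIGIN_PAGE)),
    thirdPartyStyled: partitioned.isVisited(TARGET, siteOf(PROBE_PAGE), originOf(PROBE_PAGE)),
    // An iframe from news.example embedded on the third-party page also gets no
    // visited style: the frame origin matches but the top-level site does not.
    embeddedFrameStyled: partitioned.isVisited(TARGET, siteOf(PROBE_PAGE), originOf(ORIGIN_PAGE)),
  };
}
```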
Although this partitioning greatly reduces the risk, the article warns that other timing‑based attacks (e.g., measuring cache or rendering times) still exist, and privacy‑focused developers should stay vigilant about emerging side‑channel techniques.