Contact emails

kyraseev...@chromium.org

Explainer

https://github.com/kyraseevers/Partitioning-visited-links-history

Specification

TBD

Summary

To eliminate user browsing history leaks, anchor elements will be styled as
:visited if and only if they have been visited from the same top-level site
and frame origin before. On the browser-side, this means that the
VisitedLinks hashtable will now be partitioned via "triple-keying", or by
storing the following for each visited link: <link URL, top-level site,
frame origin>. By only styling links that have been visited from this site
and frame before, the many side-channel attacks that have been developed to
obtain :visited links styling information will be obsolete, as they no
longer provide sites with new information about users.

Blink component

Blink>History>VisitedLinks
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EHistory%3EVisitedLinks>

Motivation

Since 2010, the number of side-channel attacks to leak the user’s browsing
history by abusing :visited links styling has grown, including user
interaction attacks, timing attacks, pixel color attacks, and process-level
attacks
<https://github.com/kyraseevers/Partitioning-visited-links-history#citations>.
While these attack vectors are slowed down by the 2010 mitigations
<https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector>,
they are not eliminated; browsers are still actively leaking user browsing
history today.

Triple-keyed history partitioning only styles links that have been visited from
the same top-level site and frame origin before. As a result, the many
side-channel attacks that have been developed to obtain the global :visited
links state will now be obsolete, as they will no longer provide sites with
new information about users.

This feature will improve user privacy and security. The resulting
implementation will be relevant to users who will see slight changes to
which links appear styled on their screens, and to bad actors who will no
longer be able to use side-channel attacks to reveal user browsing history.

Initial public proposal

https://github.com/WICG/proposals/issues/100

Search tags

visited links <https://chromestatus.com/features#tags:visited%20links>,
:visited selector <https://chromestatus.com/features#tags::visited%20selector>,
partitioning history <https://chromestatus.com/features#tags:partitioning%20history>

TAG review

TBD

TAG review status

Not Started

Risks

Interoperability and Compatibility

Gecko: Positive initial signals from presentation at WebAppSec
<https://github.com/w3c/webappsec/blob/main/meetings/2023/2023-06-21-minutes.md>

WebKit: Positive initial signals from presentation at WebAppSec
<https://github.com/w3c/webappsec/blob/main/meetings/2023/2023-06-21-minutes.md>

Web developers: Feedback from UX that CSS extensibility is in-demand from
developers right now, and this work would pave the way for less restricted
CSS on anchor elements. In addition, support from various developers who
believe that taking care of this long-standing privacy leak will allow
their own security and privacy solutions to advance once history sniffing
is no longer an issue.

Other signals: N/a

WebView application risks

No - this feature deals with platform-specific code, and Android WebView
does style :visited links based on user browsing history, but we do not
expect significant challenges for WebView users.


Debuggability

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

No

Flag name

(Tentatively) base::features::PartitionVisitedLinks

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1448609

Launch bug

https://launch.corp.google.com/launch/4259382

Estimated milestones

No milestones specified yet

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5101991698628608

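The triple-keying described in the Summary, as an added toy model that is not part of the original message and not Chromium's code: it compares a table keyed on the link URL alone with one keyed on <link URL, top-level site, frame origin>. The `VisitedLinks` class, its methods, `siteOf`, and all URLs are hypothetical, and the site computation is a simplification that ignores the Public Suffix List.

```javascript
// Toy model of a visited-links table (added example, not Chromium code).
// Assumption: "site" = scheme + last two host labels. A real browser uses
// the Public Suffix List to find the registrable domain.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

class VisitedLinks {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.table = new Set();
  }
  // Unpartitioned: key is the link URL alone (global history state).
  // Partitioned: key is <link URL, top-level site, frame origin>.
  key(link, topLevelUrl, frameUrl) {
    const parts = [new URL(link).href];
    if (this.partitioned) {
      parts.push(siteOf(topLevelUrl), new URL(frameUrl).origin);
    }
    return JSON.stringify(parts);
  }
  recordVisit(link, topLevelUrl, frameUrl) {
    this.table.add(this.key(link, topLevelUrl, frameUrl));
  }
  isVisited(link, topLevelUrl, frameUrl) {
    return this.table.has(this.key(link, topLevelUrl, frameUrl));
  }
}

// Constructed scenario: one click on a link from www.news.example, then
// the same link is rendered in four different contexts.
function scenario(partitioned) {
  const db = new VisitedLinks(partitioned);
  const link = "https://bank.example/login";
  const news = "https://www.news.example/";
  db.recordVisit(link, news, news);
  return {
    sameContext: db.isVisited(link, news + "story", news + "story"),
    sameSiteTop: db.isVisited(link, "https://blog.news.example/", news + "widget"),
    crossOriginFrame: db.isVisited(link, news, "https://ads.example/frame"),
    otherSite: db.isVisited(link, "https://probe.example/", "https://probe.example/"),
  };
}

console.log("unpartitioned:", scenario(false));
console.log("partitioned:  ", scenario(true));
```

In the partitioned run only the contexts sharing both the top-level site and the frame origin of the original visit report the link as visited, so an unrelated site or a cross-origin frame learns nothing from the :visited state.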