Hi Dave,

Thanks for the question! This intent only covers the partitioning of the
VisitedLink hashtable by a partition key, and does not include plans to
limit what keys are stored by each renderer in its VisitedLinkReader
instance. However, we are aware that this would be an area of future work
to further improve security (whether by only sending the visited links
to the relevant AgentSchedulingGroup/SiteInstanceGroup or another method).

Thanks and let me know if you have any other questions,
Kyra

On Wed, Jun 28, 2023 at 8:05 AM Dave Tapuska <dtapu...@chromium.org> wrote:

> I look forward to this. Will this include an implementation whereby the
> visited links are only sent to the relevant
> AgentSchedulingGroup/SiteInstanceGroup? My recollection is that the visited
> link map was propagated to each renderer unconditionally.
>
> Dave
>
> On Wed, Jun 28, 2023, 3:21 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>
>> Amazing work that we should've done long ago. Thanks for taking this on!!
>>
>> On Tue, Jun 27, 2023 at 10:46 PM Kyra Seevers <kyraseev...@chromium.org>
>> wrote:
>>
>>> Contact emails
>>>
>>> kyraseev...@chromium.org
>>>
>>> Explainer
>>>
>>> https://github.com/kyraseevers/Partitioning-visited-links-history
>>>
>>> Specification
>>>
>>> TBD
>>>
>>> Summary
>>>
>>> To eliminate user browsing history leaks, anchor elements will be styled
>>> as :visited if and only if they have been visited from the same top-level
>>> site and frame origin before. On the browser-side, this means that the
>>> VisitedLinks hashtable will now be partitioned via "triple-keying", or by
>>> storing the following for each visited link: <link URL, top-level site,
>>> frame origin>. By only styling links that have been visited from this site
>>> and frame before, the many side-channel attacks that have been developed to
>>> obtain :visited links styling information will be obsolete, as they no
>>> longer provide sites with new information about users.
>>>
>>> Blink component
>>>
>>> Blink>History>VisitedLinks
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EHistory%3EVisitedLinks>
>>>
>>> Motivation
>>>
>>> Since 2010, the number of side-channel attacks to leak the user’s
>>> browsing history by abusing :visited links styling has grown, including user
>>> interaction attacks, timing attacks, pixel color attacks, and process-level
>>> attacks
>>> <https://github.com/kyraseevers/Partitioning-visited-links-history#citations>.
>>> While these attack vectors are slowed down by the 2010 mitigations
>>> <https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector>,
>>> they are not eliminated; browsers are still actively leaking user browsing
>>> history today.
>>>
>>> Triple-keyed history partitioning only styles links that have been visited
>>> from the same top-level site and frame origin before. As a result, the many
>>> side-channel attacks that have been developed to obtain the global :visited
>>> links state will now be obsolete, as they will no longer provide sites with
>>> new information about users.
>>>
>>> This feature will improve user privacy and security. The resulting
>>> implementation will be relevant to users who will see slight changes to
>>> which links appear styled on their screens, and to bad actors who will no
>>> longer be able to use side-channel attacks to reveal user browsing history.
>>>
>>> Initial public proposal
>>>
>>> https://github.com/WICG/proposals/issues/100
>>>
>>> Search tags
>>>
>>> visited links <https://chromestatus.com/features#tags:visited%20links>,
>>> :visited selector <https://chromestatus.com/features#tags::visited%20selector>,
>>> partitioning history <https://chromestatus.com/features#tags:partitioning%20history>
>>>
>>> TAG review
>>>
>>> TBD
>>>
>>> TAG review status
>>>
>>> Not Started
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> Gecko: Positive initial signals from presentation at WebAppSec
>>> <https://github.com/w3c/webappsec/blob/main/meetings/2023/2023-06-21-minutes.md>
>>>
>>> WebKit: Positive initial signals from presentation at WebAppSec
>>> <https://github.com/w3c/webappsec/blob/main/meetings/2023/2023-06-21-minutes.md>
>>>
>>> Web developers: Feedback from UX that CSS extensibility is in-demand
>>> from developers right now, and this work would pave the way for less
>>> restricted CSS on anchor elements. In addition, support from various
>>> developers who believe that taking care of this long-standing privacy leak
>>> will allow their own security and privacy solutions to advance once history
>>> sniffing is no longer an issue.
>>>
>>> Other signals: N/a
>>>
>>> WebView application risks
>>>
>>> No - this feature deals with platform-specific code, and Android WebView
>>> does style :visited links based on user browsing history, but we do not
>>> expect significant challenges for WebView users.
>>>
>>> Debuggability
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>
>>> No
>>>
>>> Flag name
>>>
>>> (Tentatively) base::features::PartitionVisitedLinks
>>>
>>> Requires code in //chrome?
>>>
>>> False
>>>
>>> Tracking bug
>>>
>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1448609
>>>
>>> Launch bug
>>>
>>> https://launch.corp.google.com/launch/4259382
>>>
>>> Estimated milestones
>>>
>>> No milestones specified yet
>>>
>>> Link to entry on the Chrome Platform Status
>>>
>>> https://chromestatus.com/feature/5101991698628608
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+unsubscr...@chromium.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BmmbXbbLWwmRYH5SWx0%2BMWkfB2UY2miOAq4r0MZc34i_sWqBw%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BmmbXbbLWwmRYH5SWx0%2BMWkfB2UY2miOAq4r0MZc34i_sWqBw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>

-- 

Kyra Seevers (she/her) |  Software Engineer |  kyraseev...@google.com |
 859-537-9917
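
The triple-keying described in the quoted Summary, as an added illustration that is not part of this thread and is not Chromium's code: a simplified model of a visited-link table keyed by link URL alone versus by <link URL, top-level site, frame origin>. The names `VisitedLinkTable`, `VisitedLinkKey` and `MixField`, the FNV-1a hash and the salt value are all assumptions made for the example.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_set>

// Simplified model, not Chromium's VisitedLink code. FNV-1a stands in for the
// real fingerprint function, and the salt is a constructed value.
struct VisitedLinkKey { std::string link_url, top_level_site, frame_origin; };

// Mix in one field, length-prefixed, so <"ab","c"> and <"a","bc"> cannot
// serialize to the same byte stream and share a fingerprint.
static void MixField(std::uint64_t& h, const std::string& field) {
  for (unsigned char c : std::to_string(field.size()) + ":" + field) {
    h ^= c;
    h *= 1099511628211ULL;  // FNV-1a 64-bit prime
  }
}

class VisitedLinkTable {
 public:
  explicit VisitedLinkTable(bool partitioned) : partitioned_(partitioned) {}
  void AddVisit(const VisitedLinkKey& k) { table_.insert(Compute(k)); }
  // What the style engine would consult before applying :visited.
  bool IsVisited(const VisitedLinkKey& k) const {
    return table_.count(Compute(k)) != 0;
  }
 private:
  std::uint64_t Compute(const VisitedLinkKey& k) const {
    std::uint64_t h = 14695981039346656037ULL ^ 0x5eedf00dcafe1234ULL;  // salted
    MixField(h, k.link_url);
    if (partitioned_) {  // triple-keying: browsing context is part of the key
      MixField(h, k.top_level_site);
      MixField(h, k.frame_origin);
    }
    return h;
  }
  bool partitioned_;
  std::unordered_set<std::uint64_t> table_;
};

int main() {
  VisitedLinkTable legacy(false), partitioned(true);
  const VisitedLinkKey visit{"https://bank.example/", "https://news.example", "https://news.example"};
  legacy.AddVisit(visit);
  partitioned.AddVisit(visit);
  const VisitedLinkKey probe{"https://bank.example/", "https://other.example", "https://other.example"};
  std::cout << legacy.IsVisited(probe) << partitioned.IsVisited(probe) << "\n";
}
```

The model covers only the lookup key; it says nothing about which entries each renderer process receives, which the reply above describes as future work.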
