Contact emailskyraseev...@chromium.org Explainerhttps://github.com/kyraseevers/Partitioning-visited-links-history
Specification Issuehttps://github.com/w3c/csswg-drafts/issues/11151 Summary To eliminate user browsing history leaks, anchor elements are styled as :visited if and only if they have been clicked from this top-level site and frame origin before. On the browser-side, this means that the VisitedLinks hashtable is now partitioned via "triple-keying", or by storing the following for each visited link: <link URL, top-level site, frame origin>. By only styling links that have been clicked on this site and frame before, the many side-channel attacks that have been developed to obtain :visited links styling information are now obsolete, as they no longer provide sites with new information about users. Blink componentBlink>History>VisitedLinks <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHistory%3EVisitedLinks%22> Search tagsvisited links <https://chromestatus.com/features#tags:visited%20links>, :visited selector <https://chromestatus.com/features#tags::visited%20selector>, partitioning history <https://chromestatus.com/features#tags:partitioning%20history> TAG reviewhttps://github.com/w3ctag/design-reviews/issues/896 TAG review statusIssues addressed Chromium Trial NameN/a WebFeature UseCounter nameN/a Risks Interoperability and Compatibility There has been lots of word-of-mouth interest from the Web Platform in adopting this feature cross-browser. We have interest from members of the CSSWG in specifying this solution in CSS Selectors, and we have a positive signal from Firefox that they are interested in implementing partitioning soon as well. *Gecko*: Positive ( https://github.com/mozilla/standards-positions/issues/1040) *WebKit*: No signal ( https://github.com/WebKit/standards-positions/issues/363) *Web developers*: No signals *Other signals*: Positive initial signals from presentation at WebAppSec from both Apple and Firefox. At the XS Leaks Summit, Firefox stated exploration of :visited links partitioning in their privacy goals for the upcoming year at the XS-Leaks Summit. Positive or neutral initial signals from security and privacy researchers at the XS-Leaks summit. No security concerns about this design. Lots of interest in finally resolving this exploit. Feedback from UX that CSS extensibility is in-demand from developers right now, and this work would pave the way for less restricted CSS on anchor elements. In addition, support from various developers who believe that taking care of this long-standing privacy leak will allow their own security and privacy solutions to advance once history sniffing is no longer an issue. Ergonomics This design is asynchronous and not used in tandem with other APIs. Activation Since this is a Finch roll-out, there are no additional activation risks. Security For this design we worked with the Chrome Security Architecture team to ensure reasonable precautions were taken against leaks via renderer compromise. WebView application risks N/a this feature will not launch on WebView. Goals for experimentation The goal of this dev trial is to allow those interested to test out the partitioned :visited links model (with self links) by flipping a flag. This functionality is available beginning in Chrome Version 132. Ongoing technical constraints None Debuggability No DevTools support is required. Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?No This feature is not currently supported on iOS or Android Webview. For iOS, this feature requires WebKit to alter its CSS parsing to support triple-key partitioning. Android Webview relies on an entirely different system to populate history, so it will require a separate design. Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ?No This feature is not tested by Web Platform Tests because the :visited selector, in its current state, cannot be queried via JavaScript ( https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector). As a result, we can only test :visited-ness via manual tests which rely on users visually confirming the correct links are :visited, or unit and integration tests internal to Chrome. DevTrial instructions https://github.com/explainers-by-googlers/Partitioning-visited-links-history?tab=readme-ov-file#how-to-experiment Flag name on about://flagsPartition the Visited Link Database, including 'self links' Finch feature namePartitionVisitedLinkDatabaseWithSelfLinks Requires code in //chrome?False Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=1448609 Launch bughttps://launch.corp.google.com/launch/4330864 Estimated milestones DevTrial on desktop 132 DevTrial on Android 132 Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5101991698628608 Links to previous Intent discussionsIntent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BmmbXbbLWwmRYH5SWx0%2BMWkfB2UY2miOAq4r0MZc34i_sWqBw%40mail.gmail.com Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BmmbXYy4CSMuPLY0HJuTbZt0qPz5ZUsGUToFJuCE%2BTfC86umA%40mail.gmail.com Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/U5AX0OXaxM8/m/tIGr4bJJBgAJ?utm_medium=email&utm_source=footer This intent message was generated by Chrome Platform Status <https://chromestatus.com/>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BmmbXbXMzzwR15PkpvLKZTW%3D9x2zmB4sZgF1Hp%2Bm8DnRgAW_Q%40mail.gmail.com.
