I'm marking this severity-low for the history leak, but it's definitely a privacy concern.

Adding ojan since he's worked on stuff like this before.

Given that this was a public disclosure (by a Googler) from last year, any reason to view-restrict this?

I agree we don't need to view-restrict this.

Having chatted with our Predictability effort leads there really isn't much we can do at this stage. The usage is too high and the security impact low to warrant a deprecation/removal. 

All we can do is take this as one other sign that we should rethink how :visited works. 

I assume you mean the usage of :visited is too high to remove it entirely.  But could there be a more targeted mitigation, like using the non-visited background color in mix-blend-mode computations?

Sorry no I meant mixed-blend-mode usage here. 

I'm not too sure what the best way forward is. rbyers@, do you have any thoughts?

IMHO it's time someone took a serious look at overhauling how :visited behaves to try to solve these issues.  It's been discussed a lot but I couldn't find an existing bug so filed bug 713521.

In that case, what is the action required on this bug (as opposed to bug 713521)?

Dropping the update frequency on this to match the blocking bug 713521, since there doesn't seem to be anything for us to do until that is resolved. Also removing the "Privacy" component, since that's captured by the blocking bug.

+msramek for Privacy and +some more CSS OWNERS.

I certainly vote for issue 713521 as a "once and for all" solution.