Leaking browser history

The problem is that you can deduce the status of visited links indirectly without accessing
the link in the dom.  This is because a link which contains text is rendered in a way that
takes up space on the page.  If a visited link changes the size of its container you'd be able
to deduce that a link was visited by examining the container.  You'd need to taint the entire
dom at that point.