CSS tracking: Difference between revisions

Latest revision as of 21:07, 26 April 2026

❗Article Status Notice: This Article is a stub

This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼

CSS-based tracking and CSS fingerprinting consist of abusing the semantics of CSS, a styling language used to present virtually all web-pages, in order to trick web-browsers to send data to servers.

How it works

CSS can declare that certain resources/assets be used if certain conditions are met.^[1] Since browsers implement lazy-loading, this means that assets will only be requested when the conditions are met. This effectively allows pinging arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.^[2]^[3]

Traditionally, CSS tracking was (and still is) implemented as a limited finger-printer, typically by enumerating installed fonts and checking window dimensions.^{[citation needed]}

Either way, the attack has limitations, as caching avoids (no guarantee) repeated requests from happening.

Why it is a problem

Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a virtually Turing-complete programming language,^[4]^[5] a fact which may leave even the most privacy-minded users vulnerable to tracking.^{[citation needed]} This mode of attack breaks the common belief that HTML and CSS can only be used to make static/passive documents, whilst JavaScript represents the real "threat" to be countered through disabling.^{[citation needed]}

Examples

Some examples of CSS tracking include:

*
*
*

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

References

[1] ttps://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries

[2] ttps://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense

[3] ttps://portswigger.net/research/inline-style-exfiltration

[4] ttps://lyra.horse/x86css/

[5] ttps://lyra.horse/css-clicker/

[1]

[2]

[3]

[4]

[5]

@@ Line 1: / Line 1: @@
 {{StubNotice}}
-'''[[wikipedia:CSS|CSS]]-based tracking''' and '''[[wikipedia:CSS_fingerprinting|CSS fingerprinting]],''' consist on abusing the semantics of CSS, in order to trick web-browsers to send data to servers.
+'''[[wikipedia:CSS|CSS]]-based tracking''' and '''[[wikipedia:CSS_fingerprinting|CSS fingerprinting]]''' consist of abusing the semantics of CSS, a styling language used to present virtually all web-pages, in order to trick web-browsers to send data to servers.
 ==How it works==
 CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"[https://www.gnu.org/philosophy/who-does-that-server-really-serve.html server]" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref>
-Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|fingerprinter]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}}
+Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|finger-printer]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}}
 Either way, the attack has limitations, as [[wikipedia:Cache_(computing)|caching]] avoids (no guarantee) repeated requests from happening.
 ==Why it is a problem==
-This is an insidious practice, as CSS is widely believed to be "just a declarative styling language", even though it's [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical practically Turing-complete].<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> Even privacy-minded users have this misconception, which makes them equally vulnerable to this class of tracking.{{Citation needed}} Most people believe that simply disabling [[JavaScript|Javascript]] is enough. This attack breaks the expectation that [[wikipedia:HTML|HTML]] and CSS can only be used to make static/passive documents.<!-- Chromium disables HTML-based lazy-loading when JS is disabled, for privacy reasons. But it doesn't disable lazy-load for CSS -->
+Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical virtually Turing-complete] programming language,<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> a fact which may leave even the most privacy-minded users vulnerable to tracking.{{Citation needed}} This mode of attack breaks the common belief that [[wikipedia:HTML|HTML]] and CSS can only be used to make static/passive documents, whilst [[JavaScript]] represents the real "threat" to be countered through disabling.{{Citation needed}}<!-- Chromium disables HTML-based lazy-loading when JS is disabled, for privacy reasons. But it doesn't disable lazy-load for CSS -->
 ==Examples==