CSS tracking: Difference between revisions
m Flow of reading, tone moderation to neutrality (see Neutral POV / Editorial guidleines), etc. See Discussion page for more. |
mNo edit summary |
||
| (One intermediate revision by one other user not shown) | |||
| Line 6: | Line 6: | ||
CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"[https://www.gnu.org/philosophy/who-does-that-server-really-serve.html server]" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref> | CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"[https://www.gnu.org/philosophy/who-does-that-server-really-serve.html server]" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref> | ||
Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|finger printer]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}} | Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|finger-printer]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}} | ||
Either way, the attack has limitations, as [[wikipedia:Cache_(computing)|caching]] avoids (no guarantee) repeated requests from happening. | Either way, the attack has limitations, as [[wikipedia:Cache_(computing)|caching]] avoids (no guarantee) repeated requests from happening. | ||
==Why it is a problem== | ==Why it is a problem== | ||
Though CSS is widely believed to be "just a declarative styling | Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical virtually Turing-complete] programming language,<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> a fact which may leave even the most privacy-minded users vulnerable to tracking.{{Citation needed}} This mode of attack breaks the common belief that [[wikipedia:HTML|HTML]] and CSS can only be used to make static/passive documents, whilst [[JavaScript]] represents the real "threat" to be countered through disabling.{{Citation needed}}<!-- Chromium disables HTML-based lazy-loading when JS is disabled, for privacy reasons. But it doesn't disable lazy-load for CSS --> | ||
==Examples== | ==Examples== | ||
Latest revision as of 21:07, 26 April 2026
❗Article Status Notice: This Article is a stub
This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼
CSS-based tracking and CSS fingerprinting consist of abusing the semantics of CSS, a styling language used to present virtually all web-pages, in order to trick web-browsers to send data to servers.
How it works
[edit | edit source]CSS can declare that certain resources/assets be used if certain conditions are met.[1] Since browsers implement lazy-loading, this means that assets will only be requested when the conditions are met. This effectively allows pinging arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.[2][3]
Traditionally, CSS tracking was (and still is) implemented as a limited finger-printer, typically by enumerating installed fonts and checking window dimensions.[citation needed]
Either way, the attack has limitations, as caching avoids (no guarantee) repeated requests from happening.
Why it is a problem
[edit | edit source]Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a virtually Turing-complete programming language,[4][5] a fact which may leave even the most privacy-minded users vulnerable to tracking.[citation needed] This mode of attack breaks the common belief that HTML and CSS can only be used to make static/passive documents, whilst JavaScript represents the real "threat" to be countered through disabling.[citation needed]
Examples
[edit | edit source]