CSS tracking: Difference between revisions

Line 4:

==How it works==

CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref>

CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"[https://www.gnu.org/philosophy/who-does-that-server-really-serve.html server]" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref>

Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|fingerprinter]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}}

Line 11:

==Why it is a problem==

This is an insidious practice, as CSS is widely believed to be "just a declarative styling language", even though it's [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical practically Turing-complete].<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> Even privacy-minded users have this misconception, which makes them equally vulnerable to this class of tracking.{{Citation needed}} Most people believe that simply disabling [[JavaScript|Javascript]] is enough. This attack breaks the expectation that HTML and CSS can only be used to make static/passive documents.

This is an insidious practice, as CSS is widely believed to be "just a declarative styling language", even though it's [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical practically Turing-complete].<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> Even privacy-minded users have this misconception, which makes them equally vulnerable to this class of tracking.{{Citation needed}} Most people believe that simply disabling [[JavaScript|Javascript]] is enough. This attack breaks the expectation that [[wikipedia:HTML|HTML]] and CSS can only be used to make static/passive documents.

==Examples==

@@ Line 4: / Line 4: @@
 ==How it works==
-CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref>
+CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"[https://www.gnu.org/philosophy/who-does-that-server-really-serve.html server]" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref>
 Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|fingerprinter]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}}
@@ Line 11: / Line 11: @@
 ==Why it is a problem==
-This is an insidious practice, as CSS is widely believed to be "just a declarative styling language", even though it's [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical practically Turing-complete].<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> Even privacy-minded users have this misconception, which makes them equally vulnerable to this class of tracking.{{Citation needed}} Most people believe that simply disabling [[JavaScript|Javascript]] is enough. This attack breaks the expectation that HTML and CSS can only be used to make static/passive documents.<!-- Chromium disables HTML-based lazy-loading when JS is disabled, for privacy reasons. But it doesn't disable lazy-load for CSS -->
+This is an insidious practice, as CSS is widely believed to be "just a declarative styling language", even though it's [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical practically Turing-complete].<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> Even privacy-minded users have this misconception, which makes them equally vulnerable to this class of tracking.{{Citation needed}} Most people believe that simply disabling [[JavaScript|Javascript]] is enough. This attack breaks the expectation that [[wikipedia:HTML|HTML]] and CSS can only be used to make static/passive documents.<!-- Chromium disables HTML-based lazy-loading when JS is disabled, for privacy reasons. But it doesn't disable lazy-load for CSS -->
 ==Examples==