CSS tracking: Difference between revisions

Revision as of 21:07, 26 April 2026

❗This article is a stub. You can help by expanding it.

A moderator needs to check the page before this notice can be removed. Visit the noticeboard or the #appeals channel in either Zulip or Discord to request removal.

More info ▼

An article may be flagged as a stub when it is missing major elements needed to make it useful to a reader. You can help by adding missing sections, verifiable sources, relevant company policies and communications, etc. to make the article more complete.

CSS-based tracking and CSS fingerprinting consist of abusing the semantics of CSS, a styling language used to present virtually all web-pages, in order to trick web-browsers to send data to servers.

How it works

CSS can declare that certain resources/assets be used if certain conditions are met.^[1] Since browsers implement lazy-loading, this means that assets will only be requested when the conditions are met. This effectively allows pinging arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.^[2]^[3]

Traditionally, CSS tracking was (and still is) implemented as a limited finger-printer, typically by enumerating installed fonts and checking window dimensions.^{[citation needed]}

Either way, the attack has limitations, as caching avoids (no guarantee) repeated requests from happening.

Why it is a problem

Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a virtually Turing-complete programming language,^[4]^[5] a fact which may leave even the most privacy-minded users vulnerable to tracking.^{[citation needed]} This mode of attack breaks the common belief that HTML and CSS can only be used to make static/passive documents, whilst JavaScript represents the real "threat" to be countered through disabling.^{[citation needed]}

Examples

Some examples of CSS tracking include:

*
*
*

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

References

[1] ttps://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries

[2] ttps://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense

[3] ttps://portswigger.net/research/inline-style-exfiltration

[4] ttps://lyra.horse/x86css/

[5] ttps://lyra.horse/css-clicker/

[1]

[2]

[3]

[4]

[5]

@@ Line 6: / Line 6: @@
 CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement [[wikipedia:Lazy_loading|lazy-loading]], this means that assets will only be requested ''when'' the conditions are met. This effectively allows [[wikipedia:Ping_(networking_utility)|pinging]] arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"[https://www.gnu.org/philosophy/who-does-that-server-really-serve.html server]" to gather more data about user behavior.<ref>https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense</ref><ref>https://portswigger.net/research/inline-style-exfiltration</ref>
-Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|finger printer]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}}
+Traditionally, CSS tracking was (and still is) implemented as a limited [[Fingerprinting|finger-printer]], typically by enumerating installed fonts and checking window dimensions.{{Citation needed}}
 Either way, the attack has limitations, as [[wikipedia:Cache_(computing)|caching]] avoids (no guarantee) repeated requests from happening.
 ==Why it is a problem==
-Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a virtually [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical Turing-complete] programming language,<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> a fact which may leave even the most privacy-minded users vulnerable to tracking.{{Citation needed}} This mode of attack breaks the common belief that [[wikipedia:HTML|HTML]] and CSS can only be used to make static/passive documents, whilst [[JavaScript]] represents the real "threat" to be countered through disabling.{{Citation needed}}<!-- Chromium disables HTML-based lazy-loading when JS is disabled, for privacy reasons. But it doesn't disable lazy-load for CSS -->
+Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical virtually Turing-complete] programming language,<ref>https://lyra.horse/x86css/</ref><ref>https://lyra.horse/css-clicker/</ref> a fact which may leave even the most privacy-minded users vulnerable to tracking.{{Citation needed}} This mode of attack breaks the common belief that [[wikipedia:HTML|HTML]] and CSS can only be used to make static/passive documents, whilst [[JavaScript]] represents the real "threat" to be countered through disabling.{{Citation needed}}<!-- Chromium disables HTML-based lazy-loading when JS is disabled, for privacy reasons. But it doesn't disable lazy-load for CSS -->
 ==Examples==