Consumer Rights Wiki

CSS tracking

Revision as of 01:05, 26 April 2026 by Rudxain (talk | contribs) (Created page with "{{StubNotice}} '''CSS-based tracking''' and '''CSS fingerprinting,''' consist on abusing the semantics of CSS, in order to trick web-browsers to send data to servers. ==How it works== CSS can declare that certain resources/assets be used ''if'' certain conditions are met.<ref>https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries</ref> Since browsers implement lazy-loading, thi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Article Status Notice: This Article is a stub

This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼

CSS-based tracking and CSS fingerprinting, consist on abusing the semantics of CSS, in order to trick web-browsers to send data to servers.

How it works

CSS can declare that certain resources/assets be used if certain conditions are met.[1] Since browsers implement lazy-loading, this means that assets will only be requested when the conditions are met. This effectively allows pinging arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.[2][3]

Traditionally, CSS tracking was (and still is) implemented as a limited fingerprinter, typically by enumerating installed fonts and checking window dimensions.[citation needed]

Either way, the attack has limitations, as caching avoids (no guarantee) repeated requests from happening.

Why it is a problem

This is an insidious practice, as CSS is widely believed to be "just a declarative styling language", even though it's practically Turing-complete.[4][5] Even privacy-minded users have this misconception, which makes them equally vulnerable to this class of tracking.[citation needed] Most people believe that simply disabling Javascript is enough. This attack breaks the expectation that HTML and CSS can only be used to make static/passive documents.

Examples

Some examples of CSS tracking include:

*
*
*

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.


References

  1. https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries
  2. https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense
  3. https://portswigger.net/research/inline-style-exfiltration
  4. https://lyra.horse/x86css/
  5. https://lyra.horse/css-clicker/
Retrieved from "https://consumerrights.wiki/index.php?title=CSS_tracking&oldid=52314"