CSS tracking

CSS-based tracking and CSS fingerprinting consist of abusing the semantics of CSS, a styling language used to present virtually all web-pages, in order to trick web-browsers to send data to servers.

CSS can declare that certain resources/assets be used if certain conditions are met.^[1] Since browsers implement lazy-loading, this means that assets will only be requested when the conditions are met. This effectively allows pinging arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.^[2][3]

Traditionally, CSS tracking was (and still is) implemented as a limited finger-printer, typically by enumerating installed fonts and checking window dimensions.^{[citation needed]}

Either way, the attack has limitations, as caching avoids (no guarantee) repeated requests from happening.

Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a virtually Turing-complete programming language,^[4][5] a fact which may leave even the most privacy-minded users vulnerable to tracking.^{[citation needed]} This mode of attack breaks the common belief that HTML and CSS can only be used to make static/passive documents, whilst JavaScript represents the real "threat" to be countered through disabling.^{[citation needed]}