© 2025 科技回声. All rights reserved.

Crooked Style Sheeding – Webpage tracking using only CSS

532 points, by ProfDreamer, over 7 years ago

32 comments

kodablah, over 7 years ago
If you're concerned as a user of a malicious site:

* Link click tracking - So what, the site could route you through a server side proxy anyways
* Hover tracking - Can track movements of course, but doesn't really help fingerprinting. This is still annoying though and not an easy fix
* Media query - So what, user agent gives this away mostly anyways
* Font checking - Can help fingerprinting... browsers need to start restricting this list better IMO (not familiar w/ current tech, but would hope we could get it down to OS-specific at the most)

If you're concerned as a site owner that allows third party CSS:

* You should have stopped allowing this a long time ago (good on you, Reddit [0], though things like this weren't one of the stated reasons)
* You have your Content-Security-Policy header set anyways, right?

Really though, is there an extension that has a checkbox that says "no interactive CSS URLs"? I might make one, though still figuring out how I might detect/squash such a thing. EDIT: I figure just blocking url() for content and @font-face.src would be a good compromise not to break all sorts of background images for now.

0 - https://www.reddit.com/r/modnews/comments/66q4is/the_web_redesign_css_and_mod_tools/
Angostura, over 7 years ago
Who's going to be first to make the 'I always browse the Web with CSS disabled' post?
chatmasta, over 7 years ago
I don't see what's problematic about this. The tracking is not really done in CSS, so much as on the server. You could accomplish the same thing with 1x1 images, or loading any remote resource. Effectively the only difference is you're loading the URL conditionally via CSS, as opposed to within a `<script>` or `<img>` tag. Furthermore, this can be blocked in the same way as any tracking URL.

I concede this is a novel way of fingerprinting the browser from within the client, without using JS. However, I think a better way to describe this would be "initiating tracking on the frontend without the use of javascript."
antibland, over 7 years ago
About 8 years ago, a colleague and I interviewed a nervous kid fresh from undergrad. He was applying for a junior front-end position at our fast-growing startup. Dressed in a shiny, double-breasted suit and wingtip shoes, he followed us into a tiny office (space was so limited) where we conducted interviews.

"Tell us about your CSS experience," we asked him.

"Ah, yes. I, well, haha, of course. The CSS is where you make your calls, to the database, ah, server, ah, of course."

Unsurprisingly, we did not hire the applicant, though his answer to our question lived on in infamy for many years. But all that changed, today, reading this. The joke was on us. That kid was clearly from a future of which we had no awareness. Starting today, I'll always trust programmer applicants donning double-breasted suits.
shove, over 7 years ago
Reminds me of similar techniques that could be used several years ago to sniff browser history via a collection of a:visited rules.
andrewmcwatters, over 7 years ago
Any part of a browser that can make a request can be used to do this sort of thing. Any part of a browser that can alter the view and its related DOM attributes can cause a user to interact with it and give up data involuntarily.

Turn off JavaScript and CSS media queries can cause resources to load based on a number of parameters. Have canvas enabled and you can be fingerprinted. Use one browser over another and get feature detected. Anchor states give away browsing history. Hell, even your IP address sacrifices privacy, and that's before the page gets rendered.

So with that being said, if you're browsing the web, you're giving up information.
globuous, over 7 years ago
Very smart! This is a few lines of code away from a CSS class based mini tracking framework...

Aside from the obvious, this could also be used as a fallback (restricted) A/B testing for no-JS users? I'm thinking data about just what was hovered, clicked, and media query allows for some basic UI testing of responsive websites.
secdewd11, over 7 years ago
This doesn't mention my personal favorite CSS tracking trick, timing attacks that can be used to detect what sites you have loaded. This can be done by interweaving requests to a remote URL (say background-image) with requests to your server script, which times these differences.
SimeVidas, over 7 years ago
But how many users disable JavaScript in their browser to prevent tracking? And is the fact that a website can track all your clicks and mouse movements a privacy/security issue to begin with? Isn't it by design that the website you're visiting can track you?
EldonMcGuinness, over 7 years ago
Call me naive but, as a dev, I don't see why this would be any better than using JS. The group of people that block JS is likely to do the same for this and, as mentioned by others, common sources of such mucking are blocked by a good ad blocker.

Then, there is the whole "how could it be integrated into an existing site with minimal fuss" issue. With JS you can specify targets and the like for actions and observations; the only comparable thing would be to offer sass / less integration so that it works with clients that disable or block JS, which is arguably much more difficult.

While it is definitely clever, I just don't see a practical use for it. It would really only benefit those willing to put the work into using it and only work so long as their logging URL is available and not blocked. I just don't see the real value.
mistersquid, over 7 years ago
At least in Safari 11.0.2 (macOS 10.12.6) link tracking does not work. The selector

    #link2:active::after

appears to always exist in Safari 11.0.2 ("active" is being disregarded).

I clicked on none of those links, I have never visited google.de, but the results.php page told me all 3 links had been clicked.

EDIT: formatting, remove word.
Raphmedia, over 7 years ago
Alright lads, let's all go back to RSS feeds and scrap that whole "browser" experiment.
asadlionpk, over 7 years ago
Interesting trick. But I think ad blockers block requests to entire tracking domains. So even CSS calls would be blocked?
petercooper, over 7 years ago
I'm surprised browsers wouldn't prefetch stuff like this given it's an easy performance win. Which would then also make these stats useless.
Trufa, over 7 years ago
Very interesting, it's always intriguing to see how much of a cat and mouse game this privacy stuff is. I'm always thinking that this needs an overhaul and a slightly different approach altogether; sadly I can't produce any viable solutions.

With huge and complex issues like this I don't think we have to find one solution but rather point in the right direction, but I'm not even sure we're doing that.
expertentipp, over 7 years ago
This is where the talent, funds, and resources will go, as ads and marketing are industries with lots of funding available. Even more tracking, and of an even more pervasive kind. We hate tracking while we bet our time and money on it. The web is cancelled, go back home everyone.
rhn_mk1, over 7 years ago
Is there a way to turn off CSS media queries in Firefox, or fake their conditions? Apart from the security issues, it's plain annoying when the page layout will change completely because a few pixels of window size are missing for the perfect experience.
en-us, over 7 years ago
Well, this is depressing.
john-aj, over 7 years ago
This could easily be stopped by a change in browser behavior. If web browsers contacted every address specified with `url()` automatically on page load, without considering the conditions, this type of conditional request would be impossible.

Conceivably, you could solve it through a simple browser extension that looks through all of the page's stylesheets and calls all URLs present in the CSS before the page is rendered.

In an ideal implementation, though, URLs dependent on "static", non-identifiable conditions, such as an image with `display: none`, would be left alone.
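kodablah's "block url() in content and @font-face src", john-aj's "contact every url() at load, but leave static ones alone", Someone's "prefetch a fraction at random" and talmand's point about @supports probing all depend on the same first step: enumerate every url() in a stylesheet and decide whether its fetch is conditional on the user or on the client environment. The scan below is an added example, not code from the thread or from the Crooked Style Sheets project; it runs under Node.js with no dependencies. The sample stylesheet, the tracker.example host, the track.php paths and the suggestedAction policy are constructed for this example.

```javascript
// Added example (not from the HN thread or the project it discusses): find every
// url() in a stylesheet and flag the ones whose fetch depends on user interaction
// (:hover, :active, ...) or on the client's environment (@media, @supports,
// @font-face whose local() source may satisfy the request first).

const INTERACTION_PSEUDO = /:(hover|active|focus|focus-within|visited|checked|target)\b/;
const CONDITIONAL_AT_RULES = /^@(media|supports|font-face|container)\b/;
const URL_RE = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/g;

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Record every url() inside one declaration block (or one top-level statement).
// `stack` holds the enclosing selectors / at-rule headers, outermost first.
function recordUrls(block, stack, results) {
  URL_RE.lastIndex = 0;
  let m;
  while ((m = URL_RE.exec(block)) !== null) {
    const url = (m[1] ?? m[2] ?? m[3] ?? "").trim();
    if (!url) continue;
    // Property name: text between the previous ';' and the ':' before this url().
    const before = block.slice(0, m.index);
    const decl = before.slice(before.lastIndexOf(";") + 1);
    const colon = decl.indexOf(":");
    const property = (colon >= 0 ? decl.slice(0, colon) : decl).trim().toLowerCase();

    const reasons = [];
    for (const ctx of stack) {
      if (CONDITIONAL_AT_RULES.test(ctx)) reasons.push(ctx.split(/\s/)[0]);
      const pseudo = INTERACTION_PSEUDO.exec(ctx);
      if (pseudo) reasons.push(":" + pseudo[1]);
    }
    // `@import url(x.css) screen and (...)` is conditional on its media list.
    if (property === "@import" && block.slice(m.index + m[0].length).trim()) {
      reasons.push("@import media");
    }
    results.push({
      url,
      property,
      context: stack.join(" > ") || "(top level)",
      conditional: reasons.length > 0,
      reasons,
    });
  }
}

// Walk the stylesheet, tracking the nesting of selectors and at-rules.
// This is a brace/semicolon tokenizer, not a full CSS parser.
function scanStylesheet(css) {
  const text = stripComments(css);
  const stack = [];
  const results = [];
  let buf = "";
  for (const ch of text) {
    if (ch === "{") {
      stack.push(buf.trim());
      buf = "";
    } else if (ch === "}") {
      recordUrls(buf, stack, results);
      buf = "";
      stack.pop();
    } else if (ch === ";" && stack.length === 0) {
      recordUrls(buf, stack, results); // top-level statement, e.g. @import url(...);
      buf = "";
    } else {
      buf += ch;
    }
  }
  return results;
}

// Constructed policy combining the mitigations proposed in the thread:
//  - block:    url() in `content` or in @font-face `src` (kodablah's compromise);
//  - prefetch: other conditional references are fetched unconditionally at load,
//              so the request no longer carries a signal (john-aj, Someone);
//  - allow:    unconditional references are no different from an <img>.
function suggestedAction(entry) {
  if (entry.property === "content" || entry.reasons.includes("@font-face")) return "block";
  if (entry.conditional) return "prefetch";
  return "allow";
}

function summarize(css) {
  const entries = scanStylesheet(css);
  const counts = { allow: 0, prefetch: 0, block: 0 };
  for (const e of entries) counts[suggestedAction(e)]++;
  return { total: entries.length, ...counts };
}

// Constructed sample stylesheet mirroring the techniques discussed in the thread.
const SAMPLE_CSS = `
/* link-click and hover tracking: fetched only while the selector matches */
#link2:active::after { content: url("https://tracker.example/track.php?action=link2_clicked"); }
#hero:hover::after { content: url(https://tracker.example/track.php?action=hero_hovered); }
@media screen and (max-width: 600px) {
  body { background-image: url("https://tracker.example/track.php?mq=small"); }
}
@supports (-webkit-appearance: none) {
  #probe { background-image: url('https://tracker.example/track.php?engine=webkit'); }
}
@font-face {
  font-family: "ProbeFont";
  src: local("Helvetica"), url("https://tracker.example/track.php?font=helvetica");
}
.logo { background: url(/static/logo.png) no-repeat; }
`;

for (const e of scanStylesheet(SAMPLE_CSS)) {
  console.log(`${suggestedAction(e).padEnd(8)} ${e.property.padEnd(16)} ${e.url}  [${e.context}]`);
}
console.log(summarize(SAMPLE_CSS));
```

Run it with node; each line names the reference, the selector/at-rule chain it sits under, and the action the policy assigns. The scan deliberately treats every url() inside @font-face as conditional, since a preceding local() source can stop the fetch, and it does not follow @import to fetch nested sheets; an extension built on it would have to run the same scan over each imported stylesheet.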
nukeop, over 7 years ago
The obvious solution is to block the server-side pages that the CSS elements link to. This kind of tracking can be mitigated the same way any other kind of tracking is already handled by uBlock or uMatrix.
Quagga, over 7 years ago
I think it is time to split the web into:

* user and machine readable content (text with hyperlinks, pictures, audio, video, rest)
* universal app store (javascript, css, intents, permissions...)

Every user could consume or style content as he wishes. If my IDE has a dark theme, I want all web pages to have a dark theme. Why do I need javascript to read news or browse pictures?

If a user wants to install an app from the app store, he should accept the software license and give permissions to that application.
talmand, over 7 years ago
This is an interesting concept, but I'm not seeing anything that couldn't already be done with a properly set up website and server logging.

Things like "@supports (-webkit-appearance:none)" don't give you Chrome detection. It gives you webkit detection, which is a rather large subset of the whole. Plus some of the other browsers started supporting webkit prefixes.
Someone, over 7 years ago
"Interesting is, that this resource is only loaded when it is needed (for example when a link is clicked)."

The resource is retrieved using GET, so I wouldn't think that is required by the http standard. If so, browsers can mitigate this kind of attack by pre-fetching these resources (even pre-fetching a fraction at random already might be enough).

It is a neat hack, though.
Tepix, over 7 years ago
Do browsers really need to allow fetching URLs in the "after" event of a link?
daxaxelrod, over 7 years ago
Tracking seems to only really be server side. The CSS just dispatches requests with qs params. Probably not an ideal production tracking solution, as it severely limits the data you can send back for better analytics.
jwilk, over 7 years ago
What's "sheeding"?
keypress, over 7 years ago
How does 'check spelling as you type' work: via a dictionary that is previously downloaded, or is this an online service that leaks all/or some of your key presses?
bradyholt, over 7 years ago
Nice POC! I love the project name :)
madez, over 7 years ago
The demo shows that this technique doesn't work for "Privacy Browser" on Android. It can be obtained from F-Droid.
lozzo, over 7 years ago
Very good. I wonder if somebody really needs this.
JepZ, over 7 years ago
Wow, CSS is the new JS :D
throwawazqq, over 7 years ago
A lot of CSS is fluff masking low information content. Turning off CSS helps me not have to page down x times to see a noncathartic one-liner.