

Some harmless, old-fashioned fun with CSS - spindritf
http://lcamtuf.blogspot.com/2013/05/some-harmless-old-fashioned-fun-with-css.html

======
mattdw
"Sorry, this game works only in Firefox and Chrome."

Welcome back to 1998. For the record, it works fine in Safari too. Why do
people even do this?

~~~
kevingadd
Modern Safari is impossible to test against without buying a Mac ever since
Apple stopped releasing current nightlies. (Running Safari 6 in a VM isn't
adequate since it disables WebGL and changes some other behaviors.)

~~~
mistercow
That is false. There are plenty of inexpensive services that let you use an
in-browser remote desktop client to test against many different web browsers,
including Safari.

~~~
kevingadd
I just told you why those don't work. They don't have a real GPU so WebGL and
other features don't work or don't behave like a real Mac. Try it yourself
against a website that uses modern HTML5 features. Same goes for audio.

~~~
mistercow
But this doesn't use WebGL or audio, and in fact runs perfectly well in a VM,
so what exactly is your point?

Also, "modern HTML5 features" covers plenty of things that work well without a
GPU. It is only a tiny set of features that do not work. For the vast majority
of modern sites, testing via a VM works just fine.

------
comex
This is very cute, but I think the CAPTCHA attack it cites is more
interesting: a CAPTCHA can be inserted just about anywhere without raising
undue alarm, CSS allows the text to be warped almost (if not exactly, with CSS
shaders) like a real, image-based, CAPTCHA, and the user directly types back
what was seen rather than the site having to guess based on performance on an
asteroids game.

~~~
ygra
Even if text is not warped, I doubt users are concerned. Some CAPTCHAs are
better than others, some warp the text more than others, so unwarped letters
do not necessarily stand out.

------
jenius
Wait, how is he doing this? Wish there was a tiny bit more explanation in the
post...

~~~
gmurphy
CSS lets you color links based on whether the user has visited them or not.

Most of the Asteroids in the game are links - they use those same CSS rules to
color themselves based on whether you've visited them or not.

Script on the page can't tell what color the asteroids are, but it can tell
what asteroids you've clicked on. By making the visited-link color the same as
the background color of the webpage, we get the user to give away the color of
the links, because they'd only be clicking on the links that they can see -
the ones with a color different to the background.

~~~
chm
Thanks, that was a clearer explanation than his. Nifty.

Btw, why do they want to do this?

~~~
bigiain
Real life example - back when the CSS history snooping trick still worked, a
travel site I worked on used to offer additional discounts to people who'd
visited competitor sites that we knew were beating our regular pricing.

------
sbierwagen
<http://i.imgur.com/2fhLhPF.png>

That's cute.

~~~
DuskStar
I got the same, and I'm relatively sure I've visited Facebook and Twitter at
least once...

~~~
tlarkworthy
Yeah, it said I did not visit <http://www.facebook.com/home.php> when I have,
and I shot all asteroids.

~~~
zeckalpha
https?

------
GhotiFish
Read that paper linked by the article.

Those attacks look so fun! I like the LCD attack in particular.

------
nijk
I hope this demo doesn't send any data back to a server, or else, Hello FBI.

------
chewxy
It tells me I need a higher resolution screen. Bummer. Guess my tiny bedside
netbook is safe then.

