CRW

Home Wiki

CSS tracking

View on consumerrights.wiki ↗

Work in progress
This article has been flagged for additional work. Treat its claims as provisional.
Stub
This article is a stub. The wiki community is still building it out.
Citations needed
Some claims in this article have not been independently sourced.
Verification concerns
Editors have raised concerns about the verifiability of one or more claims.
Contents4
  1. How it works
  2. Why it is a problem
  3. Examples
  4. References

Article Status Notice: This Article is a stub

This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼

Issues may include:

  • This article needs to be expanded to provide meaningful information
  • This article requires additional verifiable evidence to demonstrate systemic impact
  • More documentation is needed to establish how this reflects broader consumer protection concerns
  • The connection between individual incidents and company-wide practices needs to be better established
  • The article is simply too short, and lacks sufficient content

How you can help:

  • Add documented examples with verifiable sources
  • Provide evidence of similar incidents affecting other consumers
  • Include relevant company policies or communications that demonstrate systemic practices
  • Link to credible reporting that covers these issues
  • Flesh out the article with relevant information

This notice will be removed once the article is sufficiently developed. Once you believe the article is ready to have its notice removed, please visit the Moderator's noticeboard, or the Discord (join here) and post to the #appeals channel, or mention its status on the article's talk page.

CSS-based tracking and CSS fingerprinting consist of abusing the semantics of CSS, a styling language used to present virtually all web-pages, in order to trick web-browsers to send data to servers.

How it works

CSS can declare that certain resources/assets be used if certain conditions are met.[1] Since browsers implement lazy-loading, this means that assets will only be requested when the conditions are met. This effectively allows pinging arbitrary URLs when a client-side event happens. Instead of referencing a single endpoint for all events, each event can be associated to a different URL, allowing the tracking-"server" to gather more data about user behavior.[2][3]

Traditionally, CSS tracking was (and still is) implemented as a limited finger-printer, typically by enumerating installed fonts and checking window dimensions.[citation needed]

Either way, the attack has limitations, as caching avoids (no guarantee) repeated requests from happening.

Why it is a problem

Though CSS is widely believed to be "just a declarative styling system" with no practical compute power, it is actually a virtually Turing-complete programming language,[4][5] a fact which may leave even the most privacy-minded users vulnerable to tracking.[citation needed] This mode of attack breaks the common belief that HTML and CSS can only be used to make static/passive documents, whilst JavaScript represents the real "threat" to be countered through disabling.[citation needed]

Examples

Some examples of CSS tracking include:

*
*
*

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.


References

  1. https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Media_queries
  2. https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense
  3. https://portswigger.net/research/inline-style-exfiltration
  4. https://lyra.horse/x86css/
  5. https://lyra.horse/css-clicker/
Filed under