Pure CSS browser fingerprinting and cross-origin CSS 'supercookie'.
Component: Core :: CSS Parsing and Computation (defect)
Reporter: o.brotchie (Unassigned)
Keywords: privacy, testcase
Steps to reproduce:
I have found a method of exfiltrating a browser, device and font fingerprint using only CSS. I have also found a cross-origin CSS 'supercookie' that can only be removed by clearing the browser cache.
Methodology here: https://github.com/OliverBrotchie/CSS-Fingerprint
Actual results:
Demonstration: https://csstracking.dev/fingerprint
Comment 1•3 years ago (Emilio Cobos Álvarez [:emilio])
So this is not particularly about the CSS implementation, but about how we treat some loads that redirect using a 308 status, right?
In particular, that's the background-image: url("http://127.0.0.1:8000/some/url/308") in the example, right?
Seems like the issue is that that request isn't partitioned by origin? Or maybe that the requester origin is the stylesheet's origin rather than the final page's origin?
I think the relevant request would be this one where we indeed use data.Principal() as the loading / triggering principal, which is indeed the stylesheet's principal. Maybe we should use the document's principal instead...
Comment 2•3 years ago (Reporter: o.brotchie)
(In reply to Emilio Cobos Álvarez (:emilio) from comment #1)
> So this is not particularly about the CSS implementation, but about how we treat some loads that redirect using a 308 status, right?
The number of characteristics that can be fingerprinted using CSS is not overly worrying but the 308 status definitely is.
Even if you were to partition it by origin, when cookies and JavaScript are disabled this will still act as a unique identifier.
Comment 3•3 years ago (Emilio Cobos Álvarez [:emilio])
If we partition it by origin the identifier would only be unique for a single origin, so you can't use it to track users across origins, right?
Comment 4•3 years ago
(In reply to o.brotchie from comment #2)
> Even if you were to partition it by origin, when cookies and JavaScript are disabled this will still act as a unique identifier.
That's the purview of fingerprinting protection - such as layout.css.font-visibility protections or RFP.
emilio, we should consider any partitioning here to also include FPI for Tor Browser.
Comment 5•3 years ago (Reporter: o.brotchie)
(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)
> If we partition it by origin the identifier would only be unique for a single origin, so you can't use it to track users across origins, right?
Yes, that is correct.
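As an added illustration of the point settled in comments 3 and 5 (this is not code from the bug report or from the linked CSS-Fingerprint project), the model below keeps a browser with no cookies and no script, only an HTTP cache, and a hypothetical tracking endpoint that answers the first fetch with a cacheable 308 redirect carrying a fresh identifier. The server, the `tracker.example` URL and the `site-a` / `site-b` top-level sites are constructed for the example. Keying the cache by URL alone lets both sites observe the same identifier; keying it by (top-level site, URL) confines the identifier to one site, and in both cases it only changes when the cache is cleared.

```python
from itertools import count


class TrackerServer:
    """Hypothetical tracking endpoint (constructed for this example). The first
    fetch of a URL ending in /308 gets a cacheable 308 redirect whose Location
    carries a freshly minted identifier; any other URL is a plain 200."""

    def __init__(self):
        self._next_id = count(1)

    def handle(self, url):
        if url.endswith("/308"):
            ident = next(self._next_id)
            return {"status": 308, "location": f"{url}?id={ident}", "cacheable": True}
        return {"status": 200, "cacheable": False}


class Browser:
    """Minimal browser model: no cookies, no script, only an HTTP cache. With
    partitioned=True the cache key includes the top-level site that triggered
    the load, the kind of partitioning discussed in comments 3 and 5."""

    def __init__(self, server, partitioned):
        self.server = server
        self.partitioned = partitioned
        self.cache = {}

    def _key(self, top_level_site, url):
        return (top_level_site, url) if self.partitioned else url

    def load(self, top_level_site, url):
        """Fetch url the way a background-image load would and return the final
        URL that gets requested, i.e. what the tracker can observe."""
        key = self._key(top_level_site, url)
        resp = self.cache.get(key)
        if resp is None:
            resp = self.server.handle(url)
            if resp["cacheable"]:
                # The 308 is stored, so later loads never reach the network.
                self.cache[key] = resp
        if resp["status"] == 308:
            return resp["location"]
        return url

    def clear_cache(self):
        self.cache.clear()


TRACK_URL = "http://tracker.example/some/url/308"  # constructed for the example


def identifier(final_url):
    """Extract the id the tracker learns from the redirected request."""
    return final_url.rsplit("id=", 1)[1]


def observed_ids(partitioned):
    """Identifiers seen when site-a loads the tracker twice and site-b once."""
    browser = Browser(TrackerServer(), partitioned)
    a_first = identifier(browser.load("https://site-a.example", TRACK_URL))
    a_second = identifier(browser.load("https://site-a.example", TRACK_URL))
    b_first = identifier(browser.load("https://site-b.example", TRACK_URL))
    return a_first, a_second, b_first


def ids_around_cache_clear(partitioned):
    """The identifier persists until the cache is cleared, matching the report's
    observation that it survives disabling cookies and JavaScript."""
    browser = Browser(TrackerServer(), partitioned)
    before = identifier(browser.load("https://site-a.example", TRACK_URL))
    browser.clear_cache()
    after = identifier(browser.load("https://site-a.example", TRACK_URL))
    return before, after


if __name__ == "__main__":
    for partitioned in (False, True):
        label = "partitioned" if partitioned else "unpartitioned"
        print(label, observed_ids(partitioned), ids_around_cache_clear(partitioned))
```

Unpartitioned, all three loads yield the same identifier; partitioned, site-b gets a different one while site-a still sees a stable value, which is exactly why partitioning stops cross-origin tracking but, as comment 4 notes, leaves within-site identification to fingerprinting protections. A real browser's partition key is richer than this two-tuple; the model only shows the effect of including the top-level site at all.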