Open Bug 1743305 Opened 3 years ago Updated 2 years ago

Pure CSS browser fingerprinting and cross-origin CSS 'supercookie'.

Categories

(Core :: CSS Parsing and Computation, defect)

Firefox 96
defect

UNCONFIRMED

People

(Reporter: o.brotchie, Unassigned)

Details

(Keywords: privacy, testcase)

Steps to reproduce:

I have found a method of exfiltrating a browser, device and font fingerprint using only CSS. I have also found a cross-origin CSS 'supercookie' that can only be removed by clearing the browser cache.

Methodology here: https://github.com/OliverBrotchie/CSS-Fingerprint

Actual results:

Demonstration: https://csstracking.dev/fingerprint

Component: Untriaged → CSS Parsing and Computation
Keywords: privacy, testcase
Product: Firefox → Core

So this is not particularly about the CSS implementation, but about how we treat some loads that redirect using a 308 status, right?

In particular, that's the background-image: url("http://127.0.0.1:8000/some/url/308") in the example, right?

Seems like the issue is that that request isn't partitioned by origin? Or maybe that the requester origin is the stylesheet's origin rather than the final page's origin?

I think the relevant request would be this one where we indeed use data.Principal() as the loading / triggering principal, which is indeed the stylesheet's principal. Maybe we should use the document's principal instead...

(In reply to Emilio Cobos Álvarez (:emilio) from comment #1)

> So this is not particularly about the CSS implementation, but about how we treat some loads that redirect using a 308 status, right?

The number of characteristics that can be fingerprinted using CSS is not overly worrying, but the 308 status definitely is.
Even if you were to partition it by origin, when cookies and JavaScript are disabled this will still act as a unique identifier.

If we partition it by origin the identifier would only be unique for a single origin, so you can't use it to track users across origins, right?

(In reply to o.brotchie from comment #2)

> Even if you were to partition it by origin, when cookies and JavaScript are disabled this will still act as a unique identifier.

That's the purview of fingerprinting protection, such as the layout.css.font-visibility protections or RFP.

emilio, we should consider any partitioning here to also include FPI for Tor Browser

Flags: needinfo?(sysrqb)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)

> If we partition it by origin the identifier would only be unique for a single origin, so you can't use it to track users across origins, right?

Yes, that is correct.

Flags: needinfo?(sysrqb)
Severity: -- → S3
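The thread above turns on one question: under which key does the browser cache the 308 redirect that the stylesheet's background-image triggers? The following toy model is an added example, not code from the bug report, from Firefox, or from the linked CSS-Fingerprint repository; the hosts, URLs and ids in it are constructed. It keeps one HTTP cache for a whole browsing session and lets you switch the cache key between plain URL, (stylesheet origin, URL) as comment #1 suspects happens when the stylesheet's principal is used, and (top-level site, URL) as comment #3 proposes, so you can see which policy actually stops the id from being observed across sites.

```python
import itertools

# Constructed names; none of these hosts appear in the bug report.
TRACKER = "http://tracker.example"
SHEET_ORIGIN = "http://cdn.example"            # origin serving the shared stylesheet
REDIRECT_URL = TRACKER + "/some/url/308"       # background-image URL inside the sheet


class RedirectServer:
    """Constructed server: every uncached hit on the /308 URL answers with a
    308 redirect to a fresh id-bearing URL. A 308 is a cacheable permanent
    redirect, so once the browser holds it the same Location is replayed from
    cache without asking the server again. That is why neither disabling
    cookies/JavaScript nor reloading removes the id; only clearing the cache does."""

    def __init__(self):
        self._ids = itertools.count(1)

    def get(self, url):
        if url == REDIRECT_URL:
            return 308, f"{TRACKER}/id/{next(self._ids)}"
        return 200, url


class BrowserCache:
    """Minimal HTTP cache whose key depends on a partitioning policy:
    'none'       - keyed by URL only (the behaviour the report exploits)
    'stylesheet' - keyed by (stylesheet origin, URL); the sheet is the same on
                   every site, so this does not separate top-level sites
    'document'   - keyed by (top-level site, URL), i.e. the embedding document's
                   site rather than the stylesheet's principal
    """

    def __init__(self, policy):
        assert policy in ("none", "stylesheet", "document")
        self.policy = policy
        self._store = {}

    def _key(self, url, sheet_origin, top_level_site):
        if self.policy == "stylesheet":
            return (sheet_origin, url)
        if self.policy == "document":
            return (top_level_site, url)
        return url

    def fetch(self, server, url, sheet_origin, top_level_site):
        """Return the final URL the request resolves to, consulting the cache first."""
        key = self._key(url, sheet_origin, top_level_site)
        if key not in self._store:
            status, location = server.get(url)
            self._store[key] = location if status == 308 else None
        target = self._store[key]
        return target if target is not None else url


def observed_ids(policy, visits):
    """Id URL the tracker sees for each top-level-site visit in one session
    (one server, one browser cache, the same stylesheet on every site)."""
    server, cache = RedirectServer(), BrowserCache(policy)
    return [cache.fetch(server, REDIRECT_URL, SHEET_ORIGIN, site) for site in visits]


def is_cross_site_identifier(policy):
    """True when two different top-level sites observe the same id."""
    a, b = observed_ids(policy, ["https://site-a.example", "https://site-b.example"])
    return a == b


if __name__ == "__main__":
    visits = ["https://site-a.example", "https://site-b.example", "https://site-a.example"]
    for policy in ("none", "stylesheet", "document"):
        print(policy, observed_ids(policy, visits), is_cross_site_identifier(policy))
```

Keying by the stylesheet's origin behaves exactly like no partitioning at all, because the shared stylesheet carries the same origin wherever it is embedded. Keying by the embedding document's top-level site gives site A and site B different ids while keeping the id stable across repeat visits to the same site, which is the "unique for a single origin" outcome comment #3 describes; the within-site stability is what fingerprinting protections such as RFP have to address separately.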