You may be running some hotrodded addon suite that blocks the various attack vectors which the modern web likes to throw at you. But are you blocking quite enough? A colleague and I exchanged thoughts on the best defaults for which web resources to deny and he was surprised to learn that I even strip the style sheets (CSS) out of visited web pages.
Wybiral highlighted some use cases for this:
- Motion (gait) analysis is an active field of research
- People use different resting positions for the cursor
- Identifying mouse motion vs touchpad should be possible
- Can give insight into other behavioral traits of visitors
Similarly, it had been possible to fingerprint and gather a visitor’s related browsing history through the :visited selector. Browsers have since implemented mitigations (spoofing values) but there remain so many other ways to fingerprint users through CSS. Such as techniques using background images or fonts, in which the browser is instructed to request a completely unique asset from the site server. Oliver Brotchie elaborates:
Or such as by gathering canvas information, browser information and other metrics, for which author ‘jbtronics’ explains the only possible defenses:
What you can do to prevent tracking with this method? … is to disable CSS for a web page completely, you can do this via browser settings or with plugins like uMatrix (currently unmaintained), CSS Toggler (currently unmaintained), Stylus or uBlock.
Or exfiltrating user input (and doubtlessly more to come!). Mike Gualtieri, who penned these methods, refers to extensions as a possible defense:
Just a quick note: The CSS Exfil Protection Addon currently leaks requests for 3rd party stylesheets from behind blockers like uBlock Origin.
If you have the time, please consider reading through, in full, the excellent material that these researchers have produced. As the style sheet standard continues to get extended, we can only anticipate that the attack surface it presents will follow suit. At this point, I don’t trust anything without at least some layer of isolation and verification.
I suggest simply blocking CSS outright. It really isn’t much of a nuisance considering the majority of the time one spends on the web is just reading text. With style sheets stripped away, some sites will render large SVGs that fill your screen. You can either disable SVGs (in Firefox derived browsers that is at svg.disabled=true) or just scroll down to about 80% to the bottom and the textual content can almost always be found there. I basically only ever enable CSS on sites which I have used for a long time and have built a trustworthy rapport.