Originally published at: https://boingboing.net/2019/05/07/chat-client-made-entirely-with.html
…
4 Likes
Agree completely. It is a total abomination and you do seem to love it.
4 Likes
Some people have way way way too much free time.
3 Likes
Gross
3 Likes
For being made with CSS you’d think it’d look nicer…
1 Like
At least the first part of that seems to be a common reaction, since I saw the headline, and literally my first thought was that I should leave a comment pointing out that it’s an abomination.
1 Like
Neat trick and abomination as it may be, I think this is the bigger take-home message:
It occurred to me that you can remotely monitor the cursor location without JS by using some CSS :hover selectors to change hidden background images (causing a GET request).
This should work on Tor as well and could be an interesting approach to tracking visitors.
2 Likes
There was a similar trick to leak the contents the browser history by exploiting the difference of style between visited and unvisited links. The takeaway, I think, was: always preload resources. This was more than 15 years ago.
Apparently we’ve learned nothing.
2 Likes
This is a relatively minor security hole, in that it can only leak information about mouse movements (not history or other state information beyond the scope of the current page) – and it’s a strict subset of what the server can already obtain if javascript is turned on – but it’s still a leak.
I guess the moral is “when scripting is disabled, UAs should (must) load all referenced resources immediately, and not reload them via HTTP while the page is displayed, regardless of cache expiry headers”.
This topic was automatically closed after 5 days. New replies are no longer allowed.
