-
css_cache
A proof of concept for supercookie user tracking using CSS variables and the browser cache, making a user JSON object accessible in JavaScript. Potentially cross-site, but Chrome is now keying caches. Future to-do: look into web workers or iframe postMessage into a single cached domain.
-
uMatrix
Discontinued uMatrix: Point and click matrix to filter net requests according to source, destination and type
https://github.com/dillondoyle/css_cache
> disabling xhr is not possible
uMatrix can do it, I'm sure there are others
> fetch
fetch is a JavaScript API and covered by uMatrix's XHR setting[1].
> WebRTC
That can be disabled[2] and is also covered by uMatrix's XHR setting.
> iframes
Can be blocked in several ways, including the aforementioned uMatrix.
> At worst, this gives online tracking companies yet another tool in their toolbox
At worst CSS in the browser has had a CVE[3] and OWASP has some attacks[4] that seem old, but you know which of these have been fixed by all the browser vendors you use, right? Perhaps you've read this paper[5] on scriptless attacks and you know that all of these have been mitigated?
> The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website.
Even better, you have the faith that there will never be a repeat of these kinds of things and that no attackers will bother to go down this route in future. What part does faith have when deciding upon the risks of running things downloaded from untrusted sources?
Still, the anti-tracking is good enough reason for me.
> I am sure the boffins down at ublock are already working on detecting and mitigating this behaviour.
Let's hope so.
[1] https://github.com/gorhill/uMatrix/wiki/The-popup-panel#the-...
[2] https://www.ivacy.com/internet-privacy/disable-webrtc-leak/
[3] https://cve.circl.lu/cve/CVE-2011-0132
[4] https://owasp.org/www-community/xss-filter-evasion-cheatshee...
[5] https://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlich...
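
What "keying caches" in the css_cache description changes, shown as an added toy model that is not code from css_cache or from any browser. The hostnames, the stylesheet body and the single-component partition key (top-level site only) are assumptions made for illustration; real browsers use a richer key.

```javascript
// Added illustration: a toy model of an HTTP cache, not browser code.
// All hostnames and the response format are constructed for this example.
class ToyHttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  // Unpartitioned: the key is the resource URL alone.
  // Partitioned: the key also includes the top-level site doing the embedding.
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }
  fetch(topLevelSite, url, origin) {
    const k = this.key(topLevelSite, url);
    if (!this.store.has(k)) this.store.set(k, origin(url)); // cache miss
    return this.store.get(k);
  }
}

// Constructed origin server: every uncached request gets a fresh value
// inside a cacheable stylesheet.
function makeOrigin() {
  let next = 1;
  return () => `:root{--uid:"user-${next++}"}`;
}

// Bodies seen when two unrelated sites embed the same third-party URL
// in one browser profile, followed by a return visit to the first site.
function visitTwoSites(partitioned) {
  const cache = new ToyHttpCache(partitioned);
  const origin = makeOrigin();
  const url = "https://cdn.tracker.example/id.css";
  const onA = cache.fetch("https://site-a.example", url, origin);
  const onB = cache.fetch("https://site-b.example", url, origin);
  const backOnA = cache.fetch("https://site-a.example", url, origin);
  return { onA, onB, backOnA, linkedAcrossSites: onA === onB };
}

console.log("unkeyed:", visitTwoSites(false));
console.log("keyed:  ", visitTwoSites(true));
```

With the keyed cache the two sites no longer share an entry, but the value seen on the first site is still there on the return visit, so keying removes the cross-site link and leaves same-site persistence for content blocking or cache clearing to handle.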