You can do quite a bit of tracking with CSS by conditionally loading third party resources. Tracking pixels, loading different images on hover, active, focus, etc can effectively track users
The correct solution is enable a strict Content Security Policy (CSP) - so even when a user compromises your website with XSS/CSS they cannot extract any data they obtain. Note: this website has not configured a Content Security Policy :(
For example some controlled frameworks can even have CSS only keylogging https://css-tricks.com/css-keylogger/
The correct solution is enable a strict Content Security Policy (CSP) - so even when a user compromises your website with XSS/CSS they cannot extract any data they obtain. Note: this website has not configured a Content Security Policy :(