[MrJohz]

The browser does follow your settings, and it doesn't necessarily directly tell the website what's going on. The problem is that the website can observe a lot of things indirectly.

For example, with the dark mode/light mode "attack", the browser will download the necessary HTML and CSS in as unidentifiable a way as possible, but then it needs to render that for your machine. But the CSS file might contain a media query line that says something like "if the user wants dark mode, load this dark image as a background for this element". And to correctly respond to the query, the browser then needs to send another request to the server to download that image, that effectively indicates whether the user is using dark mode or not.

This principle can be used to detect a lot of your user settings. For example, your zoom level will effectively change how wide the browser window appears to be from the perspective of a CSS file*, which means that it's possible to use more media queries to detect that. Likewise a lot of accessibility queries like prefers-reduced-motion, while really useful for many people, can be used alongside other information to create your unique browser fingerprint.

This is just with HTML and CSS. If you add Javascript to the mix, it's even easier to fingerprint you based on various settings.

* there are technically other ways of performing zooming that wouldn't necessarily be visible, but they have poor usability. For example, you could have the classic PDF-style zoom where the PDF is rendered in a fixed size, and the user simply views a small, viewport-sized portion of the file. But this is a pain if you want to read text that's wider than your screen, because now you need to scroll back and forth. The browser approach allows text to be reflowed to match the viewport width, but this reflow will always be observable, and therefore can always contribute to a fingerprint.

[pdonis]

> The problem is that the website can observe a lot of things indirectly.

If the browser insists on doing those things, yes. But why does the browser have to do that?

For example, if I set privacy.resistFingerprinting = true, why can't the browser just locally have a "light mode" and a "dark mode" that does the best it can to render the site locally in those modes without making any additional requests that it didn't already make for the default version of the page? Yes, I'm sure the website designer has lots of wonderful stuff to customize the look and feel in those modes--and I might like that if I could be sure that the website wasn't also using that stuff to fingerprint me. But if I'm telling my browser to resist fingerprinting, clearly I don't trust that website, so why would I want all of its customizations for light mode/dark mode?

[MrJohz]

Sorry, I didn't see this earlier. The problem is that it's very difficult to determine what properties are observable for fingerprinting purposes. I used the background image as an example because it's very simple, but you can also trigger requests in more obscure ways. For example, you could have a lazy-loaded image in the rendered HTML - the image will only be loaded if the user's viewport contains the image. Then you create a rule where if the user is using dark mode, the element immediately before the image becomes really long, forcing the image off the screen. Now, if the user loads the website and doesn't immediately also load the image, you know that they were using dark mode.

Alternatively, everywhere where you have a link, you could have one link for each combination of bits that you want to send to the backend. Then using CSS, you can hide or display this links so that only one version of each link is displayed at a time, and then monitor what gets clicked. If the user clicks the link that says `/?dark-mode=true&orientation=vertical`, you now know two extra bits of information.

This is obviously all excluding Javascript, which can just read this information straight out and use it.

The problem ends up being that there's so many different (and often valid) ways to customise a website that it's very difficult to limit these customisations to only the "safe" ones. Even if the only properties I was allowed to use were colour/background-color, I'm sure I could come up with some sort of way to use them to convey information. So the only safe option here is to turn off the customisations altogether. Yes, it's still possible to track if a user is using light mode or not, but now they're all using light mode, so that bit of information becomes useless.