[RunSet]

> Why do we need all this when we have JavaScript?

In practice, mostly so google can still invade the privacy of users after they disable javascript.

No user ever asked for this.

[shepherdjerred]

No user ever asked for any of these APIs or technologies, but that doesn't mean they can't be useful to developers.

[matheusmoreira]

How can CSS be abused to invade our privacy?

[vinnymac]

I can think of a few ways, but here is an example where CSS triggers a request to track a user: https://underjord.io/is-this-evil.html

[matheusmoreira]

The reason the server can track who is hovering over links is the browser apparently requests the background image only when the interaction happens. I certainly didn't expect that!

This seems to be an example of browser optimization leaking private information. There's an obvious way to fix that: deoptimize. Instead of lazily downloading resources as they are needed, request all the linked resources when the page loads, and do it only once. Now they can't tell whether the requests were due to user interaction or just normal browser behavior.

I wonder if uBlock Origin can deal with this. I know it's got a lot of options for blocking weird information leaks like this, webfonts being an example. Firefox also has fingerprinting resistance, I wonder if it resists this.