Crooked Style Sheets is a new Browser fingerprint method which is not depending on JavaScript, there is currently no protection against this new CSS trick. A source code can be found here.

Crooked Style Sheets Test Page

How does the new fingerprint work?

The new proof of concept not requires JavaScript and works via CSS, even this can reveal some information like which font you use or which Browser you used by visiting the page. The basic concept is that Stylesheets loads different URLs depending on various conditions which then sending information like what you clicked back to the server.


There is currently no protection or addon which protects you against this new fingerprinting technique but I’m sure there already working on it, it’s unclear if it’s already used in the wild but the bad guys will not sleep to abuse this new kind of trick to obtain some useful information.

There is a demo page here which shows some basic techniques to gain some information such as which font you use or if you clicked a link.

crooked-css-ec645a6fbb4674a2How big is the risk?

It’s not as big as other fingerprinting methods, the Demo pages uses session-cookies to bring the URLs server side together but some smart people might find a way to do this directly over the IP and timestamp.

This is btw not the first time that CSS was abused, but currently every browser blocks older attacks like the CSS history hack.