CSS features allow real-time tracking
CSS features like :hover, :focus, and [value] queries in combination with background image changes allow for the collection of nearly every action a visitor makes on a web page in real-time without JavaScript. Aside from the obvious creep factor this could be used to fingerprint visitors. The attack can be implemented in third party CSS (CSS-XSS).
Proof of Concept: https://twitter.com/davywtf/status/1124146339259002881 Code for proof: https://gist.github.com/wybiral/c8f46fdf1fc558d631b55de3a0267771
Beyond simply fingerprinting based on browsing behavior an attacker could also determine the referring page based on the mouse position at page load.
Solutions to fix the problem would break some aesthetic functionality (i.e. no more :hover image changes) but at that cost it would be trivial to prevent.
Ideally we could eliminate all types of asset requests (e.g. image changes) in all types of pseudo-class selectors or prefetch all asset requests on page load. But that proposal sounds bigger than Tor Browser.
Trac:
Username: davywtf