Crooked Style Sheets

Crooked Style Sheets is a proof of concept for website tracking/analytics using only CSS and without JavaScript.

What can we do with this method?

We can gather some basic information about the user, like the screen resolution (when the browser is maximized) and which browser (or engine) is used. Further, we can detect whether a user opens a link or hovers with the mouse over an element. This can be used to track which (external) links a user visits and, using the hover method, it should even be possible to track how the user moved their mouse (using an invisible table of fields in the page background). However, using my method it’s only possible to track when a user visits a link for the first time or hovers over a field for the first time. Maybe it’s possible to modify the method so that every click can be tracked.

Furthermore, it is possible to detect whether a user has installed a specific font. Based on this information it should be possible to detect which OS a user uses (because different operating systems ship different fonts, e.g. “Calibri” on Windows).
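As an added, defender-side example (not code from the original post or from the Crooked Style Sheets project), here is a small Python checker that flags the CSS constructs described above whenever they fetch a cross-origin resource: interaction-state selectors, viewport-specific @media rules and @font-face probes with a local() source and a remote fallback. The sample stylesheet and the tracker host are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample stylesheet mimicking the tracking patterns described above.
SAMPLE_CSS = """
a[href="https://example.org/"]:active { background: url("https://tracker.invalid/link?1"); }
#field-1:hover { background-image: url(https://tracker.invalid/hover?1); }
@media (min-width: 1920px) and (max-width: 1920px) { body { background: url("https://tracker.invalid/res?1920"); } }
@font-face { font-family: Calibri; src: local("Calibri"), url("https://tracker.invalid/font?calibri"); }
.logo { background: url("/img/logo.png"); }
"""

URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.I)


def _external_urls(text, site_host):
    """Return url() targets in `text` whose host differs from the page's own host."""
    found = []
    for u in URL_RE.findall(text):
        host = urlparse(u).hostname
        if host and host != site_host:
            found.append(u)
    return found


def find_css_beacons(css, site_host):
    """Return (kind, selector_or_query, url) for every cross-origin fetch that is
    conditional on user interaction, installed fonts or screen size."""
    hits = []
    # @font-face with local() first and a remote fallback: the fetch only happens
    # when the font is absent, which leaks the installed fonts (and so the OS).
    for body in re.findall(r"@font-face\s*{([^}]*)}", css, re.I):
        if re.search(r"local\(", body, re.I):
            hits += [("font-probe", "@font-face", u) for u in _external_urls(body, site_host)]
    # @media blocks: a remote url() inside fires only for matching viewports.
    for query, body in re.findall(r"@media([^{]*){((?:[^{}]*{[^}]*})*[^{}]*)}", css, re.I):
        hits += [("media-probe", query.strip(), u) for u in _external_urls(body, site_host)]
    # Plain rules whose selector depends on interaction state (hover/active/focus).
    for selector, body in re.findall(r"([^{}@]+){([^}]*)}", css):
        if re.search(r":(hover|active|focus)", selector, re.I):
            hits += [("state-probe", selector.strip(), u) for u in _external_urls(body, site_host)]
    return hits


if __name__ == "__main__":
    for kind, where, url in find_css_beacons(SAMPLE_CSS, "example.org"):
        print(f"{kind:12} {where!r} -> {url}")
```

A Content-Security-Policy that restricts img-src and font-src to the site's own origin blocks every one of the flagged fetches in the browser itself.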

Firefox : The Quantum Era

“Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster” is an insightful article showcasing the big changes happening with the Firefox browser.  It seems the pendulum is swinging back towards the browser that almost became irrelevant.  I think that competition is good for everyone, and it has proven much more so in end-user applications.  New ideas, new approaches, new technologies, and plenty of stimuli for the Google Chrome and other browser teams to respond with something even better.

Markdown Here – a browser extension for quick Markdown

Markdown Here is a browser extension (for all sorts of browsers too) that enables quick and easy rendering of Markdown text into HTML.  This works well in a number of scenarios – Gmail email composition, WordPress post editing, and a few others.

Clockwork – PHP developer tools integration for Google Chrome

Clockwork is a PHP library and a Google Chrome extension that work together to provide a new tab in the Google Chrome DevTools for PHP developers.  The tab contains all sorts of useful information such as variable values, application tracing, timing, and more.

Google Chrome color profile

My good friend and colleague Michael Stepanov has been recently annoyed by some weird color offsets on his external screen in Fedora 26.  Turns out, it wasn’t the external monitor, video card, or cable issue.  The problem was with the new Google Chrome and its choice of the color profile.  The solution was found in this Reddit thread:

  • Open new tab and type there chrome://flags
  • Find option “Force color profile” and set it to “sRGB”
  • Restart Chrome and enjoy blue as blue 🙂

BeEF – Browser Exploitation Framework

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

The end of CSRF?

“The end of CSRF?” blog post talks about the new feature coming to browsers – SameSite cookie enforcement, which will help in getting rid of Cross-Site Request Forgery (CSRF) attacks.  Too bad this is currently only supported by Google Chrome (both desktop and mobile), and Opera.  But I’m sure it’s coming soon to the rest of the browsers.

Update:  It looks like the above blog post is almost a copy of this blog post, which has a number of useful comments, including this one, which links to the bug trackers of a variety of projects and programming languages requesting support for the SameSite cookie feature.  Also, it looks like SameSite cookie is superseded by the Cookie Prefix solution, proposed by Google.
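As an added example (not from either linked post), the following Python models the two mechanisms mentioned above: which cross-site requests a browser attaches a cookie to under SameSite=Strict, Lax and None, and the Secure/Path/Domain rules a browser enforces for the __Secure- and __Host- cookie prefixes. The Set-Cookie headers are constructed; the browser_default parameter is an assumption covering both the older behaviour (missing SameSite means None) and the newer Chrome 80+ default of Lax.

```python
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); attribute keys are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def prefix_ok(name, attrs):
    """Cookie-prefix rules a browser checks before accepting the cookie:
    __Secure- requires the Secure flag; __Host- additionally requires Path=/
    and forbids a Domain attribute (so the cookie is bound to one host)."""
    if name.startswith("__Host-"):
        return "secure" in attrs and attrs.get("path") == "/" and "domain" not in attrs
    if name.startswith("__Secure-"):
        return "secure" in attrs
    return True


def sent_cross_site(attrs, top_level_navigation, method, browser_default="none"):
    """Would the browser attach this cookie to a request initiated by another site?
    Strict: never.  Lax: only top-level navigations using a safe method (so a
    cross-site form POST, the classic CSRF vector, carries no cookie).  None: always."""
    mode = attrs.get("samesite", browser_default).lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True


def csrf_exposed(header, browser_default="none"):
    """True when a cross-site form POST would still carry the session cookie."""
    name, _, attrs = parse_set_cookie(header)
    return prefix_ok(name, attrs) and sent_cross_site(attrs, True, "POST", browser_default)


if __name__ == "__main__":
    # Constructed headers: a legacy cookie versus a hardened one.
    for h in ("session=abc; Path=/; HttpOnly",
              "__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"):
        print(f"{h!r}: cross-site POST exposed = {csrf_exposed(h)}")
```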

Secure Headers – a PHP library for easier management of browser security features

Modern browsers offer a variety of security mechanisms for web developers.  Unfortunately, some of these aren’t so easy to manage.  One needs a deep understanding of the functionality as well as the theory behind it.  Secure Headers is a library that makes all that work a lot easier for PHP developers.  Here are some of the features:

  • Add/remove and manage headers easily
  • Build a Content Security Policy, or combine multiple together
  • Content Security Policy analysis
  • Easy integration with arbitrary frameworks (take a look at the HttpAdapter)
  • Protect incorrectly set cookies
  • Strict mode
  • Safe mode prevents accidental long-term self-DOS when using HSTS, or HPKP
  • Receive warnings about missing, or misconfigured security headers

Real Favicon Generator

Real Favicon Generator is a handy tool for setting up your website’s favicon properly.  It takes care of both the images (formats, resolutions, etc.) and the HTML that you’ll need to include.  With just a few clicks your website will work properly with browsers, operating systems, and mobile applications.

With so many platforms and icons, it’s hard to know exactly what you should do. What are the dimensions of favicon.ico? How many Touch icons do I need? RealFaviconGenerator did the research and testing for you.

If you still prefer to do it yourself and know all there is to generating proper favicon images and markup, have a look at this resource for everything there is to it and more.