The Tor_Browser wiki page reference a mailing list message by Mike Perry from 2012 where he states
Actually, the FAQ makes two assumptions:
1. That nearly all of the information available to Javascript is also
available to CSS and HTTP even when JS is disabled. This includes fonts,
desktop resolution, browser widget resolution, caching-based
identifiers, and probably a few more things, too.
My understanding of Javascript’s capability differs from this statement in that i did
not belive (know?) that CSS was so powerful. I have read people write in support of
TBB stopping of UA spoofing that even with JS disabled the operating system can be
(somehow?) determined using CSS. This leads me to wonder as someone concerned with CPU
fingerprinting attacks, be that core/thread count, cpu frequency measurements, or possibly
other methods I am unaware of, should I have such concerns even with TBB on maximum security?
in respect to the CSS capabilities.
As far as I know identification of the exact CPU model through CSS or JS shouldn’t be a concern
in contrast to the threat of cpuid identification from applications running on the machine, I
would like someone more knowledgeable on the matter to affirm this understanding.
PS - Clarification in regards to the phenomenon of “Browser history disclosoure” using CSS would also be appreciated.
How does differing virtualization technologies such as KVM or XEN affect these fingerprnting measurements towards whonix users?
Based on this information, it should be possible to detect the user’s OS, because different operating systems ship different fonts, such as “Calibri” on Windows.
Tor Browser (without JavaScript) might be preventing that through a curated selection of Tor Browser default fonts. Please research to confirm.
Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for Email and Browser Fingerprinting
Distinguishing Architectures. The calc()-expressionbased technique can also differentiate instruction set architectures (ISAs). For example, we can differentiate Microsoft Edge on Windows 11 on ARM and x86-64. Furthermore, we can distinguish between a browser’s 32-bit and 64-bit versions, even for the Tor browser on Windows 11. These are the first architectural differences observable from CSS only.
Overall, out of the 1176 combinations in our evaluation, we can distinguish 1152 of them (i.e., 97.95 %). The combination of our novel techniques can generally distinguish all operating systems included in our evaluation, including the Tor browser with NoScript, both configured to the highest security level.