Taking off from the controversial keylogger implemented in Cascading Style Sheets, this article surveys the various security holes that Web authors sometimes open up by incautiously borrowing or linking to CSS that they have not inspected and vetted.
“Third Party CSS Is Not Safe”
Jake Archibald, February 27, 2018
Cascading Style Sheets, considered as a domain-specific language, is powerful enough to enable malicious Web designers to detect and record plaintext entries in text fields of interactive Web pages as users type them in. The key idea is to use selectors like
input[type="password"][value$="a"] and specify that the background-image should be loaded from some URL where the eavesdropper has access to the log. The log entry will appear whenever the last character that the user typed into a password field is a lower-case a. By providing ninety-five such selectors, each loading a different background image from the eavesdropper's server, the eavesdropper can check the log to see which images were requested and in what order, and infer the entered password from that list.
“maxchehab”, GitHub, February 20, 2018