Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Artifact for "Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets"

Paper by Pierre Laperdrix, Oleksii Starov, Quan Chen, Alexandros Kapravelos and Nick Nikiforakis to appear at USENIX Security '21



The extension folder contains our defense prototype that protects users against CSS-based extension fingerprinting. It redirects getComputedStyle calls made on 222,642 specific elements into a special Shadow DOM copy that will return benign measurements.

Demo page

In order to demonstrate the effectiveness of our extension, we have a demo page that detects 11 browser extensions through the style they inject on any page. The 11 triggers we use were working as of January 4th 2021 but the targeted extensions may have been updated since then and so the detection may be altered.

List of tested extensions (last tested versions in parentheses):

Instructions to test the extension

  1. Download the extension by pulling the repo or downloading the corresponding zip file HERE.
  2. On a Chromium-based browser like Chrome, visit the address "chrome://extensions/".
  3. Activate "Developer mode" on the right and click on "Load unpacked extension". Extension page on Chrome
  4. Select the folder which contains the extension (the one from the repo or the unzipped file). You should see the "Protecting in style" extension enabled in your browser (see below). Extension enabled on Chrome
  5. Visit the demo page and all fingerprinted extensions should be marked as "non" detected when the defense is active. Links to install the fingerprinted extensions can be found on the demo page.


To encourage further research on style fingerprinting, we make our dataset available so that future researchers can compare with our findings. It contains the following two entities:

  • The trigger_pages folder has the raw trigger pages that we used to check if an extension is detectable or not. Each HTML file contains thousands of very specific HTML structures with both a baseline version and a trigger one. When a detectable extension is present, it will manifest its presence by modifying the style of its corresponding "trigger" version. When compared with the style of the "baseline" one, we can compute the style fingerprint of the extension used for detection. It should be noted that each HTML page outputs in the console the different style fingerprints it detects during its run. The trigger_map.txt file contains the mapping between extension IDs and trigger number.
  • The file is the full dataset of the 4,446 extensions that we found to be detectable through style fingerprinting and can be downloaded HERE. Each file in the zip follows the naming convention "<Extension ID>_<version>.zip". It is available outside of GitHub as its size is about 3.7GB.


Thanks to Soroush Karami for informing us about a possible iframe bypass in the defense prototype and providing a quick fix!


Companion repository to the paper entitled "Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets"






No packages published