@media window size leak POC

Your browser is

Tor Browser 9.0's letterboxing alleviates these concerns somewhat. The companion blog post to this demo has more information.

If you're trying to stay anonymous, you want to look like as many other people as possible. This is why the Tor Browser suggests you do not change your window size. CSS by itself can leak your window size. If your window size is unique enough, you could be deanonymized. No JavaScript required.

This website is a proof of concept. CSS supports @media queries that allow the web designer to set styles conditionally. Usually this is done to make a webpage "responsive." On mobile? Collapse that top menu bar into a hamburger menu and use one column instead of two. Useful!

But this can be abused to help deanonymize you. CSS supports setting some attributes to URLs. Combining these ideas, an adversary can force your browser to load different resources based on your window size. This webpage demonstrates this very obviously by loading and displaying different images based on the width and height of your window. An adversary wouldn't have to be so obvious. Maybe a small element with display:none; has its background image changed based on screen width. You wouldn't be able to see this in action unless you're watching the requests your browser is making.

I recommend you do just that: view the source of this page and its stylesheet. Open the developer console to the network tab and start resizing your window. All I have to do is watch my web server's logs to see what images are being requested. Thanks, CSS!
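To audit a stylesheet for this pattern without resizing anything, the following sketch lists every url() that is only fetched when a width or height media condition matches. It is an added example, not code from this demo; the sample CSS and the function name find_size_keyed_fetches are constructed for illustration.

```python
import re

# Strip comments first so braces inside them do not confuse the scan.
COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Matches width, min-width, max-width, device-width and the height forms.
SIZE_FEATURE = re.compile(r"\b(?:width|height)\b", re.I)
URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

# Constructed sample stylesheet (not the demo's real one).
SAMPLE_CSS = """
@charset "utf-8";
body { background: url(/static/bg.png); }
@media (max-width: 600px) { nav { display: none; } }
@media (min-width: 1000px) and (max-width: 1000px) {
  #probe { display: none; background-image: url("/w/1000.png"); }
}
@media (height: 700px) {
  @supports (display: grid) { #probe2 { background: url(/h/700.png); } }
}
@media print { .logo { content: url(/print-logo.png); } }
"""

def find_size_keyed_fetches(css):
    """Return (media_rule, url) for each url() nested inside an @media
    block whose condition tests width or height. Brace-counting scan for
    plain (non-nested) style rules; braces inside quoted strings and
    declarations placed before a nested rule are not handled."""
    css = COMMENT.sub("", css)
    findings, stack, start = [], [], 0   # stack: preludes of open blocks
    for i, ch in enumerate(css):
        if ch == "{":
            # Prelude is the text since the last ';', '{' or '}'.
            stack.append(css[start:i].rsplit(";", 1)[-1].strip())
            start = i + 1
        elif ch == "}":
            keyed = [p for p in stack if p.lower().startswith("@media")
                     and SIZE_FEATURE.search(p)]
            if keyed:  # declarations just closed sit under a size query
                for m in URL.finditer(css[start:i]):
                    findings.append((keyed[-1], m.group(1)))
            if stack:
                stack.pop()
            start = i + 1
    return findings

if __name__ == "__main__":
    for media, url in find_size_keyed_fetches(SAMPLE_CSS):
        print(f"{url}  <-  {media}")
```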

Disabling JavaScript can't help you in this regard. If your threat model calls for it, do not change the window size of the Tor Browser Bundle from its default.