That explains why it does nothing in Safari. Safari doesn't support `navigator.getUserMedia`, as that's deprecated and no longer part of the standard. The standard way to do this is navigator.mediaDevices.getUserMedia
Is there a reason that he sets a timeout of 100? Since this is all local (because of canvas.toDataURL()), can't it just run every 16ms (60 fps) instead of 100? I noticed in the gif that it was super choppy but I kind of assumed there was a technical reason, but I can't think of a reason that there would be a reason to have such a long delay.
The browser doesn't seem to update the image any faster (at least not Chrome on Linux) than it already does. You can try different framerates though, maybe some platforms allow higher frequency?
Basically the favicon connection to the server stays open sending a periodic junk-update so that the server can detect when the tab is closed. You can do it with any asset but the favicon hides the loading indicator.
Presumably you could do the same thing with a `<script async>` tag, drip-feeding bytes across the connection and waiting for it to close. Though now that I've said that, it occurs to me that disabling JavaScript almost certainly avoids loading script hrefs to begin with rather than just not executing them.
Is there an equivalent with any other type of resource, that avoids deferring onLoad?
> Is there an equivalent with any other type of resource, that avoids deferring onLoad?
If JS is disabled the event doesn't really matter and any asset can be handled this way. I just use the favicon because it stops the browser from showing a loading spinner so everything looks still and nobody assumes there's anything going on in the background.
You can use persistent connections like this in other strange ways too. For instance this is a no-JS chat that's even able to update the connection count by sending a bit of CSS lazily: https://harmless.herokuapp.com/main
It's easier and common to do with JS, so it would be a really niche target. I was investigating it as a method of tracking users on Tor where JS is often disabled.
While really novel and interesting, would it really work that well on Tor/etc? Most people using those browsers are pretty privacy conscious and I feel like people would notice a connection that never closes
Tor can also create a false sense of privacy because people think it will do all of the work for them.
If they look at the network tab in their browser they can see it, but it just looks like a favicon asset that's really slow to load. And people usually assume that with JS disabled these things don't happen.
That's also the purpose of using it in the favicon. It prevents the loading spinner so you'd have to inspect the connections.
Why isn't stuff like this considered a security vulnerability in the browser and not require extra permissions from the user? I thought companies like Mozilla were supposed to be on the side of the users, but it often seems like they just make it easier and easier for companies to spy on users.
This particular cases is just an unintended consequence. They could put a limit on the connection duration, but you could also just slowly drip the bytes of a real favicon image (possibly augmented with junk metadata) and how would the browser know that it's not just a slow server connection?
These are favicons we are talking about. There is no legitimate reason for the browser to enable and permit this type of tracking without some permission from the user.
It's not really "permitting" it, that's just how the internet works. If you send the data slowly you can keep a connection open.
And fighting privacy violation is basically a game of cat and mouse. As soon as we figure out how to block their tactics, they evolve. If what I'm doing here became mainstream they would probably do something about it, but as it stands this is much easier to do using JS or something anyway (which people know violates their privacy but they leave it enabled because modern websites break down without it).
Note that the link is to something that is an audio spectrum analyzer/visualizer and not an equalizer. It's even called "Analyser" in the code. At first I was amazed that an equalizer could be implemented into a URL, I was wondering how one would input the gains for the frequency bands, but alas it just displays the volume at each frequency.
That's such an awesome little hack. Next think we need is to synchronize multiple tabs and a multi-player favicon game where you get to shoot the tabs of your opponents.
