Cross-origin data leaks via the ambient light sensor

As discussed in more detail in the blog post from @lukOlejnik, readings from the ambient light sensor allow attackers to infer the color of the user's screen. This makes the sensor a side channel for stealing data across origins (reading cross-origin images or frames) or for extracting data from the user's browsing history.

Below is a list of demos for extracting images and history, and some diagnostic tests to show other capabilities of the light sensor. When running the demos, the results are affected by the lighting conditions of the environment, the brightness of the screen, and the distance and color of a surface reflecting light from the screen (see setup examples below).

Demos

Diagnostic tests:

Setup examples

All the readings below were measured with screen brightness at 50% in a relatively bright room.

Black: 19 lux. White: 23 lux.
Black: 145 lux. White: 158 lux.
Black: 45 lux. White: 49 lux.
(Light reflected off the bottom edge of the monitor.)
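
The following is an added example, not code from the original page or its demos. It runs the black/white readings listed above through a quantizer of the kind a browser could apply to sensor output, to see at which step size the two screen colors stop being distinguishable. The "setup N" labels, the step sizes and the 24/26 lux pair are assumptions constructed for illustration.

```javascript
// Added example: not code from the page or its demos.
// Black/white readings (lux) are copied from the setup examples above;
// the "setup N" labels are ours.
const PAGE_SETUPS = [
  { label: "setup 1", black: 19, white: 23 },
  { label: "setup 2", black: 145, white: 158 },
  { label: "setup 3", black: 45, white: 49 },
];

// Constructed pair (assumption): a 2 lux contrast that straddles a bucket edge.
const BOUNDARY_SETUP = { label: "constructed", black: 24, white: 26 };

// Round a raw reading to the nearest multiple of `step` lux.
function quantize(lux, step) {
  return Math.round(lux / step) * step;
}

// True if a black screen can still be told from a white one
// after the sensor output has been quantized.
function leaks(setup, step) {
  return quantize(setup.black, step) !== quantize(setup.white, step);
}

// Labels of the setups whose contrast survives a given step size.
function leakingSetups(setups, step) {
  return setups.filter((s) => leaks(s, step)).map((s) => s.label);
}

// Smallest candidate step that hides the contrast in every setup, or null.
function smallestHidingStep(setups, candidateSteps) {
  const sorted = [...candidateSteps].sort((a, b) => a - b);
  const hit = sorted.find((step) => leakingSetups(setups, step).length === 0);
  return hit === undefined ? null : hit;
}

const STEPS = [1, 5, 10, 25, 50]; // illustrative step sizes (assumption)
for (const step of STEPS) {
  const still = leakingSetups(PAGE_SETUPS, step);
  console.log(`step ${step} lux: ${still.length ? still.join(", ") : "no setup"} leaks`);
}
console.log("boundary pair leaks at 50 lux:", leaks(BOUNDARY_SETUP, 50));
```

Rounding alone is not sufficient: the constructed 24/26 lux pair still leaks at a 50 lux step, because the two readings fall on opposite sides of a bucket edge.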