A web page that shows you everything the browser told it without asking
mwheelz
552 points
275 comments
May 08, 2026
Related Discussions
Found 5 related stories in 92.8ms across 8,303 title embeddings via pgvector HNSW
- What if the browser built the UI for you? jonnonz · 22 pts · April 05, 2026 · 52% similar
- Smalltalk's Browser: Unbeatable, yet Not Enough mpweiher · 139 pts · March 05, 2026 · 47% similar
- Forking the Web wrxd · 120 pts · May 09, 2026 · 47% similar
- Show HN: Pablo – a Chrome extension that copies UI from any website rayansaleh · 22 pts · May 22, 2026 · 47% similar
- Show HN: I built a tool that watches webpages and exposes changes as RSS vkuprin · 213 pts · March 11, 2026 · 47% similar
Discussion Highlights (20 comments)
superkuh
With javascript off it just stalls at "reading" forever. There are certainly some viewport properties and other things it does know even without JS execution, but the mitigation is significant. And the page itself (the JS application) cannot act on that data or communicate it. Instead it has to be processed by some other application on the backend or wherever. Not in my browser by my computer.
mrpopo
Happy to say that my browser didn't tell anything that I didn't expect it to. It even identified my IP from a location 1000km away from me. Firefox on Android with ublock
wincy
My battery is at NaN%, the site is cool but it should probably change the text if I’m not actually exposing that information. It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although its annoying when I connected to a VPN to Steam it’ll often show my prices in Canadian dollars instead of USD.
Multicomp
Mine told me my graphics card was "or similar" so my stock Firefox is doing at least okay. While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing. Roughly that looks like email aliases on demand via sieve rules, ublock origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla(Mullvad) VPN for uncontrolled WiFi access points for my jnrootabke android device and mostly signal for comms. I'm getting to old to be a privacy extreme enthusiast when all of my family side channels everything straight to Facebook, so this is the impure level of privacy I can sustain.
freedomben
I guess I shouldn't be surprised that it gives my exact GPU, but that was surprising to me. Just so everyone knows, its an AMD Radeon RX 6900 XT and I paid way too much for it during the covid/crypto price explosion when they were sold out everywhere. Still a bit raw about that, but it is an excellent card on Linux (fedora)
aidanbeck
Aside from the fingerprinting methods, the graphics processor string seems to be the most immediately personal data given up (other than location, which was incorrect for me). I could see sites tailoring ads around an assumed class, income, and level of digital literacy based on this data point alone.
chrisweekly
I appreciate the intent here, so this is constructive feedback: - Some of the numbers are off, eg "Your browser allocated 39322 MB of storage to this page alone" - low contrast in dark mode makes text hard to read
yakkomajuri
DuckDuckGo browser helped mask some stuff, but definitely a fair amount still goes through. Annoyingly the web is becoming a bit more annoying to browse as a DuckDuckGo (mobile) and Brave (desktop) user. With a VPN on top it gets even worse.
Gualdrapo
Text is so dim is really hard to read.
ebolyen
There's really a lot more you can look at here. Lot's a prior art on super-cookies and fingerprinting: https://coveryourtracks.eff.org/ https://amiunique.org/
card_zero
* I'm not in that city. * It's running a kind of Chrome on a kind of Linux, at a stretch. * Nobody can infer when I work and when I sleep. That includes me. * The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago. * But yes, browser fingerprinting is annoying. * Since you can detect light mode, would it kill you to honor it?
ramon156
Its mixing confidential info. For example, you know I'm connected from a location, but you do not know my precise location. I connected from a tower that is from Odido, but I am not paying Odido for a subscription.
thatguy0900
Man what a awful looking site. I shouldn't have to crank my brightness to max to kind of read the words
aziaziazi
> Your screen is 320 by 568 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display. It’s been a long time my 2016’ iPhone as been called recent or high-end but I’ll take the compliment, thank-you.
crazygringo
This is just... silly. Everything it told me, while browsing on my iPhone, seems entirely reasonable. > Every page you have ever visited knows at least this much. Most of them know more. None of them told you. So? Why would I want the news site I'm visiting to "tell me" it knows my preferred language, that I'm using light mode, or the estimated location of my IP address...? It's not surprising that a browser which renders text can be used to identify which fonts are available. It's not surprising that a browser which allows calculation with your GPU will identify your type of GPU. The "without asking" framing is just silly. I expect to be asked for consent to use my webcam or microphone or exact precise location . But the last thing I want is to be asked for permission around detecting my local time zone or preferred language or my screen resolution or 20 other totally reasonable things for a website to be able to know.
Retr0id
> Your screen is 1512 by 982 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display. Your device volunteered all of this in the first milliseconds of the connection. No it didn't. It was queried by the JS running on the page. It's a fun demo but it could really do without the slop prose.
troyvit
> Your graphics processor identified itself as or similar. That checks out. I think what I have is similar to a graphics card but isn't quite.
pona-a
A vibe-coded EFF Cover Your Tracks. The fact this made it to front-page is spookier than its contents
joshstrange
It's somewhat interesting but over half of what it talked about is just silly. - Reverse IP/geocode (while be cute about "we won't show your IP", oh no, not my IP!) - Timezone - Ok, yeah, lots of websites need/make use of that for completely legit tasks - Browser/OS/Screen size - boring, again mostly needed or historical - GPU - Again, not super interesting IMHO - Battery - Ok, this is the first one I think should be behind a permission dialog - Language - Come off it, that's just table stakes - Fonts - Again, not sure how else this should work in a "perfect" world - Cookies/dark mode/DnT/etc - Ehh, again aside from fingerprinting (which ruins everything) these are all QoL improvements IMHO - Referrer - Again, this is just how the web works I think the websites that take all of that and show you a fingerprint or show the data in a more data-oriented way are way more compelling. This, almost certainly vibe-coded, website doesn't do anything novel and hits on a huge pet peeve of mine: using low-quality arguments for a legit issue (fingerprinting). By mixing in stuff like your IP/Language on the same level as Battery/GPU/other-fingerprinty-things it makes the whole argument less compelling.
nathanmills
You can't gaurentee any of this is fingerprintable without checking twice (i.e. give the user a unique url, then ask them to restart the browser and visit it). In privacy browsers like LibreWolf or Mullvad Browser this is almost all spoofed, save for things like the IP which needs to be hidden/changed independently of the browser.