Cloudflare Turnstile requiring fingerprintable WebGL
HypnoticOcelot
598 points
332 comments
May 31, 2026
Discussion Highlights (20 comments)
nulledy
As turnstile users on several of our sites, I think we need to revisit that decision.
kykat
What? Big tech company is evil? No way! I thought cloudflare were good guys...
Fokamul
Please, anyone from EU (US is doomed rofl) create a petition to ban browser-fingerprinting in EU, across all existing browsers. I'm not good at creating petitions but can happily sign it. Also with stop killing games and anti-chat control. I can imagine this can get traction, if it's explained in a YouTube video to "normal" people.
anonym29
Say no to malware - say no to Cloudflare
malka1986
Thanks, I did not know about `privacy.resistfingerprinting`. I'll make sure to fail all cloudflare turnshit in the future.
Wowfunhappy
...in the age of AI, does anyone have an actual solution for keeping out bots while preserving the privacy of humans? Obviously this is terrible, but I think there's a possibility it's the least terrible option? Another option is IP reputation, which I think is worse. Or scanning a code with a non-rooted phone, which I think is even worse than that!
denysvitali
Cloudflare is known to use fingerprinting to detect scrapers. For example, they use JA3 fingerprints and match them against the UA to block stuff like cURL while allowing OkHttp (Android clients) - but this can easily be spoofed with packages such as CycleTLS [1].
I don't want to defend them, because they gate away a good chunk of the internet with their "bot protection", but unless you do PoW (which is also ecologically a nightmare), probably fingerprinting is the way to go - completely destroying the privacy of everyone involved.
Cromite, a privacy-conscious fork of Chromium for Android, constantly has issues with CloudFlare Turnstile [2] because they (Cloudflare) try to fingerprint it in multiple ways in order to pass the challenge. The only way to get it to work would be to join the CloudFlare Browser Developer program - which requires signing an NDA. Rightfully so, the project maintainer didn't want to do it.
If you want to see the extent of what CloudFlare does to fingerprint the browsers, just have a look in the issue [2] and see which flags need to be disabled in order to allow CloudFlare to pass the challenge.
I understand both sides, but at least CloudFlare could be flexible enough to fall back to PoW instead of just blocking people from sending forms or accessing websites...
[1]: https://github.com/Danny-Dasilva/CycleTLS
[2]: https://github.com/uazo/cromite/issues/2365
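Added example, not part of the comment above and not Cloudflare's code: the JA3-versus-User-Agent consistency check that comment describes, run over constructed ClientHello field sets. The `KNOWN` table, the sample hellos and the `check` helper are assumptions made for illustration.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection, so JA3 drops them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def ja3_string(version, ciphers, extensions, groups, point_formats):
    """JA3 input: five ClientHello fields, decimal, '-' within and ',' between."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(groups), join(point_formats)])

def ja3_hash(*fields):
    # MD5 is used as a fingerprint digest here, not for security.
    return hashlib.md5(ja3_string(*fields).encode(), usedforsecurity=False).hexdigest()

# Constructed ClientHello field sets (illustrative, not captured from real clients).
HELLO_A = (771, [0x1A1A, 4865, 4866, 49195], [0x2A2A, 0, 23, 65281, 10, 11], [0x3A3A, 29, 23], [0])
HELLO_B = (771, [4866, 4867, 4865, 49196], [0, 11, 10, 13, 16], [29, 23, 24], [0, 1, 2])

# Hypothetical allow-table: User-Agent family -> JA3 hashes seen from that client.
KNOWN = {"okhttp": {ja3_hash(*HELLO_A)}, "curl": {ja3_hash(*HELLO_B)}}

def check(user_agent, hello):
    """Return 'consistent', 'mismatch' or 'unknown' for a UA / ClientHello pair."""
    ua = user_agent.lower()
    family = next((f for f in KNOWN if f in ua), None)
    if family is None:
        return "unknown"
    return "consistent" if ja3_hash(*hello) in KNOWN[family] else "mismatch"

if __name__ == "__main__":
    for ua, hello in [("okhttp/4.12.0", HELLO_A), ("okhttp/4.12.0", HELLO_B),
                      ("ExampleAgent/1.0", HELLO_A)]:
        print(f"{ua:18} {ja3_hash(*hello)} {check(ua, hello)}")
```

Because the hash covers only what the client chooses to send in its ClientHello, a "consistent" result is one weak signal among several rather than proof of the client's identity.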
adamtaylor_13
So if you need to prevent bot abuse, but also don't want an ugly captcha every time someone goes to sign up, is there a better option?
avallach
Doesn't this mean we just need to make the webgl fingerprint resistance implementation smarter? Instead of explicitly rejecting webgl access or responding with dummy data, respond with data that is random within space of N common and reproducible patterns. E.g. emulate webgl implementation of some low spec but actually popular devices.
gruez
This blog post is filled with false assumptions.
> Turns out it's because Cloudflare wants to have a fingerprint of your device via WebGL, the only reason for doing this would be tracking.
> So Cloudflare just banned all WebKitGTK browsers as I guess they put an exception for Safari.
This is false. I ran firefox with:
* hardware acceleration disabled (so software renderer, nothing to fingerprint)
* resistfingerprinting enabled, including letterboxing with default window size
* webgl disabled
* VPN enabled
* In a Windows VM
By all accounts this should be the most suspicious fingerprint ever, but turnstile happily lets me through. If they want to track people, they're doing a pretty bad job. My guess is that OP's browser is getting banned because his WebKitGTK has a weird fingerprint, not because of webgl or whatever.
> Such things are blocked in WebKit, and have been for years. Meaning it's tracking so awful that even Apple would block it, and as far as I can tell it's not the kind of privacy protection you can easily disable in it.
This is also false. Webgl fingerprinting works just fine on Safari. They might try to mitigate it by adding some noise, but that's not so different than what firefox does, and is certainly not "blocked".
JoshTriplett
"This makes your browser appear suspicious because it looks like you're trying to hide your identity." Yeah, this needs to be burned to the ground.
shevy-java
I wondered about that too. So they allege that bots require that everyone now has to ID to the big service providers. Very dystopian situation. Skynet is currently winning the war.
bflesch
Firefox has so much built-in tracking it seems they want to push me to build my own browser. For example every time you open the settings there are several ways they are sending out pings to certain extensions. Also by default addons.mozilla.org is a privileged site so of course they include google tracking in it and they get the proper fingerprint no matter what you have configured.
kordlessagain
I did warmups in Grub Crawler to fight this: https://deepbluedynamics.com/grub
4oo4
I tested this extension that I've been using for a long time on the turnstile page and it got through, fwiw. I think it's a bit more subtle than how resistfingerprinting works but not sure what the privacy tradeoff is. https://github.com/kkapsner/CanvasBlocker
Dwedit
Adding noise to a canvas element is a mistake anyway. It means you can't develop a proper paint program using web technologies because your browser will mess with the image.
dblohm7
> Plus privacy.resistfingerprinting isn't enabled even when selecting "Strict" "Enhanced Privacy Protection" in the settings, great job there Mozilla.
That pref is there for the Tor Browser.
jeroenhd
> Plus privacy.resistfingerprinting isn't enabled even when selecting "Strict" "Enhanced Privacy Protection" in the settings, great job there Mozilla.
For good reason. I've run that setting for ages but I kept having to disable it and add workarounds because websites would break in weird ways. Timezones in scheduling websites being messed up nearly made me miss a couple of appointments. There's no way to tell the user Firefox isn't broken without displaying a permanent banner like "if websites are broken in any way or you see weird glitches or your computer's time is wrong or fonts look weird or videos don't always work right, click here to disable fingerprinting protection". Interestingly, Turnstile breaks with resistfingerprinting but works with fingerprintingProtection, I guess the latter takes this crap into account.
Kiboneu
In other words, Cloudflare requires you to substantially increase your browser’s attack surface in order to visit websites.
Animats
Is there a deal between Google and Cloudflare to make non-Chrome browsers harder to use? The pressure to use Chrome keeps increasing, and the amount of ad filtering you can do in Chrome keeps decreasing.