fix(stealth): close screen/window geometry headless tells #293
Draft
JWriter20 wants to merge 1 commit into
Three related leaks in the spoofed screen/window geometry, all from BrowserForge fingerprints that ship physically-impossible or headless-looking dimensions:

1. navigator.platform / oscpu arch mismatch: ~8% of Linux fingerprints report "Linux armv81" while the UA says "Linux x86_64". CreepJS cross-checks oscpu/platform/UA arch, so force both to match the UA.
2. noTaskbar: when screen.avail == screen on both axes, CreepJS's noTaskbar Like-Headless flag flips. Subtract a typical chrome height (mac 25 / win 40 / lin 27) from availHeight and clamp outer/inner height to the new avail.
3. dimension hierarchy: enforce inner <= outer <= avail <= screen on both axes, since the browser faithfully reports whatever we inject and a fingerprint with e.g. outerWidth > screen.width leaks as impossible geometry.

Also stop the geoip block from clobbering user-supplied geo fields (timezone / geolocation:* / locale:*) — fill gaps with setInto instead of a spreading overwrite, and treat a user-set timezone as driving geo so the proxy-without-geoip warning doesn't false-fire.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
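The three consistency rules named in the description, written from the checking side as an added example; this is not code from this pull request or from CreepJS. The function name `geometryTells`, the flag names it returns, and both sample fingerprints are constructed for illustration.

```javascript
// Added example: the flag names and the fingerprint shape are assumptions.
const UA_ARCH = /Linux (x86_64|i686|aarch64|armv\w+)/;

function geometryTells(fp) {
  const tells = [];
  const { navigator: n, screen: s, window: w } = fp;

  // Rule 1: platform and oscpu must carry the same architecture as the UA.
  const uaArch = (n.userAgent.match(UA_ARCH) || [])[1];
  if (uaArch) {
    for (const key of ['platform', 'oscpu']) {
      const v = n[key];
      if (typeof v === 'string' && v.startsWith('Linux') && !v.includes(uaArch)) {
        tells.push(`${key}ArchMismatch`);
      }
    }
  }

  // Rule 2: avail == screen on both axes means no room was left for OS chrome.
  if (s.availWidth === s.width && s.availHeight === s.height) tells.push('noTaskbar');

  // Rule 3: inner <= outer <= avail <= screen must hold on each axis.
  for (const axis of ['Width', 'Height']) {
    const chain = [
      ['inner', w[`inner${axis}`]], ['outer', w[`outer${axis}`]],
      ['avail', s[`avail${axis}`]], ['screen', s[axis.toLowerCase()]],
    ];
    for (let i = 0; i < chain.length - 1; i++) {
      if (chain[i][1] > chain[i + 1][1]) tells.push(`${chain[i][0]}${axis}>${chain[i + 1][0]}`);
    }
  }
  return tells;
}

// Constructed samples: one inconsistent fingerprint, one that satisfies all rules.
const UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0';
const leaky = {
  navigator: { userAgent: UA, platform: 'Linux armv81', oscpu: 'Linux armv81' },
  screen: { width: 1920, height: 1080, availWidth: 1920, availHeight: 1080 },
  window: { outerWidth: 2000, outerHeight: 1080, innerWidth: 1900, innerHeight: 1000 },
};
const consistent = {
  navigator: { userAgent: UA, platform: 'Linux x86_64', oscpu: 'Linux x86_64' },
  screen: { width: 1920, height: 1080, availWidth: 1920, availHeight: 1053 },
  window: { outerWidth: 1920, outerHeight: 1053, innerWidth: 1920, innerHeight: 970 },
};
console.log(geometryTells(leaky), geometryTells(consistent));
```

The second sample uses the 27 px Linux chrome height from the description, so only `availHeight` differs from the screen and the both-axes condition no longer holds.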