A web page that shows you everything the browser told it without asking


Since You Arrived · Vol. IV

You opened this page. It already knows the following.

Vol. I is what the world did while you were here. Vol. II is the sky you missed. Vol. III is what was already at your feet. This was Vol. IV. We thought you should know.


Sources & Confessions

Every observation on this page came from your own browser, in the first milliseconds after you arrived. The words were written by a human. A few honest footnotes follow.

Your location
ip-api.com · Free tier · CC-BY-SA

Your IP address arrives in the header of every request your device makes. We pass it to ip-api.com to translate it into a city and an internet provider name. The lookup is transient — neither side stores it. Under GDPR, an IP address can be considered personal data when used for tracking. We do not track. We do not retain. We do not log. We display only the first and last octet on screen. We know the rest. We chose not to display it.

Browser APIs
MDN Web Docs · Mozilla · CC-BY-SA 2.5

Every observation about your device — screen, browser, language, GPU, cores, battery, fonts, preferences — was retrieved through standard JavaScript APIs documented openly by Mozilla. No exploits, no vulnerabilities, no hacks. Everything on this page is by design. The design is the problem.

Font fingerprinting
Electronic Frontier Foundation · Cover Your Tracks (formerly Panopticlick)

The technique of detecting installed fonts by measuring rendered text widths has been documented since 2010. The EFF maintains a tool that lets you see how unique your browser is. Most browsers are unique enough to be tracked across the open web without any cookie at all. The combination of fonts is one of the strongest signals.

Canvas fingerprinting
Princeton University · Web Transparency & Accountability Project

A 2014 study from Princeton was the first to document canvas fingerprinting in the wild. Researchers found it on 5% of the top 100,000 websites — pages that secretly asked the visitor’s browser to draw a hidden image, then read the rendered pixels back as an identifier. Your browser supports the technique. We did not draw one. The page you visit after this one might.
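
An added example, not code from this page or from the Princeton study: one way to see the draw-then-read-back pattern described above is to wrap the canvas methods and log calls to them. The function names, the fake canvas classes and the "text drawn, then pixels read" heuristic are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical. FakeCanvas/FakeContext are
// constructed stand-ins so the logic runs outside a browser.
const DRAW = ["fillText", "strokeText"];
const READ = ["toDataURL", "toBlob", "getImageData"];

// Wrap each named method on `proto` so every call is recorded in `log`
// and then passed through to the original implementation.
function instrument(proto, methods, log) {
  for (const name of methods) {
    const original = proto[name];
    if (typeof original !== "function") continue;
    proto[name] = function (...args) {
      const canvas = this.canvas || this; // a 2D context points at its canvas
      log.push({ method: name, canvas, width: canvas.width, height: canvas.height });
      return original.apply(this, args);
    };
  }
}

// Assumed heuristic: report pixel reads from a canvas that had text drawn on it.
function findReadbacks(log) {
  const drawn = new Set();
  const hits = [];
  for (const entry of log) {
    if (DRAW.includes(entry.method)) drawn.add(entry.canvas);
    else if (drawn.has(entry.canvas)) hits.push(entry);
  }
  return hits;
}
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
}
class FakeCanvas {
  constructor(width, height) { this.width = width; this.height = height; }
  getContext() { return new FakeContext(this); }
  toDataURL() { return "data:,"; }
}
// In a browser, pass HTMLCanvasElement.prototype / CanvasRenderingContext2D.prototype.
const log = [];
instrument(FakeCanvas.prototype, READ, log);
instrument(FakeContext.prototype, [...DRAW, ...READ], log);
const textCanvas = new FakeCanvas(240, 60);
textCanvas.getContext().fillText("sample", 0, 0);
textCanvas.toDataURL();               // text drawn, then read back: reported
new FakeCanvas(300, 150).toDataURL(); // read without text: not reported
const flagged = findReadbacks(log);
console.log(flagged.map((e) => `${e.method} ${e.width}x${e.height}`));
```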

Clipboard API
MDN · Clipboard API specification

With a single user gesture — a click, a tap — a page can request to read the last thing you copied. A password. An address. A draft message. The capability is announced by every modern browser. We did not request it. The capability is there, available to any page that asks at the right moment.

The battery research
Olejnik, Englehardt, Narayanan · 2015 · “The Leaking Battery”

Published in the proceedings of the Workshop on Data Privacy Management. The paper demonstrated that the combination of battery percentage and discharge time was unique enough to track a visitor across multiple websites for up to thirty minutes — without cookies, without accounts. Firefox removed the API in 2016. Chrome and Edge still expose it.

The technique we did not run
Documented · Legal · Widely deployed

A page can detect which sites you are logged into by asking your browser to load favicon URLs from those sites and watching which succeed and which fail. Logged-in services return one image; logged-out services return another. The technique requires no permission. With it, a page can know — without asking — whether you are logged into Facebook, Google, X, GitHub, Reddit, LinkedIn, and dozens of others. We did not run this. The technique is documented and legal. Some of the pages you visited today did.

The barcode
Computed in your browser · 16 bars · Yours alone

Beneath the count, sixteen hairlines whose heights are derived from the data your device handed over — your GPU, your fonts, your screen size, your language, your timezone, your operating system, your browser, your color depth. Same data, same barcode. Different visitor, different barcode. The computation happens in your browser; nothing about it is transmitted. Anyone with your exact fingerprint would see the same bars. The likelihood is small.
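
An added example, not this page's own code: a deterministic derivation of sixteen bar heights from the eight attributes listed above, showing why the same data always gives the same bars and a single changed attribute gives different ones. The hash (FNV-1a), the height range and every name and sample value are assumptions; the page does not say how it computes the bars.

```javascript
// Added example; names are hypothetical. FNV-1a is a stand-in hash:
// the page does not say which function it uses.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Sort keys so that property order cannot change the result.
function canonicalize(attrs) {
  return Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join("\n");
}

// One hash per bar, reduced to a height between 1 and maxHeight.
function barcode(attrs, count = 16, maxHeight = 64) {
  const canon = canonicalize(attrs);
  return Array.from({ length: count }, (_, i) =>
    1 + ((fnv1a(`${i}:${canon}`) >>> 24) % maxHeight));
}

// Constructed sample visitors using the eight attributes the page lists.
const visitorA = {
  gpu: "ExampleGPU 1000",
  fonts: "Arial,Georgia,Verdana",
  screen: "1920x1080",
  language: "en-US",
  timezone: "Europe/Berlin",
  os: "Linux",
  browser: "ExampleBrowser 1",
  colorDepth: 24,
};
const visitorB = { ...visitorA, timezone: "Europe/Paris" }; // one attribute differs

console.log(barcode(visitorA).join(" "));
console.log(barcode(visitorB).join(" "));
```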

The prose
Hand-written · Template-based, not generative

Every sentence on this page was written by Matt. The code selects among prose templates based on what your browser returned. No language model writes or rewrites anything at runtime. If a condition is not covered by hand-written prose, the page stays quiet about it — we’d rather say less than say something false.

What this page sent
Two anonymous events to our server

Two events: that you arrived, that you finished. No cookie, no identifier, no IP retained. Our server discards the body of each request and returns nothing. The transport-level record that the request happened exists in our hosting provider’s logs for as long as their default retention runs — typically a few days. We did not configure that. Every site you visit has the same record.
