Cloudflare Turnstile requiring fingerprintable WebGL

Published on 2026-05-30T23:31:51Z, last updated on 2026-05-30T23:31:52Z

For about a week, Cloudflare Turnstile (their “Verify you’re human” device verification) has been looping indefinitely in my webkit-gtk based browser, preventing access to quite a few websites (it happened previously too, but it got even worse lately).

Turns out it’s because Cloudflare wants to have a fingerprint of your device via WebGL; the only reason for doing this would be tracking.

[Screenshot of Turnstile test page: “WebGL renderer info is spoofed”]

Their pro-tracking non-justification copied here just in case:

Turnstile uses browser fingerprinting to verify you’re human. Privacy tools that block or randomize fingerprinting make your browser look like a bot trying to hide its identity. Temporarily allowing fingerprinting for this site will fix the issue.

Such things are blocked in WebKit, and have been for years, meaning it’s tracking so awful that even Apple would block it, and as far as I can tell it’s not the kind of privacy protection you can easily disable in it. So Cloudflare just banned all WebKitGTK browsers, as I guess they put an exception for Safari.

As an aside, if you’re wondering, Mozilla Firefox screwed up their WebGL fingerprinting protection: Bugzilla#1916271: Gecko reveals sanitized GPU Characteristics; webkit and blink return hardcoded strings for all users

[Screenshot of Turnstile test page on Firefox 145.0 passing with no issues.]

Plus privacy.resistFingerprinting isn’t enabled even when selecting “Strict” “Enhanced Privacy Protection” in the settings, great job there Mozilla. But I guess with it enabled, privacy-conscious Firefox users might not be able to pass Cloudflare’s device verification in the future.

[Screenshot of Turnstile test page on Firefox 145.0 passing with just “Canvas Randomization Detected”, after enabling privacy.resistFingerprinting manually.]
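To make the difference in the Bugzilla summary above concrete, the following added example (not from the original post) reads the strings a WebGL context exposes through `WEBGL_debug_renderer_info` and counts how many groups a set of users falls into. The `fakeContext` helper and every string in it are constructed stand-ins, not real browser output; in a browser the script reports your own context instead.

```javascript
// Added example: report what a WebGL context exposes about the GPU.
// Constants come from the WebGL spec and the WEBGL_debug_renderer_info extension.
const GL_VENDOR = 0x1F00, GL_RENDERER = 0x1F01;

function webglReport(gl) {
  if (!gl) return { webgl: false };
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  return {
    webgl: true,
    vendor: gl.getParameter(GL_VENDOR),
    renderer: gl.getParameter(GL_RENDERER),
    // Unmasked strings exist only when the browser exposes the extension.
    unmaskedVendor: ext ? gl.getParameter(ext.UNMASKED_VENDOR_WEBGL) : null,
    unmaskedRenderer: ext ? gl.getParameter(ext.UNMASKED_RENDERER_WEBGL) : null,
  };
}

// Group reports by the strings they expose: one bucket for everyone means the
// value identifies nobody; several buckets means it splits users apart.
function buckets(reports) {
  const counts = new Map();
  for (const r of reports) {
    const key = [r.vendor, r.renderer, r.unmaskedVendor, r.unmaskedRenderer].join('|');
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed stand-in for a WebGL context (hypothetical strings).
function fakeContext(renderer, exposeExtension) {
  const ext = { UNMASKED_VENDOR_WEBGL: 0x9245, UNMASKED_RENDERER_WEBGL: 0x9246 };
  const values = { [GL_VENDOR]: 'Example Vendor', [GL_RENDERER]: 'Example Renderer',
    [ext.UNMASKED_VENDOR_WEBGL]: 'Example Vendor', [ext.UNMASKED_RENDERER_WEBGL]: renderer };
  return { getExtension: (n) => (exposeExtension && n === 'WEBGL_debug_renderer_info' ? ext : null),
    getParameter: (p) => values[p] };
}

// Three users behind a hardcoded string vs. three users behind a sanitized GPU family.
const hardcoded = [1, 2, 3].map(() => webglReport(fakeContext('Example Renderer', true)));
const sanitized = ['GPU family 1', 'GPU family 2', 'GPU family 1']
  .map((g) => webglReport(fakeContext(g, true)));

if (typeof document !== 'undefined') {
  // In a browser, inspect your own context instead of the constructed ones.
  console.log(webglReport(document.createElement('canvas').getContext('webgl')));
} else {
  console.log(buckets(hardcoded).size, buckets(sanitized).size);
}
```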

Fediverse post for comments