# Cloudflare Turnstile requiring fingerprintable WebGL
Source: [https://hacktivis.me/articles/cloudflare-turnstile-webgl-fingerprinting](https://hacktivis.me/articles/cloudflare-turnstile-webgl-fingerprinting)
Since about a week, Cloudflare Turnstile \(their "Verify you're human" device verification\) has been looping indefinitely in my[webkit\-gtk based browser](https://hacktivis.me/projects/badwolf)\. Preventing access to quite few websites \([previously](https://hacktivis.me/articles/blocking%20cloudflare%20IP-range%20be%20like), but it even went worse lately\)\. Turns out it's because Cloudflare wants to have a fingerprint of your device via WebGL, the only reason for doing this would be tracking\.
Screenshot of[Turnstile test page](https://browser-compat.turnstile.workers.dev/), "WebGL renderer info is spoofed"Their pro\-tracking non\-justification copied here just in case:
> Turnstile uses browser fingerprinting to verify you're human\. Privacy tools that block or randomize fingerprinting make your browser look like a bot trying to hide its identity\. Temporarily allowing fingerprinting for this site will fix the issue\.
Such things are blocked in WebKit, and have been for years\. Meaning it's tracking so awful that even Apple would block it, and as far as I can tell it's not the kind of privacy protection you can easily disable in it\. So Cloudflare just**banned all WebKitGTK browsers**as I guess they put an exception for Safari\.
As an aside, if you're wondering, Mozilla Firefox screwed up their WebGL fingerprinting protection:[Bugzilla\#1916271: Gecko reveals sanitized GPU Characteristics; webkit and blink return hardcoded strings for all users](https://bugzilla.mozilla.org/show_bug.cgi?id=1916271)
Screenshot of Turnstile test page on Firefox 145\.0 passing with no issues\.Plus`privacy\.resistfingerprinting`isn't enabled even when selecting "Strict" "Enhanced Privacy Protection" in the settings, great job there Mozilla\. But I guess with it enabled, privacy\-conscious Firefox users might not be able to pass Cloudflare's device verification in the future\.
Screenshot of Turnstile test page on Firefox 145\.0 passing with just "Canvas Randomization Detected"; after enabling`privacy\.resistfingerprinting`manually\.
The article introduces CloakBrowser, an open-source stealth Chromium-based browser designed to bypass bot detection systems like reCAPTCHA and Cloudflare Turnstile. It claims to offer superior stealth capabilities by patching the C++ source code rather than injecting JavaScript, positioning itself as a free alternative to expensive commercial anti-detect browsers.
Headway, a popular online therapy platform, will require clients and providers to undergo biometric facial scanning for identity verification, with no opt-out possible except leaving the platform, raising significant privacy concerns.
A web tool experiment demonstrating how to handle Content Security Policy errors in sandboxed iframes by intercepting fetch requests and prompting users to whitelist domains. The tool was built using GPT-5.5 via the Codex desktop app.
reCAPTCHA Mobile Verification is integrating the Play Integrity API into desktop environments, which could impact user privacy and anti-bot verification.