
Cloudflare Turnstile requiring fingerprintable WebGL

Recorded: May 31, 2026, 3:01 p.m.


Cloudflare Turnstile requiring fingerprintable WebGL - lanodan's cyber-home

published on 2026-05-30T23:31:51Z, last updated on 2026-05-30T23:31:52Z

For about a week, Cloudflare Turnstile (their "Verify you're human"
device verification) has been looping indefinitely in my
webkit-gtk based browser,
preventing access to quite a few websites (it did previously too, but it got even worse lately).

Turns out it's because Cloudflare wants to have a fingerprint of your
device via WebGL; the only reason for doing this would be tracking.

Screenshot of Turnstile test page, "WebGL renderer info is spoofed"

Their pro-tracking non-justification copied here just in case:

Turnstile uses browser fingerprinting to verify you're human.
Privacy tools that block or randomize fingerprinting make
your browser look like a bot trying to hide its identity.
Temporarily allowing fingerprinting for this site will fix the issue.

Such things are blocked in WebKit, and have been for years.
Meaning it's tracking so awful that even Apple would block it,
and as far as I can tell it's not the kind of privacy protection
you can easily disable in it.
So Cloudflare just banned all WebKitGTK browsers as I guess they
put an exception for Safari.

As an aside, if you're wondering, Mozilla Firefox screwed up their
WebGL fingerprinting protection:

Bugzilla#1916271: Gecko reveals sanitized GPU Characteristics; webkit and blink return hardcoded strings for all users

Screenshot of Turnstile test page on Firefox 145.0 passing with no issues.

Plus privacy.resistFingerprinting isn't enabled even
when selecting "Strict" "Enhanced Privacy Protection" in the settings,
great job there, Mozilla.
But I guess with it enabled, privacy-conscious Firefox users might
not be able to pass Cloudflare's device verification in the future.

Screenshot of Turnstile test page on Firefox 145.0 passing with just "Canvas Randomization Detected", after enabling privacy.resistFingerprinting manually.
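
To see what a page can read from your own browser, the following added example (not from the original post, and not Cloudflare's check) collects the WebGL vendor and renderer strings, including the unmasked ones behind the WEBGL_debug_renderer_info extension. The `fakeContext` helper and any strings passed to it are constructed stand-ins so the function also runs outside a browser.

```javascript
// Added example: audit which WebGL identity strings a context exposes.
// `gl` is a WebGLRenderingContext (or a stand-in with the same two methods).
const GL_VENDOR = 0x1f00;   // gl.VENDOR
const GL_RENDERER = 0x1f01; // gl.RENDERER

function webglExposure(gl) {
  if (!gl) {
    return { webgl: false, masked: null, unmasked: null, extraDetail: false };
  }
  const masked = {
    vendor: gl.getParameter(GL_VENDOR),
    renderer: gl.getParameter(GL_RENDERER),
  };
  // The unmasked strings are only reachable through this extension; a
  // browser may refuse it (getExtension returns null) or return fixed values.
  const ext = gl.getExtension("WEBGL_debug_renderer_info");
  const unmasked = ext
    ? {
        vendor: gl.getParameter(ext.UNMASKED_VENDOR_WEBGL),
        renderer: gl.getParameter(ext.UNMASKED_RENDERER_WEBGL),
      }
    : null;
  // extraDetail: the extension reveals something the plain strings do not.
  const extraDetail =
    unmasked !== null &&
    (unmasked.vendor !== masked.vendor || unmasked.renderer !== masked.renderer);
  return { webgl: true, masked, unmasked, extraDetail };
}

// Constructed stand-in for a context (hypothetical helper, not a browser API).
function fakeContext(strings, withExtension) {
  const ext = { UNMASKED_VENDOR_WEBGL: 0x9245, UNMASKED_RENDERER_WEBGL: 0x9246 };
  return {
    getParameter: (p) => (p in strings ? strings[p] : null),
    getExtension: (n) =>
      withExtension && n === "WEBGL_debug_renderer_info" ? ext : null,
  };
}

// In a browser console, audit the real context:
if (typeof document !== "undefined") {
  const canvas = document.createElement("canvas");
  console.log(webglExposure(canvas.getContext("webgl")));
}
```

If `extraDetail` is false or `unmasked` is null, the extension gives a page nothing beyond the plain `VENDOR` and `RENDERER` strings.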


Copyright © 2014 Haelwenn (lanodan) Monnier, distributed under the terms of the FreeArt License 1.3.


The discussion centers on the conflict between Cloudflare Turnstile's requirement for fingerprintable WebGL and user privacy concerns regarding device tracking. The author experienced issues with Cloudflare Turnstile looping indefinitely in their webkit-gtk based browser, which restricted access to certain websites. The core issue stemmed from Cloudflare's reliance on browser fingerprinting mediated through WebGL as a method for device verification, which the author suspected was intended for tracking purposes.

Cloudflare's stated rationale, which the author quotes, is that Turnstile uses browser fingerprinting to verify human users, and that privacy tools which block or randomize this fingerprinting make the browser look like a bot attempting to conceal its identity. Cloudflare suggested that temporarily allowing fingerprinting for the site would resolve the issue. The author points out that such fingerprinting is blocked in WebKit and has been for years, and concludes that Cloudflare has in effect banned WebKitGTK browsers, guessing that an exception exists for Safari.

The author also references related privacy concerns regarding WebGL fingerprinting in other browsers, citing a Firefox bug report (Bugzilla#1916271) which states that Gecko reveals sanitized GPU characteristics, while webkit and blink return hardcoded strings for all users. Furthermore, the author observed that Mozilla's privacy.resistFingerprinting setting is not enabled even when "Strict" "Enhanced Privacy Protection" is selected. The implication is that enabling it might prevent privacy-conscious Firefox users from passing Cloudflare's device verification in the future. Thus, the text frames a tension between verification mechanisms implemented by services like Cloudflare and the desire for privacy protection within modern web browsers.