navigator.userAgent + HTTP User-Agent + sec-ch-ua-*)navigator.hardwareConcurrency, deviceMemory, getBattery, maxTouchPointswidth, height, colorDepth, devicePixelRatio (quantized)UTC) + language (en-US) + Accept-LanguagegetImageData, toDataURL, toBlob, measureText — sub-pixel noiseAudioBuffer.getChannelData, AnalyserNode.getFloatFrequencyData — inaudible noiseUNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL, readPixels, getShaderPrecisionFormatqueryLocalFonts returns []chrome.privacy.network.webRTCIPHandlingPolicy = disable_non_proxied_udpperformance.now precision reduced + jittermousemove/pointermove/wheel/touchmove listeners to 20 Hz with 2-pixel coordinate quantization. Breaks smooth drag and drawing apps; raises mouse-dynamics fingerprinting cost 5–10×. Keystroke jitter + event metadata quantization (Tier A) are always on and not toggleable. See LIMITS.md for the structural leaks (isTrusted, CSS timing, etc.).
On every counterintel probe hit, the graph tracer captures the JavaScript stack and builds a call-graph over the page's code. Functions that touch multiple unrelated fingerprint surfaces but have low in/out connectivity are classified as spokes — dedicated surveillance code rather than framework utilities. When one of these spokes is the immediate caller of a subsequent probe, the null-op escalates: isTrusted→inverted, MutationObserver→silenced, getBoundingClientRect→zero-rect, performance.now→literal 0, listener throttle→never-invoke. Non-spoke callers keep the default null-op.
| Location | Fn | Score | Visits | In / Out | Traps touched |
|---|
Some fingerprinting techniques cannot be blocked from an extension — they use standard DOM APIs in patterns that we can only observe, not interdict. This table shows every origin that has tripped one or more counterintel sensors, highest score first. The sensors: isTrusted reads, MutationObserver style/class watches, PerformanceObserver event entries, getBoundingClientRect polling rate, CSS scroll-timeline, descriptor enumeration, listener density, timing probes, and vendor script URLs.
| Origin | Max | Severity | Top indicators | Last seen |
|---|
Pair algoblocker with Cloudflare WARP and an audit Worker to close the TLS/IP/ASN fingerprint surfaces the extension can't touch. See deploy/cloudflare/ARCHITECTURE.md for the design and cost tiers ($0–$15/mo).
https://algoblocker-audit.yoursubdomain.workers.devdown or mismatch, all HTTP/HTTPS traffic is blocked via a dynamic DNR rule — except requests to the Worker URL itself (so re-check can succeed). Recommended only for strict threat models. Off by default.Open the built-in probe page and compare against a control tab with algoblocker disabled:
External probes will show the spoofed values. If your real values leak, that's a coverage gap — please file it.