
The actual blogpost is here

https://fingerprintjs.com/blog/disabling-javascript-wont-sto...

Basically they use CSS trickery together with server-side stuff.

It's pretty clever.

  @font-face {
    font-family: 'Helvetica';
    src: local('Helvetica'),
         url('/signal/(token)/fontHelvetica')
         format('truetype');
  }
to detect font (which detects OS), and

  @media (featureX: value1) {
    .css_probe_42 {
      background: url('/signal/(token)/featureX/value1');
    }
  }
to detect browser features (which detects browser)
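
Added example, not part of the comment above and not FingerprintJS's code: a small scanner (plain JavaScript, runs under Node.js) that a reviewer could point at a stylesheet to list every URL that is fetched only under a client-side condition, which is the pattern both snippets rely on. The sample stylesheet, the `TOKEN` value and the function names are constructed for illustration, and the font check assumes `local()` is listed before `url()` as in the snippet.

```javascript
// Constructed sample stylesheet, modelled on the two snippets in the comment above.
const SAMPLE_CSS = `
@font-face {
  font-family: 'Helvetica';
  src: local('Helvetica'), url('/signal/TOKEN/fontHelvetica') format('truetype');
}
@media (featureX: value1) {
  .css_probe_42 { background: url('/signal/TOKEN/featureX/value1'); }
}
body { background: url('/img/bg.png'); }
`;

// Return the text between the brace at index `open` and its matching close brace.
function blockBody(css, open) {
  let depth = 0;
  for (let i = open; i < css.length; i++) {
    if (css[i] === '{') depth++;
    else if (css[i] === '}' && --depth === 0) return css.slice(open + 1, i);
  }
  return css.slice(open + 1); // unterminated block: take the rest
}

// List every URL whose fetch depends on a property of the client.
function findCssProbes(css) {
  const findings = [];
  const atRule = /@(font-face|media)\b([^{;]*)\{/g;
  const urlRe = /url\(\s*['"]?([^'")]+)['"]?\s*\)/g;
  const localRe = /local\(\s*['"]?([^'")]+)['"]?\s*\)/g;
  let m;
  while ((m = atRule.exec(css)) !== null) {
    const body = blockBody(css, atRule.lastIndex - 1);
    const urls = [...body.matchAll(urlRe)].map((u) => u[1].trim());
    if (m[1] === 'font-face') {
      // The url() fallback is requested only when the local() font is missing.
      const locals = [...body.matchAll(localRe)].map((l) => l[1].trim());
      if (locals.length === 0) continue; // ordinary web font, nothing conditional
      for (const url of urls) findings.push({ kind: 'font', firesWhen: `not installed: ${locals.join(', ')}`, url });
    } else {
      // Inside @media, url() is requested only when the query matches.
      for (const url of urls) findings.push({ kind: 'media', firesWhen: m[2].trim(), url });
    }
    atRule.lastIndex += body.length; // skip the block just examined
  }
  return findings;
}
```

The unconditional `body` background is not reported, and neither is a plain web font with no `local()` source, because neither request tells the server anything about the client.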


Thanks, I thought I saw the demo before on HN but I was not sure as I couldn't find the domain.

Previous discussion: https://news.ycombinator.com/item?id=29042791


Nice read though..

I was surprised by the amount of CSS tricks used for fingerprinting all while having js disabled.

A few days ago, I came across this "GPU fingerprinting" called "DrawnApart" => https://blog.amiunique.org/an-explicative-article-on-drawnap...

and was thinking that this must be the most advanced fingerprinting approach so far but after reading your article, I have to reconsider!


Eh. It's been pretty easy to fingerprint browsers for a while now, including those types of CSS hacks. The real feat is doing so without looking like you're doing it and for it to be durable (survive OS upgrades, reboots, etc).


navigator.userAgent will still have a more precise answer, as the number of people who fake their useragent (or have JS disabled) is less than the number of Windows/Linux users that have Helvetica (clone/real one) installed.



