Skip to content

feat: enhance fingerprinting system with audio_v2, canvas_v2, WebGL2, and spoofing detection#91

Merged
IntegerAlex merged 14 commits into
mainfrom
copilot/enhance-fingerprinting-system
Jun 14, 2026
Merged

feat: enhance fingerprinting system with audio_v2, canvas_v2, WebGL2, and spoofing detection#91
IntegerAlex merged 14 commits into
mainfrom
copilot/enhance-fingerprinting-system

Conversation

Copilot AI commented Apr 21, 2026

Copy link
Copy Markdown
Contributor
  • Analyze Fingerprint-OSS codebase and reference repos (creepjs, thumbmarkjs)
  • Create src/enhanced.ts with new fingerprinting functions
  • Update src/types.ts with new enhanced interfaces
  • Update src/systemInfo.ts to collect enhanced data
  • Export new functions from src/index.ts
  • Apply PR review feedback (audio, canvas fast paths, camelCase, non-enumerable, parallel, viewport)
  • Simplify 2-frame canvas stabilisation: always uses stable.set(frames[0].data) — the ternary was redundant since both branches returned data0[i]

Note

Add audio_v2, canvas_v2, WebGL2, and spoofing detection to fingerprinting

  • Adds getEnhancedAudioFingerprint using OfflineAudioContext to produce a deterministic audio fingerprint and detect sample tampering via getChannelData vs copyFromChannel comparison
  • Adds getEnhancedCanvasFingerprint that renders a fixed scene 3 times and takes the per-byte majority value to neutralize per-call noise, returning a SHA-256 hash
  • Adds getEnhancedWebGL2Info to collect vendor/renderer strings, implementation limits, shader precision formats, and extension hashes
  • Adds detectSpoofing that aggregates headless/anti-fingerprinting indicators (e.g. navigator.webdriver, missing window.chrome, software renderer) into a weighted score and boolean verdict
  • All enhanced signals are collected concurrently and attached as a non-enumerable enhanced property on the getSystemInfo return value, leaving JSON.stringify and Object.keys output unchanged

Changes since #91 opened

  • Modified dependency entries in package-lock.json [f3d01a7]
  • Upgraded fingerprint-oss dependency from version 0.9.5 to 0.9.6 [970b44a]
  • Updated version displays throughout the demo application UI to show version 0.9.6 [970b44a]
  • Bumped the repository package version from 0.9.5 to 0.9.6 [970b44a]

Macroscope summarized fb74a16.

Copilot AI and others added 4 commits April 21, 2026 19:01
Agent-Logs-Url: https://github.com/IntegerAlex/fingerprint-oss/sessions/468aec40-8202-4659-95bf-c8644f4f9774

Co-authored-by: IntegerAlex <84370725+IntegerAlex@users.noreply.github.com>
…bGL2, spoofing detection

Agent-Logs-Url: https://github.com/IntegerAlex/fingerprint-oss/sessions/468aec40-8202-4659-95bf-c8644f4f9774

Co-authored-by: IntegerAlex <84370725+IntegerAlex@users.noreply.github.com>
…t Uint8Array hashing

Agent-Logs-Url: https://github.com/IntegerAlex/fingerprint-oss/sessions/468aec40-8202-4659-95bf-c8644f4f9774

Co-authored-by: IntegerAlex <84370725+IntegerAlex@users.noreply.github.com>
@netlify

netlify Bot commented Apr 21, 2026

Copy link
Copy Markdown

Deploy Preview for clever-starlight-3034ea failed. Why did it fail? →

Name Link
🔨 Latest commit 29726a1
🔍 Latest deploy log https://app.netlify.com/projects/clever-starlight-3034ea/deploys/69e7d15e9d2cb300082f9da6

@netlify

netlify Bot commented Apr 21, 2026

Copy link
Copy Markdown

Deploy Preview for fingerprint-oss failed. Why did it fail? →

Name Link
🔨 Latest commit 970b44a
🔍 Latest deploy log https://app.netlify.com/projects/fingerprint-oss/deploys/6a2e3daaae07a80008f2b535

@CLAassistant

CLAassistant commented Apr 21, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ IntegerAlex
❌ Copilot
You have signed the CLA already but the status is still pending? Let us recheck it.

Comment thread src/enhanced.ts
Comment thread src/enhanced.ts Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends the fingerprinting pipeline by adding an optional enhanced namespace to SystemInfo, collecting additional (noise-stabilized / higher-entropy) signals and a spoofing/headless score while keeping existing outputs and hashing behavior backward-compatible.

Changes:

  • Adds src/enhanced.ts with audio_v2, canvas_v2, webgl2, spoofing detection, and entropy scoring, plus an aggregate collectEnhancedFingerprint().
  • Extends SystemInfo typing to include enhanced?: EnhancedFingerprintInfo.
  • Wires enhanced collection into getSystemInfo() and re-exports the new APIs/types via src/index.ts.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

File Description
src/enhanced.ts Implements enhanced signal collection (audio/canvas/WebGL2) + spoofing scoring + entropy estimates.
src/types.ts Adds new enhanced interfaces and attaches enhanced? to SystemInfo.
src/systemInfo.ts Calls collectEnhancedFingerprint() and stores result under systemInfo.enhanced.
src/index.ts Exposes enhanced functions/constants/types as named exports and on the default export object.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/enhanced.ts Outdated
Comment thread src/enhanced.ts Outdated
Comment thread src/types.ts Outdated
Comment thread src/systemInfo.ts Outdated
Comment thread src/systemInfo.ts Outdated
Comment thread src/enhanced.ts Outdated
@IntegerAlex

Copy link
Copy Markdown
Owner

@copilot apply changes based on the comments in this thread

Copilot AI and others added 2 commits April 21, 2026 19:33
…aths, camelCase keys, non-enumerable enhanced, parallel collection, viewport guard

Agent-Logs-Url: https://github.com/IntegerAlex/fingerprint-oss/sessions/84a490dd-5714-45ad-a17a-6e48d30f8eea

Co-authored-by: IntegerAlex <84370725+IntegerAlex@users.noreply.github.com>

Copilot AI commented Apr 21, 2026

Copy link
Copy Markdown
Contributor Author

@copilot apply changes based on the comments in this thread

Applied all review comments in commit 8500629 (plus a minor follow-up in 29726a1):

  1. Audio pre-render checkgetFloatFrequencyData now runs before startRendering() so it correctly tests pre-render silence state.
  2. Canvas fast paths – replaced per-byte Map allocations with: direct set() for 1 frame; set() for 2 frames (always prefer first frame as tie-break); branchless majority-vote (a===b||a===c?a:b===c?b:a) for 3 frames; reusable Uint16Array(256) counts buffer for N-frame generic fallback.
  3. camelCase keys – renamed audio_v2/canvas_v2/fp_versionaudioV2/canvasV2/fpVersion.
  4. Non-enumerable enhanced – attached via Object.defineProperty({enumerable: false}) so generateId/JSON.stringify are unaffected.
  5. Parallel collectioncollectEnhancedFingerprint() Promise is started before the first await in getSystemInfo().
  6. visualViewport guard – changed ||&&, added typeof screen !== 'undefined' guard.

Comment thread src/systemInfo.ts
Comment on lines +174 to +176
// baseline async signals (incognito, adBlocker, audio, webGL, cores).
const enhancedPromise = collectEnhancedFingerprint();

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 High src/systemInfo.ts:174

If any intermediate await (e.g., detectIncognito() at line 178) throws before line 256, enhancedPromise is never awaited, causing an unhandled promise rejection when collectEnhancedFingerprint() eventually rejects. This can crash Node.js configured with --unhandled-rejections=throw. Consider chaining .catch(() => {}) to enhancedPromise immediately after creation to suppress unhandled rejection warnings.

        // Start enhanced collection early so it runs in parallel with the
         // baseline async signals (incognito, adBlocker, audio, webGL, cores).
-        const enhancedPromise = collectEnhancedFingerprint();
+        const enhancedPromise = collectEnhancedFingerprint().catch(() => undefined);
 
         // Check for incognito mode
         const incognitoMode = await detectIncognito();
🚀 Reply "fix it for me" or copy this AI Prompt for your agent:
In file src/systemInfo.ts around lines 174-176:

If any intermediate `await` (e.g., `detectIncognito()` at line 178) throws before line 256, `enhancedPromise` is never awaited, causing an unhandled promise rejection when `collectEnhancedFingerprint()` eventually rejects. This can crash Node.js configured with `--unhandled-rejections=throw`. Consider chaining `.catch(() => {})` to `enhancedPromise` immediately after creation to suppress unhandled rejection warnings.

Evidence trail:
src/systemInfo.ts lines 175-178 (enhancedPromise creation and first intermediate await), lines 185, 207, 210, 217 (additional intermediate awaits), line 255 (where enhancedPromise is finally awaited), src/incognito.ts line 372 (`main().catch(reject)` showing detectIncognito can reject)

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fix it for me

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm working on the fix now. Adding .catch(() => undefined) to enhancedPromise to suppress unhandled rejection warnings.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was unable to create the branch macroscope/copilot/enhance-fingerprinting-system. This may be due to your branch protection rules. For more information, see the documentation at https://docs.macroscope.com/fix-it-for-me.

@IntegerAlex

Copy link
Copy Markdown
Owner

@macroscope-app review

@macroscopeapp

macroscopeapp Bot commented Apr 21, 2026

Copy link
Copy Markdown

Review in progress. Results will be posted when complete.

@IntegerAlex IntegerAlex marked this pull request as ready for review April 21, 2026 19:42
@IntegerAlex

Copy link
Copy Markdown
Owner

@macroscope-app review

@macroscopeapp

macroscopeapp Bot commented Apr 21, 2026

Copy link
Copy Markdown

Review in progress. Results will be posted when complete.

@macroscopeapp

macroscopeapp Bot commented Apr 21, 2026

Copy link
Copy Markdown

Approvability

Verdict: Needs human review

1 blocking correctness issue found. Diff is too large for automated approval analysis. A human reviewer should evaluate this PR.

You can customize Macroscope's approvability policy. Learn more.

@netlify

netlify Bot commented Jun 13, 2026

Copy link
Copy Markdown

Deploy Preview for clever-starlight-3034ea failed. Why did it fail? →

Name Link
🔨 Latest commit 970b44a
🔍 Latest deploy log https://app.netlify.com/projects/clever-starlight-3034ea/deploys/6a2e3daa56d017000870f9b3

IntegerAlex and others added 3 commits June 14, 2026 00:59
- Add permissions: contents: read to ci.yml and playwright_tests.yml (code scanning #2, #3)
- Fix Dependabot alerts: upgrade transitive deps via npm audit fix
- Add npm overrides to force safe versions of postcss, esbuild, qs, uuid, etc.
- All 4 packages now report 0 vulnerabilities
fix: resolve all security vulnerabilities and code scanning alerts
@socket-security

socket-security Bot commented Jun 13, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedfingerprint-oss@​0.9.600000
Addedvite@​8.0.16991008296100
Updatedstart-server-and-test@​2.1.3 ⏵ 2.1.598 +110010095 +1100

View full report

@socket-security

socket-security Bot commented Jun 13, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm webpack is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: fingerprint-oss-docs/package-lock.jsonnpm/webpack@5.107.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.107.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

IntegerAlex and others added 2 commits June 14, 2026 01:18
- Regenerate lockfiles with npm install to ensure package.json/lock sync
- Add .npmrc with legacy-peer-deps for demo (react-day-picker peer dep)
- All 4 packages pass npm ci and report 0 vulnerabilities
fix: regenerate all lockfiles for npm ci compatibility
@IntegerAlex

Copy link
Copy Markdown
Owner

@macroscope-app review

@macroscopeapp

macroscopeapp Bot commented Jun 13, 2026

Copy link
Copy Markdown

Review in progress. Results will be posted when complete.

- Add permissions: contents: read to ci.yml and playwright_tests.yml
- Add npm overrides for postcss, esbuild, uuid, qs, etc. to force safe versions
- Add .npmrc with legacy-peer-deps for demo (react-day-picker peer dep conflict)
- Regenerate all lockfiles to be in sync with package.json
- All 4 packages report 0 vulnerabilities
@IntegerAlex IntegerAlex merged commit 9ef95a5 into main Jun 14, 2026
11 of 20 checks passed
@IntegerAlex IntegerAlex deleted the copilot/enhance-fingerprinting-system branch June 14, 2026 05:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants