Cloudflare Turnstile requiring fingerprintable WebGL
Cloudflare’s Turnstile, a device verification system designed to confirm users are human, has recently begun requiring WebGL fingerprinting, causing significant access issues for users of certain privacy-focused browsers. Users of WebKitGTK-based browsers have reported indefinite looping on Turnstile verification pages, effectively blocking access to numerous websites. This change appears to stem from Cloudflare’s reliance on WebGL device fingerprinting, a method that collects detailed hardware and software information to uniquely identify devices, raising privacy concerns.
WebKitGTK, a browser engine used in various Linux-based browsers, has long blocked or spoofed WebGL fingerprinting to protect user privacy. Cloudflare’s new requirement conflicts with this protection, leading to a de facto ban on WebKitGTK browsers for sites using Turnstile. While Safari, which also uses WebKit, seems exempt from this restriction, the broader WebKitGTK ecosystem faces significant usability challenges. Cloudflare justifies the use of fingerprinting by claiming it helps distinguish legitimate users from bots, but critics argue this amounts to invasive tracking rather than genuine security.
Mozilla Firefox users currently face a different situation. Firefox’s fingerprinting protections have been less stringent, with the browser returning sanitized or hardcoded WebGL information that allows Turnstile verification to pass without issue. However, enabling Firefox’s more aggressive privacy features, such as resistFingerprinting, may soon prevent users from passing Turnstile checks, potentially limiting access for privacy-conscious users. This highlights the tension between privacy tools designed to reduce tracking and security systems that rely on device fingerprinting.
The Cloudflare Turnstile WebGL fingerprinting requirement underscores ongoing conflicts between user privacy and web security measures. As fingerprinting techniques become more prevalent in bot detection, privacy-focused browsers and users may face increasing barriers online. The situation raises broader questions about the balance between preventing automated abuse and preserving user anonymity, especially as major browser vendors implement varying levels of fingerprinting resistance.
Original story by Hacker News • View original source