Cromite provides comprehensive protection against browser fingerprinting through API disabling, spoofing, and active mitigations. Fingerprinting is a tracking technique that creates unique identifiers based on your browser and device characteristics.

Disabled APIs

Cromite disables numerous APIs that can be used for fingerprinting:
APIs that expose device-specific information:
APIs that can fingerprint via rendering or media capabilities:
  • WebGL - Disabled by default
    • Prevents GPU fingerprinting via rendering
    • Major fingerprinting vector when enabled
  • WebGPU - Disabled
    • Prevents next-generation GPU fingerprinting
  • Canvas API - Mitigations enabled (not fully disabled)
    • Active fingerprinting mitigations applied
    • Adds noise to canvas rendering
  • DRM media - Disabled
    • Prevents Encrypted Media Extensions fingerprinting
  • SpeechSynthesis API - Disabled
    • Prevents voice enumeration fingerprinting
APIs that directly identify or profile users:
APIs that enable network-based fingerprinting:

Active Mitigations

For APIs that cannot be completely disabled without breaking functionality, Cromite applies active fingerprinting mitigations:

Canvas and Rect API

Canvas fingerprinting is one of the most powerful fingerprinting techniques. Cromite enables canvas fingerprinting mitigations that add noise to canvas rendering operations.
How it works:
  • Adds imperceptible noise to canvas pixel data
  • Makes canvas fingerprints unique per session/domain
  • Maintains visual appearance for legitimate use
  • Breaks canvas-based fingerprinting scripts
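The behaviour in the list above can be modelled in a few lines of Node.js. This is an added example, not Cromite's code: it assumes the noise is derived with HMAC from a per-session key and the site name and stays stable within one session and site, and all function names and sample values are made up for illustration.

```javascript
// Added model of keyed canvas noise; an assumption, not Cromite's implementation.
const { createHmac, createHash } = require("node:crypto");

// Noise bits bound to one browsing session (key) and one site.
function noiseBits(sessionKey, site, nBits) {
  const out = [];
  for (let block = 0; out.length < nBits; block++) {
    const mac = createHmac("sha256", sessionKey).update(`${site}|${block}`).digest();
    for (const byte of mac)
      for (let b = 0; b < 8 && out.length < nBits; b++) out.push((byte >> b) & 1);
  }
  return out;
}

// Flip the lowest bit of R, G and B where the keystream says so; alpha is untouched.
function addCanvasNoise(rgba, sessionKey, site) {
  const noisy = Uint8ClampedArray.from(rgba);
  const bits = noiseBits(sessionKey, site, (rgba.length / 4) * 3);
  for (let i = 0, k = 0; i < noisy.length; i += 4)
    for (let c = 0; c < 3; c++) noisy[i + c] ^= bits[k++];
  return noisy;
}

// The value a tracking script would derive from a canvas readback.
const fingerprint = (rgba) =>
  createHash("sha256").update(Buffer.from(rgba)).digest("hex").slice(0, 16);

const maxChannelDelta = (a, b) => a.reduce((m, v, i) => Math.max(m, Math.abs(v - b[i])), 0);

// Constructed sample: 8x8 RGBA gradient standing in for getImageData() output.
function sampleImage() {
  const px = new Uint8ClampedArray(8 * 8 * 4);
  for (let i = 0; i < px.length; i += 4) px.set([i % 256, (i * 3) % 256, 128, 255], i);
  return px;
}

function demo() {
  const raw = sampleImage();
  const read = (key, site) => addCanvasNoise(raw, key, site);
  return {
    raw: fingerprint(raw),
    siteA: fingerprint(read("constructed-session-1", "a.example")),
    siteAAgain: fingerprint(read("constructed-session-1", "a.example")),
    siteB: fingerprint(read("constructed-session-1", "b.example")),
    siteANextSession: fingerprint(read("constructed-session-2", "a.example")),
    maxDelta: maxChannelDelta(raw, read("constructed-session-1", "a.example")),
  };
}
console.log(demo());
```

No channel moves by more than one step out of 255, yet the hash a script would store differs from the unmodified image, from site to site, and from session to session.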

Media API Mitigations

Cromite implements comprehensive media API fingerprinting protections:
Audio fingerprinting uses subtle differences in audio processing to identify browsers.
Protected APIs:
  • AudioBuffer - Adds noise to audio buffer data
  • AnalyserNode - Protects frequency analysis data
Reference: https://fingerprint.com/blog/audio-fingerprinting/
How it works:
  • Adds imperceptible noise to audio processing
  • Randomizes timing information
  • Maintains audio quality for playback

MediaDevice ID Partitioning

MediaDevice IDs (camera, microphone identifiers) are partitioned by default, preventing cross-site device tracking.
Behavior:
  • Each site sees different MediaDevice IDs
  • Same device has different ID per site
  • Prevents device-based tracking

WebRTC Protections

WebRTC is disabled by default, but when enabled, Cromite protects against IP address leakage.
  • Do not expose local IP addresses with WebRTC
  • WebRTC disabled by default (can be enabled per-site)
  • Prevents WebRTC IP leak vulnerability

Spoofing and Overrides

Cromite spoofs or randomizes several fingerprinting vectors:

navigator.language

Language API overridden to prevent language fingerprinting

navigator.connection

Connection info spoofed to prevent network fingerprinting

navigator.deviceMemory

Device memory spoofed to prevent hardware fingerprinting

navigator.hardwareConcurrency

CPU core count spoofed to prevent CPU fingerprinting

Timezone Protection

Cromite allows you to specify a custom timezone or use a random one, preventing timezone-based fingerprinting and correlation.
Options:
  • Use system timezone (default, fingerprinting risk)
  • Specify custom timezone (e.g., UTC)
  • Use random timezone per session
  • Use random timezone per domain

Viewport Protection

Viewport Protection site setting - Prevents screen resolution and window size fingerprinting
Viewport dimensions are a strong fingerprinting signal. Viewport protection normalizes or randomizes viewport information.

Incognito Mode Protections

Cromite includes hardening against incognito mode detection, preventing sites from determining if you’re browsing in incognito mode.
Many fingerprinting scripts detect incognito mode through:
  • FileSystem API availability
  • Quota API responses
  • Storage behavior differences
Cromite normalizes these behaviors to prevent detection.

Network Fingerprinting Protections

Remote AltSvc Restrictions

  • Disable remote altsvc for h3 connections on non-443 port
    • Prevents HTTP/3 QUIC fingerprinting on non-standard ports

Multi-Screen Window Placement API

  • Multi-Screen Window Placement API fix - Fixes screen.isExtended fingerprinting
    • Prevents multi-monitor configuration fingerprinting

Private Network Access

  • Private network access content settings - Prevents probing of local network resources for fingerprinting

DocumentPiP API Restriction

The DocumentPiP API is only allowed when the popup content setting is explicitly allowed.

Platform-Specific Protections

Android

  • Do not follow night mode for dark mode preference when theme is set to system default
    • Prevents dark mode fingerprinting
  • Replaces system fonts with a predefined set

Desktop

  • Enable HighEfficiencyMode by default
    • Normalizes performance characteristics
  • Enable percent-based scrolling for mousewheel
    • Prevents scroll fingerprinting
  • Enable Keyboard Layout API mitigation
    • Prevents keyboard layout fingerprinting
  • Disable Bluetooth API by default
    • Prevents Bluetooth device enumeration

Windows

  • Disable Windows ClearType Text Tuner setting (active in RDP sessions)
    • Prevents font rendering fingerprinting
  • Hide presence of webcam if user has not given permission
    • Prevents webcam enumeration fingerprinting
  • PublicKeyCredential fingerprinting mitigations
    • Protects WebAuthn from fingerprinting
    • See: #1758
  • Disable use of non-standard and local fonts
    • Prevents font enumeration fingerprinting
    • Major fingerprinting vector eliminated

Hardware Security

Cromite displays a warning message for unsupported hardware AES.
Some fingerprinting techniques detect hardware cryptography support. The warning helps users understand when their hardware lacks AES acceleration, which could be used for fingerprinting.

Trade-offs

Important considerations:
Anti-fingerprinting protections can break some legitimate functionality:
  • WebGL disabled - Breaks WebGL games and 3D visualizations
  • Canvas noise - May break canvas-based captchas (rare)
  • Spoofed navigator properties - May cause incorrect language/locale detection
  • Disabled APIs - Some web apps require gamepad, WebRTC, or other APIs
Recommendation: Enable features per-site as needed via site settings.

Testing Your Fingerprint

You can test Cromite’s anti-fingerprinting effectiveness using:
With Cromite’s anti-fingerprinting features enabled, you should see:
  • Many APIs reported as “not available”
  • Randomized canvas/audio fingerprints
  • Normalized navigator properties
  • Hidden device characteristics
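One way to check the first item in the list above from a browser console, as an added example that is not part of Cromite or its documentation: the property names are standard web platform APIs, while `probeSurface`, `stillExposed` and the two sample profiles are hypothetical and constructed here.

```javascript
// Added example: presence checks only. An API that is present can still return
// empty or spoofed data, so read "exposed" as "worth inspecting", not as a leak.
function probeSurface(win) {
  const nav = win.navigator || {};
  const canvasContext = (type) => {
    try {
      return win.document.createElement("canvas").getContext(type) !== null;
    } catch {
      return false; // no DOM available, or context creation refused
    }
  };
  return {
    webgl: canvasContext("webgl") || canvasContext("webgl2"),
    webgpu: "gpu" in nav,
    speechSynthesis: "speechSynthesis" in win,
    encryptedMedia: typeof nav.requestMediaKeySystemAccess === "function",
    bluetooth: "bluetooth" in nav,
    webrtc: typeof win.RTCPeerConnection === "function",
  };
}

// APIs this page lists as disabled by default.
const EXPECTED_OFF = ["webgl", "webgpu", "speechSynthesis", "encryptedMedia", "bluetooth", "webrtc"];

// Names of the APIs that are still reachable and deserve a closer look.
function stillExposed(report) {
  return EXPECTED_OFF.filter((name) => report[name]);
}

// Constructed stand-ins for `window`, so the snippet also runs outside a browser.
const fakeCanvas = (ok) => ({ getContext: () => (ok ? {} : null) });
const defaultProfile = {
  document: { createElement: () => fakeCanvas(true) },
  navigator: { gpu: {}, bluetooth: {}, requestMediaKeySystemAccess() {} },
  speechSynthesis: {},
  RTCPeerConnection: function () {},
};
const hardenedProfile = {
  document: { createElement: () => fakeCanvas(false) },
  navigator: {},
};

console.log(stillExposed(probeSurface(defaultProfile)));
console.log(stillExposed(probeSurface(hardenedProfile)));
```

In a browser console, run `stillExposed(probeSurface(window))`; after enabling an API for a site through site settings, it should appear in the result for that site only.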
