The hardcoded DefaultChromiumUserAgent said Chrome/131 while the
installed Chromium was v136. Chromium's sec-ch-ua header is generated
from the real engine version, so sites comparing User-Agent against
sec-ch-ua detected the mismatch as bot traffic and returned 403.
Now the User-Agent is built after browser launch using browser.Version(),
keeping the Chrome/N token in sync with sec-ch-ua's Chromium;v="N".
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace static stealthChromiumScripts and stealthFirefoxScripts slices
with builder functions that accept hardware profile structs. Each browser
session now randomly selects from a pool of 6 realistic profiles per
engine, and Chromium connection stats receive per-session jitter (±20ms
RTT, ±2 Mbps downlink). This prevents anti-bot systems from correlating
sessions via identical WebGL, connection, mozInnerScreen, and
hardwareConcurrency fingerprints.
Closes#71
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The stealth system previously injected all 12 init scripts unconditionally
into every browser engine. Chromium-specific scripts (window.chrome stubs,
ANGLE WebGL strings, CDP cleanup, HeadlessChrome UA strip) were no-ops or
actively suspicious on Firefox, while Firefox-specific headless vectors
were unaddressed.
Split stealthInitScripts into three categories:
- stealthCommonScripts (4): webdriver, outerWidth/Height, permissions, Notification
- stealthChromiumScripts (8): existing Chromium-specific scripts
- stealthFirefoxScripts (5): new Firefox-specific stealth:
- navigator.webdriver getOwnPropertyDescriptor hardening
- WebGL renderer spoof with Mesa/Intel strings
- mozInnerScreenX/Y non-zero spoof
- navigator.hardwareConcurrency normalization
- PDF.js plugin list override
browser_init.go now selects common + engine-specific scripts based on
opt.Browser. Tests updated with per-category validation and cross-
contamination checks.
Closes#69
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add 7 new init scripts to cover WebGL fingerprinting, missing Chrome
APIs, permissions behavior, CDP artifacts, and HeadlessChrome UA string.
Enable Chromium's new headless mode (Channel: "chromium") when stealth
is active to use the full UI layer that is harder to detect.
Closes#58
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add anti-bot-detection evasion support to reduce blocking by sites like
archive.ph. Stealth mode is enabled by default for all browsers and applies
common evasions: navigator.webdriver override, plugin/mimeType spoofing,
window.chrome stub, and outerWidth/outerHeight fixes. For Chromium,
--disable-blink-features=AutomationControlled is also added.
New BrowserOptions fields:
- Stealth *bool: toggle stealth presets (default true)
- LaunchArgs []string: custom browser launch arguments
- InitScripts []string: JavaScript injected before page scripts
Closes#56
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
steve