Add Firefox-specific stealth and split browser-conditional init scripts #69

New Issue

Closed

opened 2026-02-24 01:13:21 +00:00 by Claude · 2 comments

Claude commented 2026-02-24 01:13:21 +00:00

Collaborator

Copy Link

Parent Epic: #68

Problem

All 12 stealth init scripts in stealth.go were written for Chromium but are injected unconditionally into every browser engine, including Firefox. On Firefox:

• window.chrome property injection is meaningless (Firefox doesn't have it natively)
• Chrome PDF plugin spoofing adds suspicious plugins that Firefox shouldn't have
• HeadlessChrome UA stripping targets a string Firefox never contains
• navigator.webdriver override works but the approach differs between engines
• Firefox-specific headless detection vectors (e.g. navigator.languages inconsistencies, missing mozInnerScreenX, document.fonts enumeration differences) are completely unaddressed

This means Firefox sessions are more fingerprintable than no stealth at all — the Chromium-specific spoofing makes the browser look like it's trying to fake being Chrome while running Firefox.

Proposed Solution

1. Categorize existing scripts into three groups:

   • Common — works on all engines (e.g. navigator.webdriver, permissions API)
   • Chromium-only — window.chrome, Chrome plugins, HeadlessChrome UA fix
   • Firefox-only — new scripts for Firefox-specific vectors

2. Gate injection by browser engine:

   scripts := stealthCommonScripts
   if opt.Browser == BrowserChromium {
       scripts = append(scripts, stealthChromiumScripts...)
   } else if opt.Browser == BrowserFirefox {
       scripts = append(scripts, stealthFirefoxScripts...)
   }
   

3. Add Firefox-specific stealth scripts:

   • Consistent navigator.languages (match Accept-Language header)
   • Consistent navigator.hardwareConcurrency (Firefox headless sometimes reports 2)
   • Consistent navigator.platform values
   • Override document.fonts.check() to return typical font availability
   • Spoof mozInnerScreenX/mozInnerScreenY to non-zero values

Files to Modify

• stealth.go — split script slices, add Firefox scripts
• browser_init.go — conditional injection based on opt.Browser
• stealth_test.go — tests for each script category

References

• #58, #59 — original stealth implementation
• #68 — parent epic

**Parent Epic:** #68 ## Problem All 12 stealth init scripts in `stealth.go` were written for Chromium but are injected unconditionally into every browser engine, including Firefox. On Firefox: - `window.chrome` property injection is meaningless (Firefox doesn't have it natively) - Chrome PDF plugin spoofing adds suspicious plugins that Firefox shouldn't have - `HeadlessChrome` UA stripping targets a string Firefox never contains - `navigator.webdriver` override works but the approach differs between engines - Firefox-specific headless detection vectors (e.g. `navigator.languages` inconsistencies, missing `mozInnerScreenX`, `document.fonts` enumeration differences) are completely unaddressed This means Firefox sessions are **more** fingerprintable than no stealth at all — the Chromium-specific spoofing makes the browser look like it's trying to fake being Chrome while running Firefox. ## Proposed Solution 1. **Categorize existing scripts** into three groups: - **Common** — works on all engines (e.g. `navigator.webdriver`, permissions API) - **Chromium-only** — `window.chrome`, Chrome plugins, `HeadlessChrome` UA fix - **Firefox-only** — new scripts for Firefox-specific vectors 2. **Gate injection by browser engine:** ```go scripts := stealthCommonScripts if opt.Browser == BrowserChromium { scripts = append(scripts, stealthChromiumScripts...) } else if opt.Browser == BrowserFirefox { scripts = append(scripts, stealthFirefoxScripts...) } ``` 3. **Add Firefox-specific stealth scripts:** - Consistent `navigator.languages` (match Accept-Language header) - Consistent `navigator.hardwareConcurrency` (Firefox headless sometimes reports 2) - Consistent `navigator.platform` values - Override `document.fonts.check()` to return typical font availability - Spoof `mozInnerScreenX`/`mozInnerScreenY` to non-zero values ## Files to Modify - `stealth.go` — split script slices, add Firefox scripts - `browser_init.go` — conditional injection based on `opt.Browser` - `stealth_test.go` — tests for each script category ## References - #58, #59 — original stealth implementation - #68 — parent epic

Claude added the enhancementpriority/hightype/task labels 2026-02-24 01:13:48 +00:00

Claude referenced this issue 2026-02-24 01:14:00 +00:00

Epic: Improve headless browser stealth against anti-bot detection #68

Claude referenced this issue 2026-02-24 01:18:16 +00:00

Epic: Improve headless browser stealth against anti-bot detection #68

Claude commented 2026-02-24 01:18:23 +00:00

Author

Collaborator

Copy Link

Starting implementation. Plan:

Script categorization:

• Common (all engines, 4 scripts): navigator.webdriver override, outerWidth/outerHeight fix, navigator.permissions.query override, Notification constructor stub
• Chromium-only (8 scripts): navigator.plugins (Chrome PDFs), navigator.mimeTypes, window.chrome stub, chrome.app/csi/loadTimes, WebGL spoof (ANGLE strings), navigator.connection, CDP cleanup (cdc_*), HeadlessChrome UA strip
• Firefox-only (5 new scripts): Firefox navigator.webdriver hardening (getOwnPropertyDescriptor), WebGL spoof (Mesa/Intel strings), mozInnerScreenX/Y spoof, navigator.hardwareConcurrency normalization, Firefox PDF.js plugin list

Files to modify: stealth.go, browser_init.go, stealth_test.go

Branch: fix/69-firefox-stealth-scripts

Starting implementation. Plan: **Script categorization:** - **Common (all engines, 4 scripts):** `navigator.webdriver` override, `outerWidth/outerHeight` fix, `navigator.permissions.query` override, `Notification` constructor stub - **Chromium-only (8 scripts):** `navigator.plugins` (Chrome PDFs), `navigator.mimeTypes`, `window.chrome` stub, `chrome.app/csi/loadTimes`, WebGL spoof (ANGLE strings), `navigator.connection`, CDP cleanup (`cdc_*`), `HeadlessChrome` UA strip - **Firefox-only (5 new scripts):** Firefox `navigator.webdriver` hardening (`getOwnPropertyDescriptor`), WebGL spoof (Mesa/Intel strings), `mozInnerScreenX/Y` spoof, `navigator.hardwareConcurrency` normalization, Firefox PDF.js plugin list **Files to modify:** `stealth.go`, `browser_init.go`, `stealth_test.go` Branch: `fix/69-firefox-stealth-scripts`

Claude referenced this issue from a commit 2026-02-24 01:20:44 +00:00

fix: split stealth init scripts by browser engine and add Firefox stealth

Claude referenced a pull request that will close this issue 2026-02-24 01:20:53 +00:00

fix: split stealth scripts by browser engine, add Firefox stealth #72

Claude commented 2026-02-24 01:20:59 +00:00

Author

Collaborator

Copy Link

Implementation complete. PR: #72

What was done:

• Split stealthInitScripts into stealthCommonScripts (4), stealthChromiumScripts (8), and stealthFirefoxScripts (5 new)
• browser_init.go now selects common + engine-specific scripts via switch opt.Browser
• Added 5 Firefox stealth scripts: webdriver getOwnPropertyDescriptor hardening, Mesa/Intel WebGL spoof, mozInnerScreenX/Y fix, hardwareConcurrency normalization, PDF.js plugin list
• Tests cover per-category counts, content checks, no-overlap, and cross-contamination guards
• All builds, tests, and vet pass cleanly

Implementation complete. PR: #72 **What was done:** - Split `stealthInitScripts` into `stealthCommonScripts` (4), `stealthChromiumScripts` (8), and `stealthFirefoxScripts` (5 new) - `browser_init.go` now selects common + engine-specific scripts via `switch opt.Browser` - Added 5 Firefox stealth scripts: webdriver `getOwnPropertyDescriptor` hardening, Mesa/Intel WebGL spoof, `mozInnerScreenX/Y` fix, `hardwareConcurrency` normalization, PDF.js plugin list - Tests cover per-category counts, content checks, no-overlap, and cross-contamination guards - All builds, tests, and vet pass cleanly

steve closed this issue 2026-02-24 01:23:25 +00:00

Claude referenced this issue 2026-02-24 01:26:34 +00:00

Epic: Improve headless browser stealth against anti-bot detection #68

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

No results found.

Labels

Clear labels

bug

Something isn't working correctly

claude

Trigger — Steve has marked this issue for Claude to work on.

claude:blocked

Blocked — Waiting on a dependency (another issue/repo).

claude:review

In Review — PR created, awaiting human review/merge.

claude:running

Active — A Claude instance is currently working on this.

documentation

Documentation improvements or additions

enhancement

New feature or improvement to existing functionality

performance

Performance optimization or resource usage improvement

priority/critical

Showstopper — security vulnerability, data loss, or crash in production

priority/high

Important — significant bug or high-value improvement

priority/low

Nice to have — minor improvement or cleanup

priority/medium

Normal — standard improvement or non-critical bug

security

Security-related issue or vulnerability

testing

Test coverage, test infrastructure, or test improvements

type/epic

Parent issue grouping related stories/tasks

type/refactor

Code restructuring without behavior change

type/task

Concrete implementation work item

No Label enhancement priority/high type/task

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Claude fizi steve

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: steve/go-extractor#69