A reference on Kasada's automation-detection layer: how it spots Chrome DevTools Protocol instrumentation, Playwright and Puppeteer artifacts, and patched stealth runtimes that lie about themselves.
A reference on the JS-runtime fingerprinting surface: error stack formats, Function.prototype.toString, feature and timing probes, property enumeration order, and the engine quirks that betray a patched or automated browser.
A reference catalog of the signals that give headless Chrome away: the webdriver flag, empty plugin lists, the permissions contradiction, missing proprietary codecs, software WebGL renderers, and what --headless=new actually fixed.
Traces the HeadlessChrome user-agent token from its 2017 origin through the 2023 --headless=new rewrite, and the second-order tells that survive a clean UA: permissions inconsistencies, software WebGL, missing codecs, and CDP side effects.
A walkthrough of the individual evasions in puppeteer-extra-plugin-stealth: the webdriver flag, chrome.runtime, the permissions contradiction, plugins and mimeTypes, the WebGL vendor, and iframe.contentWindow, with what each patch fixes and where it leaks.
Why property-patching stealth is a losing game: detectors test for the patch itself, for consistency across surfaces, and for signals the plugin never touches. Traced through the toString leak, the CDP Runtime.enable signal, and cross-signal consistency checks.
Traces the automation fingerprint each driver leaves behind: WebDriver's HTTP wire protocol and cdc_ globals versus the shared CDP transport that Puppeteer and Playwright ride, and which leaks belong to which framework.
Traces what attaching a CDP client changes inside a running Chrome: the websocket transport, the domains it switches on, the side effects that reach the page, and why a debugged browser is observably different from a hand-driven one.
The biography of one bot-detection signal: how logging an Error object exposed a CDP-driven browser, how DataDome made the trick public in 2024, and the two V8 commits that quietly broke it in May 2025.
How WebDriver BiDi gives the W3C automation standard the bidirectional channel that CDP had, why Selenium and Firefox are moving onto it, and what the switch changes for bot detection.
A technical comparison of the major anti-detect browsers: which browser each forks, how profiles and fingerprints are managed at the engine level, and where the spoofing leaves detectable seams.
Traces how anti-detect browsers patch the browser's C++ source to spoof canvas, WebGL, audio, navigator, fonts, and WebRTC, why those native edits survive detection that JavaScript injection does not, and where the approach still leaks.
Traces how Camoufox patches Firefox at the C++ level to inject fingerprints, why it rides Juggler instead of CDP, how config flows from Python into the engine through environment variables, and where the Firefox base still leaks.
Traces the undetected-chromedriver lineage into its successor nodriver: the cdc_ binary patch, the navigator.webdriver flags, dropping the chromedriver binary and Selenium for raw CDP, and why each layer still gets caught.
Traces the architectural fork in browser stealth: recompiling a patched Chromium or Firefox versus injecting JavaScript at runtime, and why engine-level edits win on detectability but lose on the economics of keeping up with the upstream release train.
Traces the specific tells of Page.addScriptToEvaluateOnNewDocument: the isolated-world versus main-world choice, when the injected init script actually runs, and the residue an anti-bot script can probe from inside the page.
Traces how anti-bot systems read the clock instead of the cursor: event-dispatch latency, requestAnimationFrame cadence, input-to-action gaps, and why synthetic interaction keeps a suspiciously clean beat.
Traces how the browser separates real input from fabricated input: the isTrusted flag and its unforgeable layout, the prescribed pointer and mouse event sequence, and why CDP-injected events that read as trusted still leak through timing and missing telemetry.
How the window.chrome surface became a headless tell: what real Chrome exposes through chrome.runtime, chrome.app, csi and loadTimes, what stripped headless lacked, and why faked objects get caught on shape rather than presence.
Traces how anti-bot scripts re-read the browser fingerprint from nested iframes, about:blank/srcdoc frames, and web workers, the exact contexts where injected stealth code often never runs.
Traces how websites enumerate a visitor's installed extensions: web-accessible-resource probing, DOM and stylesheet artifacts, intra-browser messages, and timing side channels, plus the Chrome and Firefox mitigations that close some of those doors.
Traces the classic Notification.permission vs navigator.permissions.query({name: 'notifications'}) contradiction in headless Chrome: where the signal comes from, why the two APIs use different enums, and why patching it is harder than it looks.
How detectors spot a browser running in a VM or container: software WebGL renderers like SwiftShader and llvmpipe, default 800x600 screens, quantized device memory, and timing artifacts under virtualization.
Traces navigator.plugins from a 15-bit fingerprinting signal to the five hard-coded PDF entries Chrome and Firefox ship today, the empty array that gave away old headless, and why fabricating a PluginArray still leaks.