Cloudflare Turnstile Now Demands WebGL Fingerprinting, Breaking WebKitGTK Browsers

Cloudflare’s Turnstile human-verification widget has started requiring WebGL-based device fingerprinting, locking out users of WebKitGTK browsers who cannot complete the check and are blocked from any site behind it. Cloudflare’s own explanation frames the fingerprinting as necessary for bot detection and tells users that privacy tools blocking or randomizing fingerprints make them look like bots — a justification that amounts to admitting the verification relies on tracking signals WebKit has refused to expose for years. Safari users appear unaffected, suggesting Cloudflare carved out an exception rather than finding a less invasive check.

The author notes Firefox is not a clean alternative either. A known Gecko bug leaks sanitized GPU characteristics that WebKit and Blink hide behind hardcoded strings, and Mozilla’s privacy.resistFingerprinting flag stays off even under the Strict privacy setting. If users do enable stronger protections, they risk being shut out of Turnstile-gated sites the same way WebKitGTK users already are.

The broader concern is that a single CDN sitting in front of a large share of the web is now using its bot-defense layer to push fingerprinting back into browsers that deliberately stripped it out, turning anti-tracking choices into an access barrier.