MLSListings Labs Browser Fingerprinting Experiment

Browser Fingerprinting Experiment

This page demonstrates the mlsl-fp web component - a lightweight, privacy-conscious fingerprinting library that combines client-side browser signals with server-side network and TLS data gathered at the CDN edge, without storing cookies or PII.

Waiting for fingerprint...

How it works

Browser <mlsl-fp> component
gathers client signals
Token Request POST /token
signed JWT issued
Pixel Request GET /?payload=...
base64 payload + JWT
Bunny Edge Enriches with IP,
TLS / JA4 data
Webhook Full merged payload
sent to your endpoint

Client Hints are delegated to the edge origin so the CDN can request high-entropy UA values (platform version, architecture, model) on behalf of the page.

Signals gathered

Stable Browser Identity client + edge

A deterministic 128-bit MurmurHash3 fingerprint built from stable, low-entropy signals. Consistent across sessions without cookies. Combined with a JA4 cipher hash at the edge to produce a combinedId.

murmurId hardwareId combinedId cipherHash
Browser & Engine client

Parsed from the User-Agent string via UAParser.js, then enriched with high-entropy Client Hints for accurate version detection (especially on Chromium where the frozen UA reports incorrect versions).

browser.name browser.version engine.name uaFullVersionList
Operating System client + edge

OS name and version from UA parsing, cross-referenced with sec-ch-ua-platform / sec-ch-ua-platform-version Client Hints at the edge. Mismatches between the two sources are flagged.

os.name os.version uaPlatform osNameMismatch osVersionMismatch
Device & Hardware client + edge

Form factor (Mobile / Tablet / Desktop), CPU core count, device memory tier, and max touch points. Mobile flag is cross-checked against sec-ch-ua-mobile.

formFactor hardwareConcurrency deviceMemory maxTouchPoints uaModel uaArch mobileMismatch
WebGL & GPU client

Unmasked GPU vendor and renderer strings extracted via the WEBGL_debug_renderer_info extension. Highly device-specific and contributes to the hardware identity hash.

webglVendor webglRenderer
Audio Fingerprint client

Processes a triangle-wave oscillator through a dynamics compressor in an OfflineAudioContext. Tiny numeric differences in the rendered waveform reveal the underlying audio stack and DSP implementation.

audioHash
Incognito / Private Mode client

Probes browser APIs that behave differently in private browsing (storage quotas, FileSystem API, IndexedDB behaviour) to infer whether the session is incognito without user interaction.

incognito.isPrivate incognito.browserName
Locale & Timezone client

IANA timezone, preferred locale, hour cycle (12h/24h), and numbering system resolved via the Intl API. Timezone mismatches with the IP-derived location can indicate VPN usage.

tz hourCycle numbering language
Display & Media Queries client

CSS media queries probed at runtime: pointer precision (hover), HDR display support, forced-colors accessibility mode, and P3 wide colour-gamut. Together these narrow down the display class of the device.

hover hdr forcedColors p3Gamut
TLS / JA4 Fingerprint edge

The Bunny CDN exposes the JA4 TLS client fingerprint as a request header. The cipher-hash component is extracted and combined with the browser murmurId to form a network-layer identity.

tls.ja4 cipherHash combinedId
IP & Network edge

Real IP from x-real-ip, full x-forwarded-for chain, hop count, and mismatch detection. Enriched via proxycheck.io with geolocation, ISP, ASN, and proxy / VPN classification.

realIp xffChain ipCountry ipIsp ipProxy ipVpn xffMismatch
JWT Token Validation edge

Each pixel request is validated against a short-lived HMAC-SHA256 JWT issued by the edge. The token binds the murmurId and page origin, preventing replay and cross-origin abuse.

token.valid token.murmurMatch token.originMatch token.reason
Privacy & scope: This is a Labs experiment for fraud and bot-detection research. No fingerprint data is linked to user accounts or stored beyond the webhook receiver. All processing is stateless at the edge layer. This page delegates Client Hints only to https://fpj4a-8s80c.bunny.run.