Pillar 3 of 4
Hunt down trackers your tag manager forgot about
A real browser, real network interception, and a full set of fingerprinting API hooks. We catch the trackers everyone catches — and the ones nobody else does.
The fingerprinting that hides in plain sight
Privacy laws are catching up to fingerprinting. Cookie-style consent banners don't help, because fingerprinting doesn't write a cookie — it reads stable browser characteristics to identify you. Most scanners can't see this. We inject a small init script before any of your page's JavaScript runs. It wraps the four APIs most commonly used for fingerprinting and counts every call. If your site loads a third-party script that probes the canvas to derive a hardware-specific image hash, we'll see exactly which script and how many times. This is how The Markup's Blacklight project works, and it's the only reliable way to detect fingerprinting from outside the running script.
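The counting hook described above, as an added example (not the scanner's own code): it wraps an API method, attributes each call to the calling script from the stack trace, and reports per-script call counts. The names installHook, callerFromStack and report are hypothetical, and the stack parsing assumes Chromium-style frames.

```javascript
// Added example with hypothetical names (installHook, callerFromStack, report);
// not the scanner's own code. Assumes Chromium-style stack frames.

// Frame 0 is the "Error" header, frame 1 is our wrapper, frame 2 is the caller.
function callerFromStack(stack) {
  const frame = ((stack || "").split("\n")[2] || "").trim();
  const m = frame.match(/((?:https?|file):\/\/\S+?):\d+:\d+\)?$/);
  return m ? m[1] : "unknown"; // no parsable script URL in the frame
}

// Replace target[method] with a wrapper that counts calls per calling script,
// then delegates to the original so page behaviour is unchanged.
function installHook(target, method, label, counts) {
  const original = target[method];
  if (typeof original !== "function") return false; // API absent here
  target[method] = function (...args) {
    const caller = callerFromStack(new Error().stack);
    const perApi = counts[label] || (counts[label] = {});
    perApi[caller] = (perApi[caller] || 0) + 1;
    return original.apply(this, args);
  };
  return true;
}

// Flatten the counters into one record per (API, calling script) pair.
function report(counts) {
  return Object.entries(counts).flatMap(([api, byCaller]) =>
    Object.entries(byCaller).map(([calledBy, callCount]) =>
      ({ api, calledBy, callCount })));
}

// In a browser this runs before any page script; outside one it is a no-op.
const fingerprintCounts = {};
if (typeof HTMLCanvasElement !== "undefined") {
  installHook(HTMLCanvasElement.prototype, "toDataURL",
    "canvas.toDataURL", fingerprintCounts);
}
if (typeof WebGLRenderingContext !== "undefined") {
  installHook(WebGLRenderingContext.prototype, "getParameter",
    "webgl.getParameter", fingerprintCounts);
}
```

After the page has loaded, report(fingerprintCounts) yields the rows behind a finding: API label, calling script URL, and call count.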
Network interception, done right
We listen to every outbound request from page load through 4 seconds of scrolling, so trackers triggered by lazy-loaded content (the ones that fire when the user reaches a chat widget or product card) aren't missed. First-party vs third-party is determined by registrable domain comparison — a request to cdn.example.com from example.com is correctly first-party, whereas px.facebook.com is third-party even if loaded from a same-name subresource. Each request is recorded with its category, owner organization, and known-tracker name where applicable.
Why classify? Because counting matters less than naming
Telling a customer "your site loads 47 third-party requests" is a number without action. Telling them "your site loads Hotjar (session replay), Mixpanel (analytics), and Meta Pixel (advertising) before consent" is a punch list. Every known tracker comes with the owning organization so your privacy team has the right vendor to negotiate with.
Sample findings
Canvas fingerprinting detected
A script loaded from cdn.fingerprintjs.com calls HTMLCanvasElement.prototype.toDataURL() 3 times during page load. Combined with WebGL and audio-context reads from the same script, this is consistent with deterministic browser fingerprinting and must be disclosed in your privacy policy and made subject to explicit consent.
API: canvas.toDataURL
Called by: https://cdn.fingerprintjs.com/v3/iife.min.js
Call count: 3
Co-occurs with: webgl.getParameter, audioContext, navigator.plugins
Session-replay tool loaded before consent
Hotjar (hotjar.com/c/hotjar-XXXXX.js) was loaded and initialized before the user interacted with the consent banner. Session replay records mouse movements, clicks, scrolls and form input. The EDPB has been explicit: this is special-category processing under the GDPR and requires an opt-in, not "legitimate interest".
Tracker: Hotjar (session replay)
Owner: Contentsquare
Loaded: t=0.4s (before banner mount)
Category: session-replay (high-risk)
Fix: defer hotjar.com requests until the user opts into the "analytics" or "functional" category in your CMP.
WebGL fingerprinting probe
A first-party bundle reads WebGLRenderingContext.getParameter() with the UNMASKED_RENDERER_WEBGL extension, which exposes the user's GPU model. There is no rendering-related use case for this string in your app; it is a fingerprinting signal that must be disclosed or removed.
API: WebGLRenderingContext.getParameter
Parameter: UNMASKED_RENDERER_WEBGL (37446)
Called by: /static/js/main.4f8a2c.js (first-party bundle)
Call count: 1
This exposes GPU renderer string (e.g. "ANGLE (Apple, Apple M2 Pro, OpenGL 4.1)").
Scan your site in 60 seconds
25 free credits. No credit card. Real findings on the page you care about.