
Pillar 3 of 4

Hunt down trackers your tag manager forgot about

A real browser, real network interception, and a full set of fingerprinting API hooks. We catch the trackers everyone catches — and the ones nobody else does.

The fingerprinting that hides in plain sight

Privacy laws are catching up to fingerprinting. Cookie-style consent banners don't help, because fingerprinting doesn't write a cookie; it reads stable browser characteristics (canvas and WebGL rendering output, audio-processing output, the installed-plugin list) to identify you. Most scanners can't see this, because there is nothing in storage or on the wire to match. We inject a small init script before any of your page's JavaScript runs. It wraps the four APIs most commonly used for fingerprinting (canvas, WebGL, AudioContext and navigator.plugins), counts every call, and attributes each one to the script that made it. If your site loads a third-party script that renders to a canvas and reads the pixels back to derive a device-specific image hash, we'll see exactly which script and how many times. This is the same approach The Markup's Blacklight project uses, and it is the most reliable way to detect fingerprinting without reverse-engineering every script your page loads: minified or dynamically fetched code can hide its intent, but it still has to call the wrapped API to get its data.
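The hooking described above, as an added example that is not the scanner's own code: the script wraps the prototype methods and the navigator.plugins getter, records each call with the calling script taken from the stack trace, and rolls the log up into the API / called-by / count shape used in the findings below. The classes under "Constructed stand-ins" exist only so the block runs under Node; in a browser you would install it with Playwright's page.addInitScript, which also runs in child frames (a script could otherwise pull an unpatched prototype from a freshly created iframe).

```javascript
// Added example (not the scanner's code): init script that wraps the
// fingerprinting-prone APIs and counts every call per (API, calling script).
// Install before any page script runs, e.g. via Playwright's page.addInitScript.

// [global constructor, prototype method, label used in findings]
const FINGERPRINT_HOOKS = [
  ['HTMLCanvasElement', 'toDataURL', 'canvas.toDataURL'],
  ['CanvasRenderingContext2D', 'getImageData', 'canvas.getImageData'],
  ['WebGLRenderingContext', 'getParameter', 'webgl.getParameter'],
  ['WebGL2RenderingContext', 'getParameter', 'webgl.getParameter'],
  ['AudioBuffer', 'getChannelData', 'audioContext.getChannelData'],
];
// WEBGL_debug_renderer_info constant whose value is the GPU renderer string.
const UNMASKED_RENDERER_WEBGL = 0x9246; // 37446

const calls = []; // every intercepted call: { api, caller, arg }

// Attribute a call to the nearest stack frame that is not our own wrapper.
// Chrome frames look like "at fn (https://host/path.js:12:34)".
function callerFromStack(stack) {
  for (const frame of String(stack || '').split('\n').slice(1)) {
    if (frame.includes('hookedFingerprintApi')) continue;
    const m = frame.trim().match(/((?:https?|file|blob):\/\/\S+?|\/\S+?):\d+:\d+\)?$/);
    if (m) return m[1];
  }
  return 'unknown';
}

// Keep scalar first arguments (e.g. the getParameter constant); drop objects.
function makeEntry(api, stack, arg) {
  const scalar = ['number', 'string'].includes(typeof arg) ? arg : undefined;
  return { api, caller: callerFromStack(stack), arg: scalar };
}

// Replace proto[method] with a wrapper that logs, then calls the original.
function hookMethod(proto, method, api, record) {
  const desc = Object.getOwnPropertyDescriptor(proto, method);
  if (!desc || typeof desc.value !== 'function') return false;
  const original = desc.value;
  Object.defineProperty(proto, method, {
    ...desc,
    value: function hookedFingerprintApi(...args) {
      record.push(makeEntry(api, new Error().stack, args[0]));
      return original.apply(this, args);
    },
  });
  return true;
}

// navigator.plugins is an accessor, so its getter is wrapped instead.
function hookGetter(proto, prop, api, record) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.get !== 'function') return false;
  const originalGet = desc.get;
  Object.defineProperty(proto, prop, {
    ...desc,
    get: function hookedFingerprintApi() {
      record.push(makeEntry(api, new Error().stack));
      return originalGet.call(this);
    },
  });
  return true;
}

// Install every hook whose constructor exists in `scope`; returns how many took.
function installHooks(scope = globalThis, record = calls) {
  let installed = 0;
  for (const [ctor, method, api] of FINGERPRINT_HOOKS) {
    if (scope[ctor] && hookMethod(scope[ctor].prototype, method, api, record)) installed += 1;
  }
  if (scope.Navigator && hookGetter(scope.Navigator.prototype, 'plugins', 'navigator.plugins', record)) installed += 1;
  return installed;
}

// Roll the raw log up into the finding shape: one row per API and calling script.
function summarize(record = calls) {
  const rows = new Map();
  for (const c of record) {
    const key = `${c.api}|${c.caller}`;
    const row = rows.get(key) || { api: c.api, caller: c.caller, count: 0, gpuProbe: false };
    row.count += 1;
    if (c.api === 'webgl.getParameter' && c.arg === UNMASKED_RENDERER_WEBGL) row.gpuProbe = true;
    rows.set(key, row);
  }
  return [...rows.values()].sort((a, b) => b.count - a.count);
}

// Constructed stand-ins for the DOM classes so the example runs under Node.
function fakeBrowserScope() {
  class HTMLCanvasElement { toDataURL() { return 'data:image/png;base64,AAAA'; } }
  class WebGLRenderingContext {
    getParameter(p) { return p === UNMASKED_RENDERER_WEBGL ? 'ANGLE (constructed GPU string)' : 0; }
  }
  class Navigator { get plugins() { return []; } }
  return { HTMLCanvasElement, WebGLRenderingContext, Navigator };
}

// Simulates a fingerprinting script: three canvas reads, one GPU probe, one plugins read.
function demo() {
  const record = [];
  const scope = fakeBrowserScope();
  installHooks(scope, record);
  const canvas = new scope.HTMLCanvasElement();
  for (let i = 0; i < 3; i += 1) canvas.toDataURL();
  new scope.WebGLRenderingContext().getParameter(UNMASKED_RENDERER_WEBGL);
  void new scope.Navigator().plugins;
  return summarize(record);
}

installHooks(); // wraps the live prototypes in a browser; installs nothing under Node
console.table(demo());
```

The "called by" attribution rests entirely on `new Error().stack`, which is why the wrapper has a fixed name it can skip over. The wrapper is visible to a script that inspects `HTMLCanvasElement.prototype.toDataURL.toString()` and expects `[native code]`, so a hostile script can notice it is being observed; that is a known limitation of the approach, not something the counter hides.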

Network interception, done right

We listen to every outbound request from page load through 4 seconds of scrolling, so trackers triggered by lazy-loaded content (the ones that fire when the user reaches a chat widget or product card) aren't missed. First-party vs third-party is decided by comparing registrable domains (eTLD+1), not hostnames: a request to cdn.example.com from a page on example.com is correctly first-party, while a request to px.facebook.com is third-party even when it was issued by your own first-party script. Each request is recorded with its category, owner organization, and known-tracker name where applicable.
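The registrable-domain comparison and the before-consent timing check, as an added example that is not the scanner's own code. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List covering only the hosts used here (the real list, with its wildcard and exception rules, is required in production), and SAMPLE_REQUESTS is a constructed timeline with a placeholder Hotjar path, not a real capture. In a Playwright run you would feed the URLs and timestamps from page.on('request', ...) into preConsentThirdParties in place of the sample.

```javascript
// Added example (not the scanner's code): first- vs third-party classification by
// registrable domain (eTLD+1), plus a "fired before consent" roll-up over a
// request timeline. A plain hostname comparison gets both of the tricky cases
// wrong: cdn.example.com is NOT a third party, and bob.github.io IS one to
// alice.github.io because github.io is a public suffix.

// Constructed subset of the Public Suffix List; load the full list in production.
const PUBLIC_SUFFIXES = new Set([
  'com', 'net', 'org', 'io', 'uk', 'co.uk', 'org.uk', 'br', 'com.br',
  'github.io', 'herokuapp.com', 'cloudfront.net',
]);

// Registrable domain of a hostname, or null when the host is itself a public
// suffix (nothing "owns" github.io) or a single unqualified label.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  // IP literals have no registrable domain; the address is its own owner.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) return host;
  const labels = host.split('.');
  if (labels.length < 2) return null;
  // Longest matching suffix wins ("co.uk" beats "uk"); eTLD+1 is that suffix
  // plus the label in front of it.
  for (let i = 0; i < labels.length; i += 1) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // Unknown TLD: the PSL's implicit "*" rule makes the last label the suffix.
  return labels.slice(-2).join('.');
}

function party(pageUrl, requestUrl) {
  const page = registrableDomain(new URL(pageUrl).hostname);
  const req = registrableDomain(new URL(requestUrl).hostname);
  if (page === null || req === null) return 'unknown';
  return page === req ? 'first-party' : 'third-party';
}

// Constructed request timeline for one page view; t is seconds after navigation
// start and CONSENT_AT is when the user accepted the banner.
const PAGE_URL = 'https://shop.example.co.uk/product/42';
const SAMPLE_REQUESTS = [
  { t: 0.1, url: 'https://cdn.example.co.uk/static/js/main.js' },
  { t: 0.4, url: 'https://static.hotjar.com/c/hotjar-XXXXX.js' },
  { t: 0.9, url: 'https://px.facebook.com/tr?id=1&ev=PageView' },
  { t: 3.2, url: 'https://static.hotjar.com/c/hotjar-XXXXX.js' },
  { t: 4.0, url: 'https://api.mixpanel.com/track' },
];
const CONSENT_AT = 2.5;

// Third-party requests that fired before consent, grouped by registrable domain
// and ordered by first appearance (the "Loaded: t=..." field of a finding).
function preConsentThirdParties(pageUrl, requests, consentAt) {
  const byDomain = new Map();
  for (const { t, url } of requests) {
    if (t >= consentAt || party(pageUrl, url) !== 'third-party') continue;
    const domain = registrableDomain(new URL(url).hostname);
    const row = byDomain.get(domain) || { domain, count: 0, firstSeen: t };
    row.count += 1;
    row.firstSeen = Math.min(row.firstSeen, t);
    byDomain.set(domain, row);
  }
  return [...byDomain.values()].sort((a, b) => a.firstSeen - b.firstSeen);
}

console.table(preConsentThirdParties(PAGE_URL, SAMPLE_REQUESTS, CONSENT_AT));
```

On the sample, cdn.example.co.uk is dropped as first-party, the Mixpanel call is dropped because it fired after consent, and the result is two rows: hotjar.com (first seen at 0.4s) and facebook.com (0.9s). Grouping by registrable domain rather than hostname is what lets the owner-organization lookup in the next section key on a single name per vendor.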

Why classify? Because counting matters less than naming

Telling a customer "your site loads 47 third-party requests" is a number without action. Telling them "your site loads Hotjar (session replay), Mixpanel (analytics), and Meta Pixel (advertising) before consent" is a punch list. Every known tracker comes with the owning organization so your privacy team has the right vendor to negotiate with.

Example findings

serious

Canvas fingerprinting detected

A script loaded from cdn.fingerprintjs.com called HTMLCanvasElement.prototype.toDataURL() 3 times during page load. Combined with WebGL and audio-context reads by the same script, this is consistent with deterministic browser fingerprinting; it must be disclosed in your privacy policy and gated behind explicit consent.

API           : canvas.toDataURL
Called by     : https://cdn.fingerprintjs.com/v3/iife.min.js
Count         : 3
Seen alongside: webgl.getParameter, audioContext, navigator.plugins

critical

Session-replay tool loaded before consent

Hotjar (hotjar.com/c/hotjar-XXXXX.js) was loaded and initialised before the user interacted with the consent banner. Session replay records mouse movements, clicks, scrolls and form input. Under Article 5(3) of the ePrivacy Directive, storing or reading information on the user's device for a purpose that is not strictly necessary for the service requires opt-in consent, and legitimate interest is not an available basis; the EDPB's guidelines on the scope of Article 5(3) confirm this applies to non-cookie techniques as well. Captured form input can also incidentally contain special-category data under the GDPR, which is why replay is rated high risk.

Tracker  : Hotjar (session replay)
Owner    : Contentsquare
Loaded   : t=0.4s (before the banner mounted)
Category : session-replay (high risk)

Fix: defer requests to hotjar.com until the user has opted in to the consent category your CMP assigns to it (typically "analytics"); do not start replay under a strictly-necessary or legitimate-interest basis.

moderate

WebGL fingerprinting probe

A first-party bundle calls WebGLRenderingContext.getParameter() with UNMASKED_RENDERER_WEBGL, a constant from the WEBGL_debug_renderer_info extension that returns the user's GPU model. Nothing in your app's rendering path needs that string; it is a fingerprinting signal that should be disclosed or removed.

API        : WebGLRenderingContext.getParameter
Parameter  : UNMASKED_RENDERER_WEBGL (0x9246, 37446)
Called by  : /static/js/main.4f8a2c.js (first-party bundle)
Count      : 1

This exposes the GPU renderer string (e.g. "ANGLE (Apple, Apple M2 Pro, OpenGL 4.1)").

Faça o scan do seu site em 60 segundos

25 créditos grátis. Sem cartão de crédito. Achados reais na página que importa para você.