From 588379fda31d6797ab065cc76ffb7ee7e6cce60a Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Thu, 18 Jun 2026 00:58:50 -0700 Subject: [PATCH] docs(browse): correct stale stealth comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The file-level stealth.ts docstring claimed "we DON'T fake navigator.plugins" while the same file now ships EXTENDED_STEALTH_SCRIPT, which does fake plugins when GSTACK_STEALTH=extended. Clarify that Layer C (the always-on default) doesn't fake plugins and the opt-in extended mode does, as the documented "actively lies, may break sites" escape hatch. Also fix the launch()/launchHeaded() comments that said "mask navigator.webdriver only" — applyStealth (Layer C) also restores window.chrome.*, aligns Notification.permission, and sets per-install hardware. Co-Authored-By: Claude Opus 4.8 (1M context) --- browse/src/browser-manager.ts | 9 +++++---- browse/src/stealth.ts | 8 ++++++-- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/browse/src/browser-manager.ts b/browse/src/browser-manager.ts index 2a81742e7..05178dc1e 100644 --- a/browse/src/browser-manager.ts +++ b/browse/src/browser-manager.ts 
@@ -407,10 +407,11 @@ export class BrowserManager { await this.context.setExtraHTTPHeaders(this.extraHeaders); } - // D7: mask navigator.webdriver only. The other 3 wintermute patches - // (plugins, languages, chrome.runtime) are intentionally NOT applied — - // faking them to fixed values can flag more bot-like to modern - // fingerprinters, not less. + // Apply Layer C stealth (applyStealth): masks navigator.webdriver, + // restores window.chrome.* shape, aligns Notification.permission, sets + // per-install hardware, and strips automation globals + the Permissions + // notifications tell. We still do NOT fake navigator.plugins/languages — + // faking those to fixed values flags more bot-like, not less (D7). const { applyStealth } = await import('./stealth'); await applyStealth(this.context); diff --git a/browse/src/stealth.ts b/browse/src/stealth.ts index 01569d28f..5fc10a6ef 100644 --- a/browse/src/stealth.ts +++ b/browse/src/stealth.ts @@ -1,11 +1,15 @@ /** * Stealth init script — Layer C of GBrowser's anti-detection plan. * - * D7 (codex correction, kept): we DON'T fake navigator.plugins or + * D7 (codex correction, kept): Layer C (the always-on default built by + * buildStealthScript) does NOT fake navigator.plugins or * navigator.languages — modern fingerprinters cross-check those against * userAgent / platform / OS, and synthesizing fixed values flags MORE * bot-like, not less. Plugins and languages surface their native - * Chromium values. + * Chromium values. The opt-in EXTENDED_STEALTH_SCRIPT below (gated on + * GSTACK_STEALTH=extended, off by default) DOES fake plugins — that mode + * is the documented "actively lies, may break sites" escape hatch, not + * the default posture. * * What this script DOES do (the new additions for Phase 1): * 1. Mask navigator.webdriver (the canonical headless tell).
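Review bot: in the browser-manager.ts hunk, the new sentence "We still do NOT fake navigator.plugins/languages" is unqualified, while the stealth.ts hunk in this same patch says EXTENDED_STEALTH_SCRIPT does fake plugins when GSTACK_STEALTH=extended. If applyStealth is also the path that installs the extended script, this call-site comment is wrong in extended mode; qualify it with "by default" or name the env var. The commit message also says the launch()/launchHeaded() comments were fixed, but only one hunk in browser-manager.ts is visible here, so check whether the second call site still carries the old "mask navigator.webdriver only" wording. Restating the full applyStealth behaviour list at the call site is how the previous comment went stale; a one-line pointer to the stealth.ts docstring would be easier to keep accurate.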
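Review bot: in the stealth.ts docstring hunk, the retained sentence "Plugins and languages surface their native Chromium values." is left unqualified immediately before the new text saying the extended script "DOES fake plugins", so the paragraph now reads as contradicting itself for plugins. Scope that sentence to Layer C (for example "In Layer C, plugins and languages surface ..."). The new text also mentions only plugins for extended mode, although D7 covers both plugins and languages; say explicitly whether navigator.languages stays native under GSTACK_STEALTH=extended. Since the mode is called the documented "actively lies, may break sites" escape hatch, a reference to where that is documented would let a reader verify it.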