To Reproduce
```csharp
using var playwright = await Playwright.CreateAsync();
await using var browser = await playwright.Chromium.LaunchAsync(new BrowserTypeLaunchOptions
{
    Headless = false, // disable headless so that the website is visible
    Args = PlaywrightStealthExtensions.StealthArgs
});
var context = await browser.NewContextAsync();
var stealthConfig = new StealthConfig
{
    NavigatorHardwareConcurrency = 18, // let's spoof the hardware concurrency
    ChromeLoadTimes = false // need to disable this evasion for reasons explained below
};
// Apply stealth before creating pages.
await context.ApplyStealthAsync(stealthConfig);
var page = await context.NewPageAsync();
await page.GotoAsync("https://www.browserscan.net/bot-detection");
await page.PauseAsync();
```
`ChromeLoadTimes` has to be set to `false` because the file `chrome.load.times.js` throws an error on line 14 when viewed with `headless == false`, thus exiting early and effectively disabling all other evasions. When all evasions are disabled, the browser will pass anti-bot tests, since there isn't any tampering/spoofing taking place, giving a false sense of security. Since there isn't any tampering, the anti-bots are looking directly at the browser's original properties and will therefore be fingerprinted.
```js
// That means we're running headful and don't need to mock anything
if ('loadTimes' in window.chrome) {
  throw new Error('skipping chrome loadtimes update, running in headfull mode')
}
```
Expected behavior
Should pass anti-bots tests (anti-bot should not be able to tell if the browser is a bot) and evade detection.
Environment
- ManagedCode.Playwright.Stealth Version: 1.0.0
- Microsoft.Playwright Version: 1.58.0 and 1.60.0
- .NET Version: 10
- OS: Windows 11
- Browser: Chromium and Chrome
- Headless: false
Additional context
The moment an evasion technique is enabled (not only `hardwareConcurrency`), anti-bots are able to detect tampering and flag the browser as a bot.
https://pixelscan.net/bot-check
https://www.browserscan.net/bot-detection
Referenced code: playwright_stealth/src/Playwright.Stealth/Resources/js/chrome.load.times.js, lines 12 to 15 in f7fbcda