Draws the same deterministic canvas on two different eTLD+1 sites
(test-website-a.pages.dev and
test-website-b.pages.dev; pages.dev is a public
suffix, so Brave seeds each with a different farbling token). The drawing
is identical, so any difference between the two readbacks is farbling.
Run in Brave with Shields up. The cross-site step opens the other site in
a popup; it captures its own farbled canvas and posts the pixels back.
This site's farbled canvas
Ready.
Result
This site SHA-256
Other site SHA-256
Naive hash fingerprint
Pixel-level cross-site diff
Canvas size
Pixels identical across both sites
RGB channels changed by farbling
Max absolute per-channel delta
Alpha channel touched
Within-site sanity (this site captured twice)
Channel delta distribution (this − other)
Scope
Model-free check of the mechanism in the HackerOne report. Brave's
PerturbPixels() runs ~512 single-bit XORs regardless of
canvas size and never touches alpha, so the SHA-256 changes across sites
(breaking hash-based fingerprinting) while the device-rendered pixels
stay nearly intact (the signal a perceptual matcher uses).
Does not run the reporter's CNN and does not test whether farbling makes
a device more identifiable than no defense; that needs a
no-farbling baseline and the trained encoder. Content is held fixed here
to isolate farbling; the reporter randomizes content and relies on the
model being content-invariant.