test-website-a.pages.dev — 18 tests — GitHub
See also: Test Website B
Loads a web font from Google's servers (fonts.googleapis.com / fonts.gstatic.com) and checks whether the download actually succeeded.
google-font-loading/Tests whether 'Forget me when I close this site' clears the Cache Storage API (window.caches) after the site is closed.
cache-storage-clearing/Tests for security and privacy behavior inside about:blank and other local iframes — content filtering, cookies, JS fetch, mixed content, network scan, permissions, and secure content.
local-frames/Draws an identical canvas on both sites and measures how much Brave's per-eTLD+1 farbling actually changes the readback.
canvas-farbling/Tests whether the Payment Request API leaks the full Accept-Language header even when 'Prevent sites from fingerprinting me based on my language preferences' is enabled. Brave reduces Accept-Language in BraveProxyingURLLoaderFactory, but PaymentManifestDownloader fetches manifests through the browser-process URLLoaderFactory (kPaymentRequestUseRendererUrlLoader is disabled by default), which is not proxied, so the full language list leaks.
payment-request-language-bypass/Tests whether timing differences in IndexedDB durability modes, OPFS SyncAccessHandle flush, and CacheStorage operations can reveal private browsing mode. Covers three detection methods reported in brave-browser#56009.
incognito-detection-timing/Tests whether Brave's fingerprinting farbling protections apply to blob: URLs opened in a new tab. Blob pages bypass the SchemeIsHTTPOrHTTPS check in GetBraveShieldsEnabled(), leaking real screen size, hardwareConcurrency, deviceMemory, languages, and user agent.
blob-farbling-bypass/Tests whether storage written by a cross-site iframe is cleared after the embedding first-party site is closed or navigated away from.
ephemeral-3p-clearing/Tests whether the browser correctly distinguishes svh, lvh, and dvh viewport units on mobile, per CSS Values Level 4.
viewport-units/Tests whether the browser incorrectly resizes the layout viewport when the virtual keyboard appears.
viewport-keyboard/Tests whether browsers protect against <noscript>-based permanent redirects to a subdomain when JavaScript is disabled.
noscript-redirect/Tests whether storage quota APIs leak different values in normal vs. private browsing, enabling incognito detection. Covers both the modern navigator.storage API and the legacy webkitTemporaryStorage API.
storage-quota-fingerprint/Tests that AMP pages served with Content-Disposition: attachment are downloaded, not De-AMPed.
de-amp-download/Tests browser behavior on a server-side 302 redirect to a cross-site destination (lobste.rs).
server-redirect/Tests whether De-AMP redirects preserve the cross-site hop in the Sec-Fetch-Site header.
de-amp/Tests whether a cross-site iframe can read cookies set when its origin was top-level.
third-party-cookies/Tests whether a cross-site iframe can regain access to its first-party cookies via the Storage Access API.
storage-access/Tests whether the browser clears window.name on cross-origin navigations.
window-name-clearing/