Chameleonn de 0x127

What it is

Chameleon is an advanced Firefox extension that quietly blocks the fingerprinting surface modern websites use to track you. Canvas, WebGL, audio, fonts, MIDI, sensors, WebRTC, navigator quirks, the whole pile.

The core trick: Instead of randomising your fingerprint on every request (which actually makes you more unique, since no real browser does that), Chameleon picks a stable identity per origin. The same site sees the same fingerprint every time so nothing breaks. Two different sites see different fingerprints so they can't link your visits together.

You can also rotate your master identity whenever you want with one click.



How to use it

Once installed, it runs automatically. Defaults are safe for normal browsing.

The toolbar popup

• Protection toggle
  Master on/off switch. Reloads the tab immediately. Settings persist.
• Exempt this site
  Adds the current eTLD+1 to an allowlist and reloads without protection.
• Rotate identity
  Generates a new global seed. All sites see a fresh fingerprint going forward.
• Settings
  Opens full configuration page.

The options page

Accessible via right-click -> Manage Extension -> Options.

• Master toggle
  Global enable/disable.
• Browser identity
  Choose OS/UA profile (default: Linux-based Firefox).
• Surfaces controls
• Timer precision rounding
• Timezone pinning (UTC)
• Motion sensor blocking
• HTTP header rewriting
• Exempt origins
  One eTLD+1 per line. Lines starting with # are ignored.

Verifying it works

Test across multiple windows:

• https://browserleaks.com
• https://amiunique.org
• https://coveryourtracks.eff.org
• https://audiofingerprint.openwpm.com
• https://abrahamjuliot.github.io/creepjs

Expected behavior:

• Same origin + same window → consistent fingerprint
• Different origins → different fingerprints

What it blocks

Visual fingerprinting (canvas, WebGL, WebGPU)

• Canvas readback APIs (toDataURL, getImageData, etc.)
• WebGL/WebGL2 parameter extraction
• readPixels noise injection
• WebGPU fully hidden

Audio fingerprinting

• AudioBuffer analysis
• AnalyserNode frequency leakage
• OfflineAudioContext compression artifacts

Layout fingerprinting

• getBoundingClientRect / getClientRects
• offsetWidth/Height, scroll metrics
• screen size + DPR
• TextMetrics inconsistencies

Navigator identity

• UA, platform, vendor
• hardwareConcurrency, deviceMemory
• languages, plugins, mimeTypes
• maxTouchPoints
• userAgentData spoofing

Firefox quirks hiding

• InstallTrigger
• mozInnerScreenX/Y
• window.sidebar, window.netscape
• CSS feature probes

Hardware-leaking APIs

• Battery API
• NetworkInformation
• StorageManager
• enumerateDevices
• Bluetooth / USB / HID / Serial
• Speech synthesis voices
• Gamepads
• IndexedDB databases

Sensors

• Motion/orientation APIs disabled
• Magnetometer, gyroscope, accelerometer blocked
• Touch precision normalized
• screen.orientation pinned

Web MIDI

• MIDI access blocked completely

WebXR / WebVR

• XR APIs removed
• VR display enumeration disabled

PointerEvent entropy

• Stylus pressure/tilt/twist zeroed (except real pen input)
• pointerId normalized
• multi-touch behavior flattened

Speech Recognition

• SpeechRecognition APIs removed

Reporting Observer

• Fully stubbed to prevent side-channel reporting leaks

Cookie Store API

• async cookie enumeration disabled

Performance memory probes

• memory estimation disabled
• eventCounts spoofed

Audio latency

• outputLatency/baseLatency normalized

Notifications

• Permission pinned to default state

navigator.scheduling

• API hidden

window.name

• Cleared on cross-origin navigation

Ad-block detection bypass

• Fake ad-bait elements neutralized
• detection globals pre-filled

Font enumeration

• Local font APIs blocked
• Canvas font measurement normalized
• System fonts only exposed

Permissions / media queries

• All media queries normalized
• Permissions API stabilized

WebRTC

• Local and STUN IP leakage blocked
• Relay-only connections allowed

Timing

• performance.now() quantized to 1ms
• timestamps rounded globally

Locale

• Forced en-US locale
• UTC timezone
• standardized numeric formats

HTTP layer

• UA rewritten
• Accept-Language normalized
• Client hints removed
• tracking headers stripped
• DNT/GPC enforced

Workers

• Worker scripts wrapped and re-hooked
• Cross-origin workers partially unsupported

Camouflage

• toString() spoofed as native
• error stacks cleaned
• sensitive APIs hidden

Will it slow my browser down?

Not noticeably.

• Canvas/audio hooks: tiny overhead
• DOM measurement hooks: minimal
• HTTP rewriting: negligible
• Worker interception: most expensive (tens of ms in heavy apps)

Configuration recipes

• Maximum privacy (breaks some sites)
  Linux profile, everything enabled, no exemptions
• Daily driver
  Defaults + exempt banking/video tools
• Casual privacy
  Defaults, disable timezone pinning

Known limits

• Detection possible inside JS realm (hook introspection)
• Cross-origin worker injection limitations
• Timezone vs real clock inconsistencies
• First-canvas race condition on page load
• TLS fingerprinting (JA3/JA4) still visible
• TCP/IP fingerprinting still leaks OS (kernel-level issue)

The source code for this extension can be found at https://github.com/00x127/chameleon