Part 3: Canvas, WebGL, and the Paradox of Spoofing.
In Part 1 and 2, we looked at data the browser *tells* the website. In Part 3, we look at what the website *forces the browser to do*. Fingerprinting scripts act like a digital forensic kit, forcing your hardware to render complex tasks and then "hashing" the result into a unique ID.
A website can command your browser to draw a hidden, invisible 2D image using the HTML5 <canvas> element. While the image is the same for every user, the result is not.
The website converts this drawing into a 32-bit hash. Even if you change your IP, that hash remains a constant "serial number" for your machine.
While Canvas handles 2D, WebGL handles 3D. Scripts can force your GPU to render a complex 3D object with specific shadows and textures. Because every GPU architecture (Intel, NVIDIA, AMD, Apple Silicon) handles floating-point math slightly differently, the final image contains unique "artifacts."
This is the most critical point for cybersecurity students. Many users try to "spoof" their headers (e.g., making a Windows PC look like an iPhone). However, this creates Inconsistency Detection.
| Attribute | Spoofed Value | Hardware Reality | Result |
|---|---|---|---|
| User-Agent | iPhone / iOS | Windows 11 | Flagged |
| Screen Resolution | 800x600 | 2560x1440 | Flagged |
By faking your identity, you become "The one user who claims to be an iPhone but renders images like a high-end NVIDIA desktop." You haven't hidden; you've become the most unique (and trackable) person on the site.
Finally, simple JS loops can measure how long it takes your CPU to process a set of math problems. This reveals your system load and clock speed. Sophisticated systems can even detect if you are running in a Virtual Machine (VM) by measuring the "latency" of the CPU instructions.