May 31, 2026
Captcha or creep-tcha?
Cloudflare Turnstile requiring fingerprintable WebGL
Users say Cloudflare’s human check now feels like a creepy ID scan gone wrong
TLDR: Users say Cloudflare’s human check can loop forever unless a browser reveals device details, leaving some people blocked from websites. The comments turned into a roast, with cries of “tracking,” calls for bans in Europe, and even site owners hinting they may ditch the tool.
Cloudflare’s “prove you’re human” tool is getting dragged online after users said it now refuses to let them in unless their browser gives up more identifying info. The original complaint came from someone whose browser got stuck in an endless verification loop, locking them out of websites. Their big accusation: this isn’t just anti-bot security anymore, it’s fingerprinting — a way of recognizing your device — and privacy-focused browsers are getting punished for refusing to play along.
That accusation lit up the comments fast. One site owner didn’t defend Cloudflare at all, bluntly saying, “we need to revisit that decision,” which is the kind of quiet corporate panic that speaks volumes. Others went full scorched earth. One commenter mocked the company’s good-guy image with a sarcastic, “Big tech company is evil? No way!” Another went for the nuclear slogan: “Say no to malware - say no to Cloudflare.” Subtle, this crowd is not.
The hottest drama? People weren’t just angry — they were calling for action. One user begged Europeans to push for a ban on browser fingerprinting, joking that the US is “doomed,” while another said they’d happily turn on extra privacy settings just to fail every Cloudflare check on purpose. That’s where the thread really turned from bug report to mini-rebellion: half outrage, half meme, all distrust. For many commenters, the real scandal isn’t a broken login screen — it’s the feeling that simply trying to browse privately now makes you look suspicious.
Key Points
- •The article reports that Cloudflare Turnstile has been looping indefinitely for about a week in a WebKitGTK-based browser, preventing access to some websites.
- •The author says Turnstile requires browser fingerprinting via WebGL as part of its human-verification flow.
- •A quoted Turnstile message states that blocking or randomizing fingerprinting can cause a browser to appear bot-like and fail verification.
- •The post says WebKit blocks this kind of fingerprinting, leading the author to conclude that WebKitGTK browsers are effectively excluded.
- •The article also cites Bugzilla#1916271 and argues that Firefox's current WebGL fingerprinting protections and default privacy settings may leave privacy-conscious users vulnerable to similar verification failures.