It’s a double-edged sword you need to walk the edge of. Almost everything they use to fingerprint you has a fully legitimate use case, which is why it was added.
The more you do to prevent fingerprinting the more you hobble the web as a platform. A lot of restrictions that got placed on the canvas tag to help prevent fingerprinting for instance really limited its functionality.
In my opinion a workable solution would be to make more of these things opt-in by the end user to high-accuracy data for the page.
But it's not just a matter of "open"/"close". It's more like signal/noise.
Much of the signal is legit: source IP is needed to deliver the response; screen resolution, audio/video codec support, transfer protocol and cache headers are all needed to render the page correctly and as quickly as possible.
Unfortunately, much of that signal persists across sessions as well as websites and can therefore be aggregated into a hash that works as a "super cookie". The signal is based on the device, the connection, not so much the HTTP/HTML you're looking at.
The best approach to mitigate is therefore adding noise: add random gibberish to User-Agent, tunnel IP through VPN/NAT, lie about codecs or screen resolution.
While that degrades user experience, it gives no guarantee of actually preventing fingerprinting. So, the good news is that fingerprinting is hard too, and doesn't work as well as is usually claimed!
Yes, but that's a poor signal. If only two users add "enough" noise to their signal, fingerprinting will only be able to prove a user added noise, but not which user did so. For a single site doing the fingerprinting.
Compare that to tracking users across multiple sites for proper signal without randomization.
Yeah, but if it's opt-in for privacy-concerned users there may well be two users in the world with identical basic metadata (browser version, platform, etc.) who have this enabled. And telling you it was one of two users but not which is pretty shite anonymization.
Regardless it's still adding an extra bit of information leaked, so you may as well forge a common value rather than make something new up.
If JavaScript is enabled there’s ultimately very little that can be done to prevent fingerprinting. If you don’t want to be fingerprinted then only allowing JS to run on allowlisted websites is the only way to truly be safe.
Well, and stuff like the resistFingerprinting=True option in Firefox. As described in the article. You can make your browser just lie to the JS API.
There is a price, of course. Lying about screen resolution might mess up how the website looks. Lying about which fonts are installed might make the site a bit uglier.
As someone said already, 'resistFingerprinting' option should be configurable per-domain. Then we could have it enabled (randomized) for most of the web and disable it (allow fingerprinting) for payment processors and similar 'trusted' websites.
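An added example, not part of any comment in this thread: a small model of the trade-off discussed above between adding random noise and forging a common value. The attribute names and values, the population, and the FNV-1a hash (a stand-in for whatever hash a tracker would use) are all constructed assumptions.

```javascript
// Constructed sample data throughout; FNV-1a is an assumed stand-in hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Aggregate device attributes into one identifier (the "super cookie").
function fingerprint(attrs) {
  const keys = Object.keys(attrs).sort();
  return fnv1a(keys.map((k) => `${k}=${attrs[k]}`).join("|"));
}

// Number of visitors in `population` sharing this visitor's fingerprint.
function anonymitySet(population, visitor) {
  const fp = fingerprint(visitor);
  return population.filter((p) => fingerprint(p) === fp).length;
}

// Constructed population: six stock configurations and two unusual ones.
const stock = { ua: "BrowserX/100", screen: "1920x1080", fonts: "default" };
const population = [
  ...Array.from({ length: 6 }, () => ({ ...stock })),
  { ua: "BrowserX/100", screen: "2560x1440", fonts: "default+custom" },
  { ua: "BrowserY/55", screen: "1366x768", fonts: "default" },
];
const me = { ua: "BrowserX/100", screen: "3440x1440", fonts: "default+many" };

let visit = 0;
const strategies = {
  honest: () => ({ ...me }), // report true values on every visit
  noisy: () => ({ ...me, ua: `${me.ua} noise-${visit++}` }), // new gibberish per visit
  forged: () => ({ ...stock }), // claim the most common values
};

// Two visits by one user: can they be linked, and how large is the crowd?
function evaluate(strategy) {
  const a = strategy();
  const b = strategy();
  return {
    linkable: fingerprint(a) === fingerprint(b),
    crowd: anonymitySet([...population, a], a),
  };
}

for (const [name, s] of Object.entries(strategies)) console.log(name, evaluate(s));
```

In this model the honest visitor is linkable and alone, the noisy visitor is unlinkable by hash but still in a crowd of one, and the forged visitor produces a stable hash that is shared with the six stock configurations.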