WebGL fingerprinting extracts device-specific information by rendering 3D graphics through the browser's WebGL API and reading back the pixel output, alongside reported GPU parameters such as renderer string and vendor. Differences in GPU hardware, driver versions, and rendering pipelines cause the same scene to produce subtly different results across devices.
The WebGL API exposes two layers of identifying information. First, the GPU renderer and vendor strings report the graphics hardware and driver directly. Second, rendering the same geometry through the GPU pipeline produces pixel-level output that varies based on hardware architecture, driver version, and precision handling, much like canvas fingerprinting but at the 3D level.
WebGL signals can be partially hardware-bound: the reported GPU identity and certain capability limits reflect physical hardware rather than the browser engine, giving them higher cross-browser stability than purely engine-bound signals. This makes WebGL fingerprinting a useful component in both browser and device fingerprints.
In doorman-benny
In doorman-benny, WebGL signals contribute to both the engine-bound `fingerprint` and, where the data is hardware-specific, to the `hardwareFingerprint` used for cross-browser device recognition.
WebGL GPU identity (docs)Frequently asked questions
Is WebGL fingerprinting the same as canvas fingerprinting?
They are related: both render graphics and read back the result. Canvas works with 2D drawing via the HTML5 Canvas API, while WebGL uses the 3D graphics pipeline. WebGL can also expose additional hardware metadata such as the GPU renderer string.
Does WebGL fingerprinting work across different browsers?
The GPU renderer string and certain hardware capability values are the same regardless of browser, giving WebGL a degree of cross-browser stability. Rendered pixel output can still vary between browsers due to differences in how each engine invokes the GPU driver.
Can users block WebGL fingerprinting?
Some privacy tools disable WebGL entirely or return placeholder values. A disabled or spoofed WebGL signal is itself a distinctive pattern, and consistent fingerprinting systems account for the possibility of absent or randomised WebGL data.
