
tessl/npm-puppeteer-extra-plugin-stealth

Stealth mode plugin for puppeteer-extra that applies various techniques to make detection of headless browsers harder.


Chrome API Evasions

Evasion techniques that mock Chrome-specific APIs to prevent detection through missing Chrome objects. These evasions simulate the presence of Chrome extension APIs that are typically available in regular Chrome browsers but missing in headless mode.

Capabilities

Chrome App API Evasion

Mocks the chrome.app API to prevent detection through its absence.

// Evasion name: 'chrome.app'
// Simulates: chrome.app.isInstalled property and related functionality

This evasion:

  • Creates a mock chrome.app object when it doesn't exist
  • Provides realistic chrome.app.isInstalled property
  • Prevents detection through missing Chrome app API

Detection Method Prevented:

// This detection method will be fooled:
if (typeof chrome !== 'undefined' && chrome.app) {
  // Assumes real browser
} else {
  // Detects headless/automation
}

Chrome CSI API Evasion

Mocks the chrome.csi API for Chrome Site Isolation metrics.

// Evasion name: 'chrome.csi'
// Simulates: chrome.csi() function and performance metrics

This evasion:

  • Creates a mock chrome.csi() function
  • Returns realistic performance timing data
  • Simulates Chrome's internal performance measurement API

Detection Method Prevented:

// This detection method will be fooled:
try {
  const csi = chrome.csi();
  if (csi && csi.pageT) {
    // Assumes real Chrome browser
  }
} catch (e) {
  // Detects missing Chrome CSI API
}

Chrome LoadTimes API Evasion

Mocks the deprecated chrome.loadTimes API for backward compatibility.

// Evasion name: 'chrome.loadTimes'
// Simulates: chrome.loadTimes() function with realistic timing data

This evasion:

  • Creates a mock chrome.loadTimes() function
  • Returns realistic page load timing information
  • Simulates the deprecated but still detectable Chrome API

Detection Method Prevented:

// This detection method will be fooled:
// (typeof guard avoids a ReferenceError when `chrome` is not defined at all)
if (typeof chrome !== 'undefined' && chrome.loadTimes) {
  const loadTimes = chrome.loadTimes();
  if (loadTimes.requestTime && loadTimes.finishDocumentLoadTime) {
    // Assumes real Chrome with load times API
  }
}

Chrome Runtime API Evasion

Mocks the chrome.runtime API that's normally available in Chrome extensions.

// Evasion name: 'chrome.runtime'
// Simulates: chrome.runtime object with extension-like properties

This evasion:

  • Creates a comprehensive mock chrome.runtime object
  • Includes realistic chrome.runtime.sendMessage function
  • Provides chrome.runtime.connect and related methods
  • Simulates extension-like environment

Detection Method Prevented:

// This detection method will be fooled:
// (typeof guard avoids a ReferenceError when `chrome` is not defined at all)
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.sendMessage) {
  try {
    chrome.runtime.sendMessage('test');
    // Assumes Chrome extension environment
  } catch (e) {
    // Would detect fake/missing runtime API
  }
}
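
The four presence checks above, gathered into one function as an added example (not code from the plugin or from this page's author). The sample window objects are constructed, and `SAMPLE_STAND_IN` is built from plain JavaScript values, so an `allPresent` result shows only that the properties exist, not that they are native:

```javascript
// Run a check without letting a missing object throw (ReferenceError/TypeError).
function safe(check) {
  try {
    return Boolean(check());
  } catch (e) {
    return false;
  }
}

// Evaluate the page's four presence checks against a window-like object.
function chromeApiSignals(win) {
  const c = win && win.chrome;
  const signals = {
    'chrome.app': safe(() => 'isInstalled' in c.app),
    'chrome.csi': safe(() => typeof c.csi === 'function' && c.csi().pageT),
    'chrome.loadTimes': safe(() => {
      const t = c.loadTimes();
      return t.requestTime && t.finishDocumentLoadTime;
    }),
    'chrome.runtime': safe(() => typeof c.runtime.sendMessage === 'function'),
  };
  const missing = Object.keys(signals).filter((name) => !signals[name]);
  return { signals, missing, allPresent: missing.length === 0 };
}

// Constructed sample inputs (not captured from a real browser).
const SAMPLE_NO_CHROME = {};
const SAMPLE_PARTIAL = {
  chrome: { app: { isInstalled: false }, runtime: { sendMessage() {} } },
};
const SAMPLE_STAND_IN = {
  chrome: {
    app: { isInstalled: false },
    csi: () => ({ onloadT: 1700000001000, pageT: 1234.5, startE: 1700000000000, tran: 15 }),
    loadTimes: () => ({ requestTime: 1700000000.1, finishDocumentLoadTime: 1700000000.9 }),
    runtime: { sendMessage() {} },
  },
};

for (const [label, win] of Object.entries({ SAMPLE_NO_CHROME, SAMPLE_PARTIAL, SAMPLE_STAND_IN })) {
  const { allPresent, missing } = chromeApiSignals(win);
  console.log(label, allPresent ? 'all present' : `missing: ${missing.join(', ')}`);
}
```

On the detection side, a result from `chromeApiSignals(window)` is best recorded as one weak signal among others, since the stand-in object passes every check.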

Usage Examples:

const puppeteer = require('puppeteer-extra');
const StealthPlugin = require('puppeteer-extra-plugin-stealth');

// Enable only Chrome API evasions
const chromeOnlyStealth = StealthPlugin({
  enabledEvasions: new Set([
    'chrome.app',
    'chrome.csi',
    'chrome.loadTimes',
    'chrome.runtime'
  ])
});

puppeteer.use(chromeOnlyStealth);

// CommonJS modules have no top-level await, so run inside an async function
(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();

  // These Chrome APIs will now be available and functional
  // (console.log inside evaluate writes to the page's console, not Node's stdout)
  await page.evaluate(() => {
    console.log(chrome.app.isInstalled); // Works
    console.log(chrome.csi()); // Returns timing data
    console.log(chrome.loadTimes()); // Returns load timing
    chrome.runtime.sendMessage('test'); // Functions without error
  });

  // Close the browser so the Node process can exit
  await browser.close();
})();

Static Data and Realism

The Chrome API evasions use static data files to provide realistic responses:

  • chrome.runtime uses staticData.json for realistic extension-like data
  • chrome.csi provides believable performance timing metrics
  • chrome.loadTimes returns plausible page load timing information
  • chrome.app provides consistent app installation status

Implementation Details

Each Chrome API evasion:

  1. Detects Environment: Checks if running in a secure context where Chrome APIs should exist
  2. Creates Mock Objects: Builds realistic Chrome API objects with proper structure
  3. Provides Functional Methods: Ensures mocked methods can be called without errors
  4. Uses Stealth Utilities: Leverages the shared utility system for undetectable API modification
  5. Handles Edge Cases: Accounts for different Chrome versions and API variations

Security Considerations

These evasions:

  • Only create Chrome API mocks; they don't provide real Chrome extension functionality
  • Are designed for testing and automation, not for bypassing security measures
  • Should be used responsibly in compliance with website terms of service
  • May trigger security warnings in some Chrome configurations

Install with Tessl CLI

npx tessl i tessl/npm-puppeteer-extra-plugin-stealth
