Cloudflare’s Turnstile widget, the company’s “Verify you’re human” tool, has stalled browsers built on WebKitGTK, blocking access to several sites. The issue surfaced when the widget forced a WebGL fingerprint, a data point Cloudflare claims helps distinguish bots from users. Users who rely on privacy tools that spoof or block fingerprinting now see Turnstile loop endlessly.

Cloudflare just blocks WebKitGTK browsers entirely, citing an exception for Safari. The company says allowing fingerprinting for the Turnstile site fixes the problem, implying its intent to collect device signatures. Apple’s WebKit has long rejected such fingerprinting, suggesting the practice is considered intrusive enough to warrant blanket refusal.

Firefox users find a workaround: the browser’s privacy.resistfingerprinting setting blocks hardcoded GPU strings in WebGL, letting Turnstile pass. However, when the setting is activated, other privacy‑focused sites may fail their own device checks. Mozilla’s recent bug fix ( Bugzilla#1916271 ) exposed a flaw where Gecko still revealed sanitized GPU characteristics.

Turnstile’s reliance on WebGL fingerprinting illustrates a broader trend where bot‑detection services trade privacy for accuracy. Developers building privacy‑sensitive browsers face a dilemma: enable fingerprinting to access legitimate sites or preserve anonymity at the cost of usability. The current clash forces vendors to reconsider how device verification aligns with emerging privacy standards.