Static

Blocks websites from fingerprinting which browser extensions you have installed, and known tracker/session-replay telemetry.

Block websites from fingerprinting which browser extensions you have installed, and block known client-side tracker and session-replay telemetry. No remote server, no telemetry, MIT-licensed, none of your data ever leaves your browser. THE PROBLEM Most websites you visit quietly try to discover which other extensions you have installed. A typical fingerprinting script iterates through thousands of extension IDs and probes each one — fetch("chrome-extension://<id>/some-file") — using whether the request succeeds or fails as a signal. LinkedIn alone fires around 4,500 such probes on every pageview (verified by BleepingComputer in April 2026), and many large-site anti-bot vendors do the same. Static counters this across three layers, with an optional fourth. 1. SCRIPT-LAYER INTERCEPTION Static intercepts fetch, XMLHttpRequest, element src / href / data setters, setAttribute, sendBeacon, Worker, SharedWorker, EventSource, and serviceWorker.register in the page's JS context. Any request to a chrome-extension:// URL (plus moz-extension://, safari-web-extension://, edge-extension://, ms-browser-extension://) is rejected before the browser's network stack sees it. 2. DOM-MARKER SCRUBBING Some extensions announce their presence by adding distinctive attributes or custom tags to the DOM. Static strips those markers via a MutationObserver so fingerprinters can't query for them. 3. NETWORK-LAYER BLOCKLISTS Five toggleable rulesets block known vendor endpoints in these categories: - Fingerprinting and anti-bot services. - CAPTCHA services (off by default; blocking can break some logins). - Session-replay and behavioral-analytics services. - Datadog RUM (off by default; also used for legitimate monitoring). - LinkedIn telemetry (sensor/metrics collection, tracking, ad pixels, adblock detection). Toggle any category on or off from the popup without reloading. The current list of blocked endpoints is maintained in the source repository. 4. NOISE MODE (opt-in, off by default) Blocking alone tells a fingerprinter only "something blocks me." Noise mode goes further: it learns each site's probe dictionary from the site's own behavior and returns plausible decoy responses for a stable 3–8 ID subset of that dictionary. The site sees those IDs as "installed" and records them in its own dataset instead of the user's real extension profile. Each Static user produces a different decoy persona on the same site (seeded from a random per-install secret), so cross-user correlation doesn't work. Canary-resistant: an ID must be observed at least twice on an origin before entering the replay pool. WHO STATIC IS FOR Built for people who want explicit control over browser fingerprinting beyond what default browsers provide. Recommended setup: Static + uBlock Origin. Static handles fingerprinting defenses, uBlock handles ad and tracker blocking. They complement, not replace, each other. VISIBILITY The toolbar badge shows a live probe-block count for the current tab. The popup shows that number, a cumulative since-install counter, and the top probed extension IDs. A dedicated log viewer lets you browse full per-site probe history and export it in two formats: raw for private archival, or anonymized in a research-friendly format that is safe to publish or contribute to aggregate datasets. PERMISSIONS - storage — for your local probe log and preferences, stored only in your browser. - declarativeNetRequest — for the network-layer blocking rules. - scripting — for the script-layer request interception. - host access to all websites — because fingerprinting can occur on any site you visit. WHAT STATIC DOES NOT DO - Does not send any data to any server, ever. - Does not read or modify page content beyond removing extension-fingerprinting markers. - Does not replace a general-purpose ad or tracker blocker — run it alongside uBlock Origin, not instead of it. - Does not promise to defeat every possible fingerprinting technique — it targets the specific, measurable techniques described above. PRIVACY Static has no remote server. It never transmits any data anywhere — no telemetry, no analytics, no crash reporting. Contains no third-party SDKs. The probe log is stored only in your browser's local storage and can be cleared at any time. Full privacy policy: https://github.com/G-man3207/Static/blob/main/PRIVACY.md OPEN SOURCE (MIT-licensed) Every behavior described here is verifiable in the source code. Issues and contributions welcome: https://github.com/G-man3207/Static