PRIVABROWSE
Transparency Report

PrivaBrowse believes you deserve to know exactly what your browser does. This document discloses every protection mechanism, every blocked domain, and every line of defense — no secrets, no fine print.

• Mission
• Threat Model
• What We Block
• What We Spoof
• What We Strip
• Data Poisoning Engine
  • Link Click Parameter Stripping
  • Local CDN Privacy
  • Privacy Sandbox API Blocking
  • Network State Partitioning
  • HSTS Supercookie Protection
  • Favicon Supercookie Protection
  • Bounce Tracking Detection
  • Stale Cookie Cleanup
• HTTPS Enforcement
• Cookie Consent & Annoyance Removal
• Cosmetic Ad Filtering
• YouTube Ad Blocking
• Search Engine Policy
• Password Vault
• PrivaForge Developer Tools
• Focus Mode
• Data Saver Mode
• What We Do NOT Do
• How We Compare
• How to Verify
• Architecture Overview
• Third-Party Dependencies
• Frequently Asked Questions
• Changelog

PrivaBrowse exists for one reason: your browsing data belongs to you and only you.

We reject the surveillance-capitalist model where browsers silently funnel your habits, preferences, and identity to advertising networks. Every feature in PrivaBrowse is designed to make mass tracking technically impossible — not just discouraged, but actively poisoned.

Privacy is not a feature we bolt on. It is the architecture.

PrivaBrowse is engineered to defend against the following threats:

Transparency means honesty about limits:

• State-level adversaries — PrivaBrowse is not Tor. Your ISP can still see which domains you connect to (use a VPN or Tor for that layer).
• Malware/phishing — We are not an antivirus. We block trackers, not malicious payloads.
• Compromised endpoints — If the website itself is hostile (e.g., a keylogger on a login page), browser-level protection has limits.
• Physical access — If someone has your machine, disk encryption is your defense, not a browser.

• 100+ regex patterns matching ad-serving URL structures (/ads/, /adserv/, /pagead/, etc.)
• Tracking pixel detection — 1x1 images, clear GIFs, spacer GIFs, beacon endpoints
• Script filename blocking — ads.js, tracking.js, analytics.min.js, gtag.js, fbevents.js, pixel.js, tracker.min.js
• Third-party iframe blocking — prevents cross-origin frames from loading tracker content (with a whitelist for ReCAPTCHA, YouTube embeds, Stripe payments, and other functional iframes)
• Web Vitals / Reporting API endpoint blocking — web-vitals.js, /.well-known/attribution-reporting
• Fingerprint script blocking — fp.js, fingerprint*.js

PrivaBrowse maintains a per-domain count of every blocked request. You can inspect the Tracker Graveyard from the browser's toolbar to see exactly how many trackers were stopped on each site you visit — full transparency into what's being blocked and where.

Every vector is randomized per-session to prevent cross-site linkage:

These APIs are completely disabled to prevent fingerprinting:

PrivaBrowse rotates your User-Agent string either per-session or per-site (configurable). The randomized UA is drawn from a pool of common browser/OS combinations so you blend into the crowd rather than standing out with an unusual string.

• ETag supercookies — If-None-Match header deleted on every request
• Client Hints — All 10+ Sec-CH-* headers stripped/spoofed (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform, Sec-CH-UA-Full-Version-List, etc.)
• URL tracking parameters — 110+ tracking parameters including utm_source, utm_medium, utm_campaign, utm_term, utm_content, fbclid, gclid, msclkid, mc_eid, oly_enc_id, oly_anon_id, __hssc, __hstc, __hsfp, _hsenc, vero_id, wickedid, TikTok (_ttp, tt_*), Twitter (twclid), Reddit (rdt_cid), LinkedIn (li_fat_id), Amazon (tag, ascsubtag), Pinterest (epik), and more
• Referrer header — Reduced to origin-only or stripped entirely (configurable)

• ETag headers — stripped to prevent supercookie tracking
• Accept-CH and Critical-CH headers — deleted to prevent servers from requesting Client Hints
• Tracking cookies — cookies matching known tracker patterns are stripped

Every link on every page is cleaned in real-time. Before you navigate, PrivaBrowse strips utm_*, fbclid, gclid, and other tracking parameters from the destination URL so the receiving site never sees where the click came from.

When fingerprint protection is enabled, PrivaBrowse doesn't just block trackers — it actively poisons every piece of data they try to collect.

Blocking tells a tracker "this user has an ad blocker." That itself is a data point. Poisoning tells the tracker nothing useful — every field looks plausible but is completely fabricated. The tracker's dataset becomes polluted, their models degrade, and they can't distinguish real users from noise.

Every major data exfiltration API is intercepted and fed randomized garbage:

Every tracker request gets injected with fake: email addresses, full names, phone numbers, IP addresses, user agents, device IDs, session IDs, fingerprint hashes, Google Analytics client IDs, screen resolutions, languages, timezones, referrers, geographic coordinates, browser/OS version, GPU vendor/renderer, heap size, connection type, page URL/title, font list hash, canvas/WebGL hashes, and more.

PrivaBrowse uses a smart header poisoning strategy: instead of injecting hundreds of new headers (which degraded performance and broke websites), it only randomizes headers the tracker request already carries. This approach is stealthier, faster, and avoids detection.

For every request matching a tracker domain or URL pattern:

• User-Agent randomization: Rotated from a pool of 5 common browser/OS combinations
• Accept-Language spoofing: Randomized from 6 common locale combinations
• Referer/Origin spoofing: Replaced with common referrers (Google, DuckDuckGo, Reddit) or stripped
• IP header spoofing: X-Forwarded-For, X-Real-IP, CF-Connecting-IP, True-Client-IP, and 6 more — only randomized if the request already carries them
• Correlation/trace ID poisoning: X-Request-ID, X-Correlation-ID, X-Trace-ID, X-Amzn-Trace-Id, X-B3-TraceId, Traceparent, Sentry-Trace, Datadog — fake values replace existing ones
• Device/session ID poisoning: X-Device-ID, X-Session-ID, X-Visitor-ID, X-Device-Fingerprint, X-GA-Client-ID, X-Analytics-ID, X-Tracking-ID, Newrelic, Baggage — poisoned if present
• Sec-Fetch stripping: All Sec-Fetch-Dest/Mode/Site/User headers deleted (leaks cross-site behavior)
• Token stripping: Cookie, Authorization, X-CSRF-Token, X-XSRF-TOKEN, X-Requested-With, Proxy-Authorization all deleted from tracker requests
• Cache-busting: Cache-Control set to no-cache, no-store; If-None-Match randomized to prevent ETag fingerprinting

Why smart instead of bulk? The previous approach of injecting 200+ headers on every tracker request caused measurable performance degradation and broke websites like YouTube. The new approach poisons only what exists, making PrivaBrowse undetectable to tracker servers that monitor for unusual header counts.

No company is excluded from data poisoning. Not Google. Not Facebook. Not Microsoft. Not Amazon. No one.

The only exception is YouTube's video playback — we don't break video streaming. But YouTube's tracker endpoints still get fully poisoned data, just like every other company.

WebSocket connections to tracker hosts have their send() method intercepted. JSON payloads are parsed and every tracking field is replaced with fake data. The connection itself is preserved (to avoid detection) but the data is garbage.

Server-Sent Events (EventSource) connections to tracker hosts are replaced with a fake stub that does nothing. The page thinks it connected; the tracker receives nothing.

Links through bounce trackers (t.co, l.facebook.com, google.com/url, click.redditmail.com, safelinks.protection.outlook.com, lnks.gd, youtube.com/redirect, href.li, steamcommunity.com/linkfilter) are intercepted and resolved directly to the real destination URL.

Every 60 seconds, PrivaBrowse purges 60+ known tracker localStorage keys (_ga, _fbp, amplitude_id, intercom, drift, hubspot, etc.) and deletes tracking IndexedDB databases (Firebase, Sentry, Amplitude).

HTML <a ping=...> attributes are stripped from all links via MutationObserver. document.referrer is overridden to return origin-only. window.name is cleared on every navigation to prevent cross-site data leaking. The Reporting API (ReportingObserver) is neutralized.

Beyond stripping tracking parameters on navigation, PrivaBrowse also cleans links in real-time within the page:

• Hooks click and auxclick events on every <a> tag
• Uses a MutationObserver to clean dynamically added links as they appear
• Strips 110+ tracking parameters (utm_*, fbclid, gclid, msclkid, TikTok, Twitter, Reddit, LinkedIn, Amazon, Pinterest, and more) from href attributes before the browser navigates
• Works on both left-click and middle-click (new tab) navigation

Requests to CDN hosts (cdnjs.cloudflare.com, cdn.jsdelivr.net, unpkg.com, etc.) receive special handling:

• Cookie stripping: Cookies are never sent to CDN hosts
• Referrer stripping: Referer header is removed to prevent CDNs from knowing which site loaded their resources
• Tracking script blocking: Known tracking scripts disguised as CDN resources are detected and blocked via pattern matching

This is defined in src/cdn-replacements.js and applied in main.js.

Google's Privacy Sandbox APIs (marketed as "privacy-preserving" but still enabling interest-based advertising) are comprehensively disabled:

These are blocked via both app.commandLine.appendSwitch('disable-features', ...) in the main process and by injecting a Permissions-Policy response header on every page load.

To prevent cross-site tracking via shared network state, PrivaBrowse enables Chromium's isolation features:

This means Site A cannot detect whether you've visited Site B by probing shared caches, connection pools, or DNS state.

HSTS (HTTP Strict Transport Security) can be abused to store a unique identifier across browser sessions by selectively setting HSTS on a matrix of subdomains. PrivaBrowse defends against this by:

• Clearing the HSTS resolver cache on startup
• Clearing it again every 30 minutes while running
• Using session.defaultSession.clearHostResolverCache()

Similar to HSTS supercookies, favicon caching can be exploited to track users across sessions. PrivaBrowse clears the favicon cache periodically alongside HSTS cache clearing using session.defaultSession.clearCache().

"Bounce tracking" is a technique where trackers redirect you through their domain for just long enough to set a cookie, then bounce you to your actual destination. PrivaBrowse detects this:

• Tracks navigation timestamps per webContents
• If a domain redirects within 1.5 seconds without user interaction, it's flagged as a bounce tracker
• All cookies and storage for flagged domains are immediately purged
• The system is integrated into the onBeforeRequest handler for main frame navigations

Even without bounce tracking, cookies can accumulate from domains you visited once and never returned to. PrivaBrowse tracks domain visit timestamps and periodically:

• Scans all cookies in the session
• Compares each cookie's domain against the last-visited timestamp
• Deletes cookies from domains not visited within a configurable threshold (default: 7 days)
• Runs on startup and can be triggered manually

PrivaBrowse can automatically upgrade all http:// navigations to https://, preventing passive eavesdropping on unencrypted connections. This is configurable per the user's preference and applies to top-level navigations and subresource requests alike.

The web is drowning in cookie banners. PrivaBrowse automatically detects and dismisses them:

• Cookie consent popups — Detected via common selectors and class names, auto-dismissed with "reject all" preference
• Newsletter signup overlays — Email capture modals are identified and removed before they interrupt your reading
• "Are you still there?" dialogs — Idle-detection prompts are auto-dismissed
• Overlay scroll locks — When a popup locks page scrolling, PrivaBrowse restores it

This runs entirely client-side via injected scripts. No network requests, no external services.

Beyond network-level blocking, PrivaBrowse includes a Universal Ad Nuker that removes ad containers from the rendered page:

• Hides elements matching known ad selectors ([class*="ad-"], [id*="google_ads"], ins.adsbygoogle, etc.)
• Removes empty placeholder divs left behind by blocked ad scripts
• Runs on DOMContentLoaded and observes DOM mutations for dynamically injected ads
• Purely cosmetic — no network requests are made, these elements are simply hidden from view

YouTube receives special handling because its ad delivery is tightly integrated with video playback:

• Pre-roll and mid-roll ads — Detected and skipped at the player level
• Ad overlay banners — Removed from the video player
• Tracker endpoints — Still fully poisoned (YouTube does not get a free pass on tracking)
• Video playback — Preserved and unbroken

PrivaBrowse only ships privacy-respecting search engines:

Removed engines: Google, Bing, and Yahoo were removed because their search pages load tracking scripts that conflict with our blocking and because we don't believe a privacy browser should normalize surveillance-based search.

PrivaBrowse includes a built-in encrypted password vault so you don't need to trust a third-party extension with your credentials:

• Encryption — All entries are encrypted locally with a master password
• Zero-knowledge — Your master password never leaves your machine; we cannot recover it
• No cloud sync — Vault data stays on your device, period
• No third-party dependencies — The vault is implemented entirely within PrivaBrowse, not outsourced to an extension or external service

PrivaBrowse ships with PrivaForge — a completely custom developer tools panel built from scratch. This is not Chrome DevTools. It's a cyberpunk-themed toolkit designed to be fun and practical.

Chrome DevTools are powerful but generic. PrivaForge is purpose-built for PrivaBrowse users who want to inspect, debug, and audit websites with a tool that matches the browser's identity. It also includes a Privacy Scan tool that no standard dev tools provide.

PrivaForge runs entirely locally. It does not send any data anywhere. The Terminal executes JavaScript within the page's webview context using executeJavaScript(). No external services, no telemetry, no analytics.

• F12 or Ctrl+Shift+I — Toggle PrivaForge
• Right-click context menu — "PrivaForge" option
• Command palette (Ctrl+Shift+P) — "PrivaForge" command

PrivaBrowse includes a Focus Mode that lets you temporarily block distracting websites for a set period of time:

• Define your own blocklist of distracting domains
• Set a timer — the sites are inaccessible until it expires
• No workarounds, no "just 5 more minutes" — the block is enforced at the network level

This is a productivity feature, not a privacy feature, but it reflects our belief that a browser should work for you.

When bandwidth matters, Data Saver Mode reduces page weight by:

• Blocking third-party fonts (also a privacy win — font loading reveals your OS and language)
• Blocking animated images
• Optionally blocking all images entirely
• Reducing unnecessary subresource requests

To be absolutely clear:

• No telemetry — We never phone home. Zero analytics endpoints exist in the codebase.
• No crash reporting — Errors stay on your machine. No Sentry, no Bugsnag, no New Relic.
• No usage statistics — We don't know how many users we have, let alone what they browse.
• No update tracking — Update checks use standard Electron mechanisms, no identifying data sent.
• No A/B testing — Every user gets the same features.
• No data sales — We have no data to sell.
• No "anonymous" metrics — There is no such thing as truly anonymous analytics. We collect nothing.
• No partnerships with ad companies — We block them all.
• No acceptable ads program — All ads are treated equally: blocked.
• No remote configuration — There is no server-side feature flag system. What ships in the binary is what runs.
• No third-party account requirement — You never need to sign in to anything to use PrivaBrowse.

Don't take our word for it. Verify everything yourself:

1. Visit Cover Your Tracks by the EFF
2. Visit BrowserLeaks for detailed fingerprint analysis
3. Visit AmIUnique to check your fingerprint uniqueness
4. Visit CanvasBlocker Test for canvas protection
5. Visit WebRTC Leak Test to confirm no IP leaks
6. Visit DNS Leak Test to check for DNS leaks

Every protection is implemented in plain JavaScript, fully readable, no obfuscation:

The package.json pins all dependencies. Clone the repo, run npm install && npm run build, and compare the output to the distributed binary. If they differ, something is wrong and you should not trust it.

User's Request
    │
    ├─► main.js: onBeforeRequest
    │       ├─ FAST_BLOCK_HOSTS (Set, O(1) lookup)
    │       ├─ blocklist.js domains (ads / trackers / aggressive)
    │       ├─ AD_URL_PATTERNS (100+ regex patterns)
    │       ├─ Social tracker hosts (112 domains)
    │       ├─ Crypto miner hosts (84 domains)
    │       ├─ Tracking pixel detection
    │       ├─ Third-party iframe blocking (with functional whitelist)
    │       ├─ YouTube ad endpoint blocking
    │       └─ HTTPS upgrade (if enabled)
    │
    ├─► main.js: onBeforeSendHeaders
    │       ├─ ETag supercookie removal
    │       ├─ Client Hints stripping / spoofing
    │       ├─ URL parameter cleaning (utm_*, fbclid, gclid, etc.)
    │       ├─ Referrer policy enforcement
    │       ├─ User-Agent randomization
    │       ├─ Smart header poisoning (randomizes existing headers only)
    │       ├─ CDN cookie/referrer stripping
    │       ├─ Bounce tracking detection
    │       └─ Redirect tracker bypass (9 bounce domains)
    │
    ├─► main.js: onHeadersReceived
    │       ├─ ETag removal
    │       ├─ Accept-CH / Critical-CH removal
    │       ├─ Privacy Sandbox Permissions-Policy injection
    │       └─ Tracking cookie stripping
    │
    ├─► main.js: Background Tasks
    │       ├─ HSTS supercookie cache clearing (startup + every 30 min)
    │       ├─ Favicon cache clearing (periodic)
    │       ├─ Stale cookie cleanup (domains not visited in 7+ days)
    │       └─ Network state partitioning (via Chromium enable-features flags)
    │
    └─► renderer.js: Injected Scripts
            ├─ FINGERPRINT_SPOOF_SCRIPT (60+ vectors)
            ├─ DATA_POISONER_SCRIPT (fetch, XHR, beacon, form, pixel, geo)
            ├─ STORAGE_CLEANUP_SCRIPT (60+ tracker keys purged every 60s)
            ├─ MISC_PRIVACY_SCRIPT (anchor pings, referrer, sendBeacon, ReportingObserver)
            ├─ Cookie consent auto-dismissal
            ├─ Newsletter popup killer
            ├─ Idle dialog dismissal
            ├─ Cosmetic ad filtering (Universal Ad Nuker)
            ├─ YouTube ad blocker
            ├─ Link URL cleaner (strips tracking params from hrefs)
            ├─ Link click param stripping (MutationObserver + click/auxclick hooks)
            └─ PrivaForge dev tools (Terminal, X-Ray, Pulse, Vault, Paint, Scan)

PrivaBrowse is built on Electron. We acknowledge this dependency and its implications:

• Electron 40.6.1 — Provides the Chromium rendering engine and Node.js runtime. We apply restrictive webPreferences (context isolation, disabled Node integration, sandboxing) to minimize Electron's attack surface.
• No third-party analytics SDKs — Zero. None. Not one.
• No third-party ad SDKs — We would sooner shut down.
• No CDN-loaded scripts — Everything ships in the binary. No external JavaScript is loaded at runtime by PrivaBrowse itself.
• Chromium telemetry — Disabled at the Electron configuration level. No Google services are contacted.

All dependencies are listed in package.json and are auditable via npm audit.

Privacy & Anti-Tracking:

• Expanded blocklist to 2,100+ domains
• Added Nuclear Data Poisoning Engine (55+ fields on tracker API requests)
• Refactored header poisoning from 200+ bulk-injected headers to smart approach (randomizes existing headers only) — fixes performance issues and website breakage
• Added Privacy Sandbox API blocking (FLEDGE, Topics, Attribution Reporting, Shared Storage, Fenced Frames) via Chromium flags + Permissions-Policy
• Added network state partitioning (HTTP cache, connections, SSL sessions, DNS isolated per site)
• Added HSTS supercookie protection (cache cleared on startup + every 30 minutes)
• Added favicon supercookie protection (periodic cache clearing)
• Added bounce tracking detection (< 1.5s redirects detected, cookies/storage purged)
• Added stale cookie cleanup (domains not visited in 7+ days have cookies deleted)
• Added local CDN privacy (Decentraleyes-style cookie/referrer stripping + tracking script blocking)
• Added link click parameter stripping (MutationObserver + click hooks clean 110+ params from <a> hrefs in real-time)
• Expanded URL parameter stripping to 110+ params (navigation + in-page links)
• Removed all company exclusions from data poisoning
• Expanded fingerprint protection to 60+ vectors
• Added WebSocket payload poisoning for tracker hosts
• Added EventSource (SSE) blocking for tracker hosts
• Added redirect tracker bypass (t.co, l.facebook.com, google.com/url, etc.)
• Added periodic storage cleanup (60+ tracker localStorage keys every 60s)
• Added anchor ping stripping and document.referrer sanitization

Search & Browsing:

• Removed Google, Bing, Yahoo search engines
• Added SearXNG, Mojeek, MetaGer, Swisscows, Yep

UI & Features:

• Added PrivaForge — custom cyberpunk developer tools with 6 panels (Terminal, X-Ray, Pulse, Vault, Paint, Scan)
• Added cookie consent auto-dismissal
• Added newsletter popup killer
• Added cosmetic ad filtering (Universal Ad Nuker)
• Added YouTube-specific ad blocking
• Added link URL cleaning (strips tracking params from hrefs)
• Added Tracker Graveyard (per-domain blocked request stats)
• Added Data Saver Mode
• Added Focus Mode
• Added HTTPS enforcement
• Added encrypted password vault

Security:

• Added process sandboxing and 30+ Chromium security flags
• Added strict Content Security Policy
• Added IPC input validation and rate limiting
• Added navigation guards and webview hardening

Bug Fixes:

• Fixed Ctrl+C/V/X/A not working (replaced null application menu with proper hidden Edit menu)
• Fixed yellow annotation bar appearing on text selection (disabled auto-injection of PAGE_ANNOTATE_SCRIPT)
• Fixed YouTube breakage caused by overly broad tracker detection regex
• Added safe-host bypass for data poisoner to prevent first-party site interference

Performance:

• Optimized blocklist lookups: O(1) Set for hostnames, single compiled RegExp for URL patterns
• Consolidated URL parsing in network handlers to reduce redundant new URL() calls
• Tightened tracker detection regex to use word boundaries and exact domain matching

Found a tracker we missed? A site that breaks? A privacy concern in our code?

• GitHub Issues: Report bugs, broken sites, or missed trackers
• Pull Requests: Every contribution is reviewed for privacy implications before merge
• Security Disclosures: If you find a security vulnerability, please report it responsibly via GitHub's private vulnerability reporting

This document is updated whenever PrivaBrowse's protection mechanisms change.
Last updated: March 6, 2026 · Version 1.1.0