github h4ckf0r0day/obscura v0.1.9
v0.1.9: Request interception and global stealth
on GitHub

5 hours ago

v0.1.9

Request interception for the embeddable crate, a global stealth flag, a large stealth-consistency overhaul (creepjs now reports 0% detection), and a batch of CDP, Web API, and build fixes. 59 commits since v0.1.8.

Highlights

Request/response interception API on the embeddable obscura crate (#306): observe, block, mock, or rewrite any request a page makes, including JS fetch()/XHR.
--stealth is now a global flag, applied to fetch, serve, scrape, and mcp, before or after the subcommand (#325). scrape workers inherit it.
Stealth overhaul: one consistent Chrome 145 identity across TLS, JS, and WebGL. creepjs now reports 0% stealth detection. obscura --stealth renders booking.com's AWS WAF challenge like headless Chrome.

New features and Web APIs

• Interception API: on_request / on_response callbacks, enable_interception() (Continue / Fulfill / Fail), and add_preload_script (#306).
• Global --stealth flag across all subcommands (#325).
--dump cookies: export the cookie jar as JSON, including HttpOnly cookies (#313).
--dump assets now also lists fetch()/XHR request URLs (#301).
• CDP Network.setBlockedURLs (#315) and Network.getResponseBody (#300).
Element.getAttributeNames() (#297).
Plugin, MimeType, MimeTypeArray globals (#305).
document.evaluate and XPathResult (XPath subset), enough to scrape Google Maps.
crypto.subtle.digest: added SHA-512/224 and SHA-512/256; unsupported algorithms now throw NotSupportedError instead of silently returning SHA-256 (#314).
DocumentFragment constructor passes through node ids; Range.getBoundingClientRect / getClientRects return the common-ancestor rect.

Stealth and anti-fingerprinting

• Consistent Chrome 145 identity: TLS ClientHello, User-Agent, navigator surfaces, and WebGL renderer all agree.
• creepjs: 0% stealth detection, hasIframeProxy: false.
• Fingerprint surface fixes: AudioBuffer (getChannelData), Crypto / SubtleCrypto, Worker, matchMedia, and performance.memory.jsHeapSizeLimit made consistent with a real Chrome.
• Scripted fetch()/XHR routed through the stealth client so subresource requests carry the same TLS fingerprint and client hints as the navigation.
FormData request bodies serialized to multipart/form-data (the fix that clears the booking.com AWS WAF challenge).
sec-ch-ua client hints derived from the User-Agent on the default path; navigation headers sent in Chrome's order.
navigator.permissions.query returns "prompt" for camera, microphone, geolocation, and midi.
NetworkInformation and ContentIndex shims.
event.isTrusted is false for page-constructed events; the Event constructor reports as native (#303).

CDP and input

• Backspace and typing honor the text selection; triple-click selects all (#316, #320, #321).
clickCount reaches MouseEvent.detail, and the char-input handler pumps the event loop so framework change detection fires (#317).

Fixes

• Blob-URL Worker race fixed; location updates synchronously on navigation.
• macOS x86_64 binaries are built on a native Intel runner, fixing a SIGSEGV at startup (#290).
• Windows build: dropped the unused reqwest cookies feature that caused a cookie-crate E0119 (#295).

Docs

• New SECURITY.md, CONTRIBUTING.md, AGENTS.md, and GitHub issue templates.
• Guides for the interception API, the global stealth flag, and the new dump formats.

Known limitation

• The interception resource_type reports Fetch for JS-initiated requests and does not yet distinguish Xhr.

Check out latest releases or
releases around h4ckf0r0day/obscura v0.1.9

Don't miss a new obscura release

NewReleases is sending notifications on new releases.

Get notifications