←back to thread

Curl-impersonate: Special build of curl that can impersonate the major browsers

(github.com)
545 points mmh0000 | 2 comments | 03 Apr 25 15:24 UTC | HN request time: 0s | source
Show context
ec109685 ◴[03 Apr 25 16:59 UTC] No.43572497[source]
There are API’s that chrome provides that allows servers to validate whether the request came from an official chrome browser. That would detect that this curl isn’t really chrome.

It’d be nice if something could support curl’s arguments but drive an actual headless chrome browser.

replies(4): >>43572551 #>>43572562 #>>43572695 #>>43573014 #
do_not_redeem ◴[03 Apr 25 17:41 UTC] No.43573014[source]
Siblings are being more charitable about this, but I just don't think what you're suggesting is even possible.

An HTTP client sends a request. The server sends a response. The request and response are made of bytes. Any bytes Chrome can send, curl-impersonate could also send.

Chromium is open source. If there was some super secret handshake, anyone could copy that code to curl-impersonate. And if it's only in closed-source Chrome, someone will disassemble it and copy it over anyway.

replies(2): >>43573123 #>>43574874 #
1. gruez ◴[03 Apr 25 17:52 UTC] No.43573123[source]
>Chromium is open source. If there was some super secret handshake, anyone could copy that code to curl-impersonate. And if it's only in closed-source Chrome, someone will disassemble it and copy it over anyway.

Not if the "super secret handshake" is based on hardware-backed attestation.

replies(1): >>43573219 #
2. do_not_redeem ◴[03 Apr 25 17:59 UTC] No.43573219[source]
True, but beside the point.

GP claims the API can detect the official chrome browser, and the official chrome browser runs fine without attestation.