MIME Type and Codec Fingerprinting: How Media Support Tracks You

How MediaCapabilities, canPlayType, and codec support queries create unique fingerprints, and techniques to control media format identity.

Introduction

Modern browsers support a wide range of media formats, from established standards like H.264 and AAC to newer codecs like AV1, VP9, and Opus. Web developers need to know which formats a browser can play, so the platform provides several APIs for querying media capabilities. These APIs help websites serve the right video and audio format for each visitor, ensuring optimal playback quality and performance.

However, codec support varies significantly between browsers, operating system versions, and hardware configurations. A browser on Windows with hardware video decoding reports different capabilities than the same browser version on Linux without hardware acceleration. These differences create a stable, queryable fingerprint that requires no permissions and produces no user-visible indicators. Any website can enumerate codec support in milliseconds, building a detailed media capability profile of your device without your knowledge or consent.

This is why media format fingerprinting is a serious privacy concern, and why BotBrowser provides comprehensive protection at the engine level.

Privacy Impact

Media capability fingerprinting is particularly effective because the codec landscape is highly fragmented. Unlike simpler fingerprint signals that produce a handful of distinct values, codec support creates a matrix of hundreds of potential combinations. This high entropy makes it one of the more powerful fingerprinting techniques available to websites.

Consider the scope of variation that exists across platforms:

  • Hardware video decoding depends on browser version, GPU model, and operating system. The availability of hardware acceleration for specific codecs reveals detailed information about your system's hardware.
  • Platform-specific codecs are available on some operating systems but not others. Certain codecs are provided through the operating system's native media framework, making them a direct indicator of your platform.
  • Premium codecs (such as Dolby Vision and Dolby Atmos) are available only on specific hardware and operating system combinations, further narrowing your device identity.
  • Container and codec combinations produce different support levels depending on the browser and platform, creating additional data points for fingerprinting.
  • Audio codec support varies across platforms in subtle ways that add to the overall fingerprint, even though most modern browsers share a common baseline.

The combination of responses across dozens of common media format queries produces a highly distinctive profile. When more advanced capability queries are used, additional information about hardware acceleration, power efficiency, and smooth playback is exposed, further increasing the fingerprint's uniqueness.

A 2022 analysis of the Alexa top 10,000 sites found that over 15% queried media capabilities as part of their fingerprinting scripts. The queries are fast, require no permissions, and are indistinguishable from legitimate feature detection for media playback. This makes them difficult to block without breaking the web experience.

Why This Matters for Your Privacy

Your Hardware Revealed

Every media capability query reveals something about your hardware: whether your GPU supports hardware decoding for a specific format, what codecs your operating system provides natively, and what level of performance your device can achieve for various media types. All of this information is exposed silently, without any notification or consent prompt.

Persistent Identification

Unlike cookies, which can be cleared, your codec support profile is tied to your hardware and operating system. It remains the same across browsing sessions, incognito mode, and even after clearing all browser data. This persistence makes codec fingerprinting especially valuable for tracking purposes.

Cross-Site Tracking

Because your codec profile is consistent across every website you visit, it can be used as a linking identifier. Two different websites that both query your media capabilities will receive the same responses, allowing them to correlate your visits even without shared cookies or login information.

No User Awareness

There is no visual indicator when a website queries your media capabilities. No permission dialog appears. No icon is shown in the address bar. Users have no way to know that their codec profile is being collected, and no browser setting to prevent it.

Common Protection Approaches and Their Limitations

VPNs and Proxy Servers

VPNs have no effect on codec support queries. Media capability detection happens entirely within the browser and does not involve network requests. Two devices behind the same VPN report completely different codec profiles based on their local hardware and software. VPNs protect your IP address, but they leave your media fingerprint fully exposed.

Incognito and Private Browsing

Private browsing modes do not modify codec support. The same responses are returned in incognito as in a normal window, because codec support is determined by the browser binary and OS configuration, not by stored data. Incognito mode is designed to prevent cookie and history persistence, not to change your device's fundamental capabilities.

Browser Extensions

Extensions that attempt to modify media capability responses face several fundamental problems:

  • Consistency across multiple APIs: The browser exposes codec information through several different interfaces. Modifying one without also modifying the others creates detectable inconsistencies that are actually worse for your privacy than the original fingerprint.
  • Functional impact: Incorrectly reporting a codec as unsupported when it is actually available can break video and audio playback. Reporting a codec as supported when it is not causes playback failures. Either way, the user experience suffers.
  • Detection surface: Overriding native browser methods at the JavaScript level changes their internal properties and can be detected through inspection techniques.
  • Scope limitations: Extensions typically cannot intercept capability queries made from Web Workers or service workers, leaving those contexts with unprotected information.

Randomization

Randomly modifying codec responses is impractical. Unlike canvas or audio fingerprinting where small noise perturbations are possible, codec support is fundamentally binary: a format is either supported or it is not. Random responses would break media playback and produce obviously invalid combinations that draw more attention than the original fingerprint would.

BotBrowser's Engine-Level Approach

BotBrowser controls media capability responses at the browser engine level, ensuring that all codec-related APIs return results consistent with the loaded fingerprint profile. This is not a JavaScript patch or browser extension. BotBrowser modifies the browser's internal media capability reporting, so every API returns authentic, profile-consistent results.

Profile-Based Media Capabilities

When a fingerprint profile is loaded, BotBrowser configures the complete codec support matrix to match the profile's target platform:

chrome --bot-profile="/path/to/profile.enc" \
       --user-data-dir="$(mktemp -d)"

The profile defines the complete set of codec responses, captured from a real device matching the profile's configuration. This includes:

  • Correct support levels for each media format and codec combination
  • Appropriate hardware acceleration flags
  • Platform-accurate power efficiency and smooth playback indicators
  • Consistent responses between all media capability APIs

Every response matches what a real device with the profiled configuration would report. There are no gaps, no inconsistencies, and no signals that could indicate the responses have been modified.

Cross-API Consistency

BotBrowser ensures that all codec-related APIs agree with each other. If one API reports support for a given format, the other APIs also report consistent support with appropriate details. This multi-API consistency is critical because fingerprinting scripts routinely query multiple APIs and compare the results to detect inconsistencies.

Platform-Accurate Responses

A Windows profile reports Windows-specific codecs (including those provided through the platform's native media framework), while a Linux profile omits platform codecs that are not available on Linux. This alignment extends to hardware acceleration: a profile targeting a system with a specific GPU reports hardware decoding capabilities consistent with that GPU's decoder support.

This platform accuracy is what separates BotBrowser from surface-level approaches. Every detail of the media capability profile corresponds to a real, coherent hardware and software configuration.

No Functional Impact

Because BotBrowser controls the engine-level codec reporting rather than blocking API calls, media playback continues to work normally. Websites that use codec queries for legitimate format selection receive appropriate information about what the browser can play. Your privacy is protected without sacrificing functionality.

Configuration and Usage

Basic CLI Usage

Codec protection is automatic when loading a profile:

chrome --bot-profile="/path/to/profile.enc" \
       --user-data-dir="$(mktemp -d)"

Playwright Integration

const { chromium } = require('playwright-core');

(async () => {
  const browser = await chromium.launch({
    executablePath: '/path/to/botbrowser/chrome',
    args: [
      '--bot-profile=/path/to/profile.enc',
    ],
    headless: true,
  });

  const context = await browser.newContext({ viewport: null });
  const page = await context.newPage();

  // Navigate to verify codec signals are consistent
  await page.goto('https://example.com');

  // Check codec protection is active
  const codecInfo = await page.evaluate(() => {
    const video = document.createElement('video');
    const codecs = [
      'video/mp4; codecs="avc1.42E01E"',
      'video/webm; codecs="vp9"',
      'video/mp4; codecs="av01.0.01M.08"',
      'audio/mp4; codecs="mp4a.40.2"',
      'audio/webm; codecs="opus"',
    ];

    return codecs.map(c => ({
      codec: c,
      supported: video.canPlayType(c),
    }));
  });

  console.log('Codec support:', JSON.stringify(codecInfo, null, 2));
  await browser.close();
})();

Puppeteer Integration

const puppeteer = require('puppeteer-core');

(async () => {
  const browser = await puppeteer.launch({
    executablePath: '/path/to/botbrowser/chrome',
    args: [
      '--bot-profile=/path/to/profile.enc',
    ],
    headless: true,
    defaultViewport: null,
  });

  const page = await browser.newPage();
  await page.goto('about:blank');

  // Verify media capabilities match the profile
  const capabilities = await page.evaluate(async () => {
    const result = await navigator.mediaCapabilities.decodingInfo({
      type: 'file',
      video: {
        contentType: 'video/mp4; codecs="avc1.640028"',
        width: 1920, height: 1080, bitrate: 5000000, framerate: 30,
      },
    });
    return {
      supported: result.supported,
      smooth: result.smooth,
      powerEfficient: result.powerEfficient,
    };
  });

  console.log('Media capabilities:', capabilities);
  await browser.close();
})();

Verification

After launching BotBrowser with a profile, verify that your media capability protection is working correctly:

  1. Support levels match the expected values for the profile's target platform. Each codec should return the response that a real device with the profiled configuration would produce.
  2. Cross-API consistency is maintained. All media capability APIs should agree with each other. If one reports support for a format, the others should be consistent.
  3. Platform-specific codecs align with the profile's operating system. Codecs that are only available on certain platforms should be present or absent according to the profile.
  4. Results are stable across page reloads and browser restarts. Your media capability fingerprint should be reproducible and consistent every time.
  5. Fingerprint testing tools report no anomalies in media capability detection. You can use popular fingerprint testing websites to verify that your codec profile appears authentic.
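Steps 2 and 4 above can be checked mechanically once the answers from canPlayType and decodingInfo have been recorded for each content type. The following is an added example, not BotBrowser code: the capture layout, the helper names and the two contradiction rules are assumptions made for illustration, and the sample captures are constructed.

```javascript
// Added example. Captures are constructed; the field names are assumptions.
// Per content type: canPlayType is '' | 'maybe' | 'probably', and decoding is
// the decodingInfo() result for type 'file': { supported, smooth, powerEfficient }.
const mk = (canPlayType, supported, smooth, powerEfficient) =>
  ({ canPlayType, decoding: { supported, smooth, powerEfficient } });

const H264 = 'video/mp4; codecs="avc1.640028"';
const VP9 = 'video/webm; codecs="vp9"';
const AV1 = 'video/mp4; codecs="av01.0.01M.08"';

const run1 = {
  [H264]: mk('probably', true, true, true),
  [VP9]: mk('probably', true, true, false),
  [AV1]: mk('', true, true, false), // constructed contradiction
};
// Second run (after a restart) where one answer drifted.
const run2 = { ...run1, [VP9]: mk('probably', true, true, true) };

// Step 2: flag answers that cannot both be true. decodingInfo() also weighs
// resolution, bitrate and framerate, so "canPlayType says yes, decodingInfo
// says no" is not treated as a contradiction.
function checkCapture(entries) {
  const findings = [];
  for (const [type, { canPlayType, decoding: d }] of Object.entries(entries)) {
    if (!['', 'maybe', 'probably'].includes(canPlayType)) {
      findings.push(`${type}: unexpected canPlayType value`);
    }
    if (d.supported && canPlayType === '') {
      findings.push(`${type}: decodingInfo supported, canPlayType empty`);
    }
    if (!d.supported && (d.smooth || d.powerEfficient)) {
      findings.push(`${type}: smooth/powerEfficient on unsupported config`);
    }
  }
  return findings;
}

// Step 4: list content types whose answers differ between two runs.
function diffRuns(a, b) {
  const types = new Set([...Object.keys(a), ...Object.keys(b)]);
  return [...types].sort().filter(
    (t) => !a[t] || !b[t] || JSON.stringify(a[t]) !== JSON.stringify(b[t]));
}

console.log(checkCapture(run1));
console.log(diffRuns(run1, run2));
```

The capture objects can be produced by returning both API results from a single page.evaluate call and saving them per run.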

Best Practices

  1. Use complete profiles. Codec support is closely tied to the OS, browser version, and GPU. A complete profile ensures all three dimensions are consistent. BotBrowser profiles are captured from real devices, so completeness is built in.

  2. Match profile to intended use case. If your workflow involves media-heavy sites, choose a profile that supports the codecs those sites expect. A profile that lacks certain codecs may cause quality degradation on some streaming sites. BotBrowser offers profiles for various platform configurations to match your needs.

  3. Verify cross-API consistency. Always confirm that multiple media capability APIs agree with each other. Fingerprinting scripts compare results across APIs, so consistency is essential. BotBrowser handles this automatically, but verification gives you confidence.

  4. Do not install additional codec extensions. Browser extensions that add codec support (like h265ify) can alter the codec profile and conflict with BotBrowser's engine-level control. Let the profile handle codec reporting entirely.

  5. Combine with DRM signal protection. Media codec capabilities and DRM codec capabilities should tell a consistent story. Using a single BotBrowser profile ensures alignment across both. See the DRM signal protection article for details.

Frequently Asked Questions

Does codec fingerprinting work on all browsers?

Yes. All major browsers implement media capability APIs. The queries work consistently across all platforms, which is why codec fingerprinting is such a widely used technique. BotBrowser protects against these queries regardless of the profile's target browser.

How many distinct codec fingerprints exist?

The number is very large. With dozens of commonly queried codec strings, each returning multiple possible values, the theoretical combination space is enormous. In practice, real devices cluster into several hundred common configurations, but the fingerprint is still highly distinctive. BotBrowser profiles correspond to real device configurations, ensuring your fingerprint falls within the normal distribution.
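The gap between the theoretical combination space and the clustered reality described here, and in the Privacy Impact section, can be put in numbers. This is an added example, not part of the original article: the population counts are constructed, not measured, and the short query labels are placeholders for full codec strings.

```javascript
// Added example: constructed data, not measurements from real devices.
// Each row is one answer vector for the same five canPlayType() queries
// ('' = no, 'maybe', 'probably') and how many constructed devices share it.
const QUERIES = ['h264', 'vp9', 'av1', 'hevc', 'opus']; // placeholder labels
const population = [
  [['probably', 'probably', 'probably', '', 'probably'], 500],
  [['probably', 'probably', '', '', 'probably'], 300],
  [['probably', 'probably', 'probably', 'probably', 'probably'], 150],
  [['probably', '', '', 'probably', ''], 45],
  [['probably', 'probably', 'maybe', '', 'probably'], 5],
];

const totalDevices = (rows) => rows.reduce((n, [, count]) => n + count, 0);

// Upper bound: every query answered independently with one of three values.
function theoreticalBits(queryCount, valuesPerQuery = 3) {
  return queryCount * Math.log2(valuesPerQuery);
}

// Shannon entropy of the observed distribution, in bits. Clustering into a
// few common configurations pulls this far below the upper bound.
function observedBits(rows) {
  const total = totalDevices(rows);
  return rows.reduce((h, [, count]) => {
    const p = count / total;
    return h - p * Math.log2(p);
  }, 0);
}

// What one device's answers reveal: surprisal in bits, and the number of
// devices that give the same answers (its anonymity set).
function surprisal(rows, answers) {
  const key = answers.join('|');
  const row = rows.find(([a]) => a.join('|') === key);
  if (!row) return { bits: Infinity, anonymitySet: 0 };
  return { bits: -Math.log2(row[1] / totalDevices(rows)), anonymitySet: row[1] };
}

console.log('upper bound :', theoreticalBits(QUERIES.length).toFixed(2), 'bits');
console.log('observed    :', observedBits(population).toFixed(2), 'bits');
console.log('common      :', surprisal(population, population[0][0]));
console.log('rare        :', surprisal(population, population[4][0]));
```

In this constructed population a device with the most common answer vector reveals about 1 bit, while one in the rarest cluster reveals over 7 bits and shares its answers with only five devices.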

Does codec support change between browser versions?

Yes. New browser versions add support for new codecs and occasionally deprecate old ones. BotBrowser profiles are versioned to match specific browser releases, so your codec profile always corresponds to a valid, real-world configuration.

Can websites detect that codec responses are controlled?

If the control is applied at the JavaScript level (overriding native methods), it can be detected. BotBrowser applies control at the engine level, so the native methods themselves return the profile-consistent values. There are no JavaScript overrides to detect. The protection is invisible to the website.

Does this affect actual video playback?

BotBrowser's codec reporting is designed to be consistent with the browser's playback capabilities under the loaded profile. Websites that use codec queries for format selection receive appropriate responses, and media playback works normally. You get privacy protection without sacrificing your browsing experience.

What about encrypted media (EME) codec queries?

EME codec queries (used for DRM-protected content) are also controlled by the profile. See the DRM signal protection article for details on EME-specific protections. BotBrowser ensures both general and DRM-specific codec queries are consistent.

How does this interact with WebRTC codec negotiation?

WebRTC uses separate codec negotiation through SDP (Session Description Protocol). BotBrowser profiles control both web media codec queries and WebRTC-related codec signals for comprehensive consistency. Your media fingerprint is protected across all contexts.

Summary

MIME type and codec support queries are a high-entropy fingerprinting surface that reveals operating system, hardware, and browser configuration details. These queries run silently, require no permissions, and produce stable results that persist across sessions. BotBrowser controls all media capability APIs at the engine level through its profile system, ensuring consistent, cross-API-accurate responses that match the target platform. Your codec fingerprint is authentic, stable, and indistinguishable from a real device. Combined with DRM signal protection, audio fingerprint control, and comprehensive profile management, BotBrowser provides thorough media fingerprint protection.
