explaingit

jonasstrehle/supercookie

7,050 · HTML · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

An educational demo showing how websites can persistently identify browsers by exploiting the favicon cache, a tracking technique that survives clearing cookies, cache, and even incognito mode.

Mindmap

mindmap
  root((repo))
    What it does
      Favicon cache tracking
      Privacy demonstration
    How it Works
      Binary path patterns
      Request detection
    Persistence
      Survives cookie clearing
      Works in incognito
    Setup
      Docker or Node.js
      Two env variables


Things people build with this

USE CASE 1

Run the demo locally to see favicon-based browser tracking in action and understand how it works.

USE CASE 2

Study the technique to design defenses or audit whether your browser is vulnerable to this type of fingerprinting.

USE CASE 3

Use the persistence comparison table to understand which privacy measures fail against supercookies.

Tech stack

HTML · Node.js · Docker

Getting it running

Difficulty · easy · Time to first run · 30 min

Requires Docker or Node.js and setting two environment variables for hostname and port.

No license information is mentioned in the explanation.

In plain English

Supercookie is a demonstration project that shows how a website can assign a unique, persistent identifier to a browser by exploiting the way browsers cache favicons. Favicons are the small icons you see in browser tabs and bookmarks. The project is explicitly educational, intended to illustrate a privacy vulnerability rather than to enable tracking in practice.

Browsers store favicons in a separate local cache, apart from the regular browser cache, to load them quickly on return visits. A web server can detect whether your browser already has a favicon cached for a specific URL path. By serving favicons for some paths and withholding them from others, a server can create a unique binary pattern across dozens of paths. When you revisit the site, the browser only requests the favicons it does not yet have cached. The server reads which requests are made and which are not, reconstructs the pattern, and identifies you without any cookies being set.

What makes this technique notable is its persistence. Unlike ordinary cookies, which a user can clear, the favicon cache survives: clearing cookies, clearing the browser cache, closing and reopening the browser, rebooting the computer, using incognito or private browsing mode, and using a VPN. The README includes a comparison table showing that supercookie beats conventional cookies on every category of persistence and anti-tracking resistance it tested.

The project is backed by research from scientists at the University of Illinois at Chicago. A live demo is available online. The source code can be run locally using either Docker or Node.js. Installation involves cloning the repository, setting a couple of environment variables for the hostname and port, and then starting the server. Full documentation covering the technical details is linked from the README.
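The write-then-read cycle described above, as an added in-memory model that is not the repo's code and speaks no HTTP: the path layout (/p<i>/favicon.ico, one bit per path) and the 8-bit identifier are assumptions, and the `consultCache` switch models a browser that never reuses its favicon cache, which is what a defense such as per-visit isolation of that cache would achieve.

```javascript
// Added model (not the repo's code) of the favicon-cache identifier scheme
// described above; paths of the form /p<i>/favicon.ico are an assumption.
const BITS = 8;
const pathFor = (i) => `/p${i}/favicon.ico`;
// Bit i set -> a favicon is served on path i (and cached); bit i clear -> 404.
function pathsServedFor(id) {
  const served = new Set();
  for (let i = 0; i < BITS; i++) if ((id >> i) & 1) served.add(pathFor(i));
  return served;
}
class Browser {
  constructor(consultCache = true) {
    this.cache = new Set();            // paths whose favicon is cached
    this.consultCache = consultCache;  // false: never reuse the favicon cache
  }
  // Walk every path; return the set of paths the browser actually requested.
  visit(server) {
    const requested = new Set();
    for (let i = 0; i < BITS; i++) {
      const p = pathFor(i);
      if (this.consultCache && this.cache.has(p)) continue; // cache hit: no request
      requested.add(p);
      if (server.serve(p)) this.cache.add(p);
    }
    return requested;
  }
}
class Server {
  constructor() { this.served = new Set(); }
  serve(path) { return this.served.has(path); }
  // Write phase: serve favicons only on the paths whose bit is set in `id`.
  assign(id, browser) { this.served = pathsServedFor(id); browser.visit(this); }
  // Read phase: serve nothing; a path the browser did NOT ask for is cached -> bit 1.
  readId(browser) {
    this.served = new Set();
    const requested = browser.visit(this);
    let id = 0;
    for (let i = 0; i < BITS; i++) if (!requested.has(pathFor(i))) id |= 1 << i;
    return id;
  }
}
// Same browser later, no cookie: ID read back intact. A browser that ignores its favicon cache requests every path and reads as 0.
function demo() {
  const tracker = new Server();
  const victim = new Browser();
  tracker.assign(0b10110101, victim);
  const hardened = new Browser(false);
  tracker.assign(0b10110101, hardened);
  return { reread: tracker.readId(victim), hardened: tracker.readId(hardened) };
}
```

An all-zero read is what the server sees from any browser that does not reuse the favicon cache, so such browsers are indistinguishable from one another.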

Copy-paste prompts

Prompt 1
Walk me through how supercookie uses the favicon cache to create a unique browser identifier. How does the binary path pattern work?
Prompt 2
How do I run the supercookie demo locally using Docker? Show me the steps including the environment variables I need to set.
Prompt 3
Which browser privacy measures does supercookie bypass? List each one and explain why it does not block the favicon tracking technique.
Prompt 4
How can a browser or privacy extension detect and block favicon-cache-based tracking like supercookie uses?

Verify against the repo before relying on details.