navigator.languages differs between the main thread and a Web Worker
br.languages_worker_vs_main · convicts
What it catches
The language half of the geo-spoof realm pair (with timezone_worker_vs_main). A residential-proxy bot patches navigator.languages in the main realm to match the proxy's country, but a JS patch cannot reach Web Worker scope, so a Worker reports the real host languages. Grounded headless: a normal real browser reports identical languages in both realms (no fire). EXPERIMENTAL — unlike timezone, a legitimate CDP locale override (context.locale) does NOT propagate to the Worker (grounded: main es-ES, worker en-US → diverges), so this fires on legit locale emulation and on the rare real user running a language-spoofing privacy extension; kept corroborating until the legit-browser divergence rate is validated against Tier-3 real traffic. Catches both JS- and CDP-level main-realm language spoofs.
Signals it reads
browser.languages_worker_divergence
How it fires
present
Evaders it caught 5
Bypassed by 10
Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.