feder-cr/invisible_playwright

vfirefox-7 Bugfix

This release fixes issues for SREs watching stability and regressions.

Published 13d API Development

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

anti-bot anti-detect-browser automation browser-automation browser-fingerprinting captcha

+14 more

captcha-bypass fingerprint fingerprint-spoofing fingerprintjs firefox hcaptcha headless-browser playwright recaptcha recaptcha-bypass scraping socks5 stealth web-scraping

ReleasePort's take

Light signal

editorial:auto 12d

Firefox 7 fixes a tab‑crash bug in Windows headless mode triggered by the Chromium sandbox and canvas2d getImageData.

Why it matters: Patch to Firefox 7 immediately if using headless=True on Windows with canvas2d operations; the crash is resolved.

Summary

AI summary

Fixed tab crashes and canvas getImageData segfaults when running Firefox headless with alt-desktop scenario.

Changes in this release

Type	Severity	Summary	CVE
Bugfix
Bugfix	Medium	Fixes tab crash on Windows headless=True caused by Chromium sandbox and canvas getImageData issue. Fixes tab crash on Windows headless=True caused by Chromium sandbox and canvas getImageData issue. Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	Fixes tab crash on Windows when running headless with Chrome sandbox level 6. Fixes tab crash on Windows when running headless with Chrome sandbox level 6. Source: granite4.1:30b@2026-05-22-audit Confidence: low	—
Bugfix	Medium	Prevents segmentation fault in canvas2d getImageData on GPU-backed canvases by writing to writable buffer after swizzle step. Prevents segmentation fault in canvas2d getImageData on GPU-backed canvases by writing to writable buffer after swizzle step. Source: granite4.1:30b@2026-05-22-audit Confidence: low	—

Full changelog

Fixes #18 (id.sky.com tab crash on Windows headless=True). Two separate bugs that only triggered together on the alt-desktop scenario:

The Chromium content sandbox at the default level 6 sets STARTUPINFO.lpDesktop=kAlternateWinstation, putting content processes on a different desktop than the wrapper's hidden alt-desktop (which is created via CreateDesktop for window hiding when headless=True). Cross-process navigations like the ones Adobe AppMeasurement triggers can't reparent windows across desktops and the new content process exits cleanly. Wrapper-side fix lowers content sandbox to level 4 so all processes stay on the parent's desktop.

The canvas2d getImageData stealth spoof was writing to a read-only mapped DataSourceSurface. On CPU-backed canvases the write succeeded in practice; on GPU-backed canvases the memory is write-protected and the write segfaulted. That's why the crash showed up at browser.close — id.sky.com runs a final getImageData during page unload. Source-side fix moves the noise application to the JS Uint8ClampedArray's writable backing buffer after the swizzle step.

Tested end-to-end with InvisiblePlaywright headless=True + UK proxy: page survives 30s+, no crash in loop or at close.

Built from feder-cr/invisible-firefox commit 2e17b4871f93 on stealth/150.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track feder-cr/invisible_playwright

Get notified when new releases ship.

About feder-cr/invisible_playwright

All releases →