Easy. Just make a small fragment shader to produce a token in your client. No bot is going to waste GPU resources to compile your shader.
Why do people even think this? Bots almost always just use headful instrumented browsers now. if a human sitting at a keyboard can load the content, so can a bot.
Security measures never prevent all abuse. They raise the cost of abuse above an acceptable threshold. Many things work like this. Cleaning doesn't eliminate dirt, it dilutes the dirt below an acceptable threshold. Same for "repairing" and "defects", and some other pairs of things that escape me atm.
That's the same argument as CAPTCHA's - as far as I know there are no bots protesting them making their lives harder, but as a human - my life is much harder than it needs to be because things need me to prove I'm a human.
Clean for data ingestion usually means complicated for data creation - optimizing for the advertisers has material cash value downstream, but customers are upstream, and making it harder is material too.
What is so hard about running a fragment shader after the site has loaded?
I have to assume /s, but lacking that -- Why can't you just allow `curl`? You need a human for advertising dollars or a poor mechanism of rate limiting. I want to use your service. If you're buying me a fragment shader, I guess that's fine, but I'm feeding it to the dogs, not plugging in your rando hardware in to my web-browser.
I just want to limit my server to usual human users. If you have JavaScript disabled, you won't be missed. Sorry.
We are talking about Curl bots here. How is what you are saying relevant?
Can't they use a software renderer like swiftshader? You don't need to pass in an actual gpu through virtio or whatever.
Maybe you can call a WebGL extension that isn't supported. Or better yet have a couple of overdraws of quads. Their bot will handle it, but it will throttle their CPU like gangbusters.
Sounds like a PoW system with extra steps?
It's exactly a PoW system, but with fewer steps. Most bots can't run GPU workloads. Some do, and that's fine.
My hardware is not yours to galavant in, and your fitzing around in my digital home for your server's sake just lays bare you are being self-referentially inconsistent. You value the sanctity of your hardware, not mine.
You may not realize it, but you're sounding exactly like part of the problem here.
I don't think running a fragment to calculate one blit operation isn't doing anything to the "sanctity of your machine". Believe me, Chrome abuses your GPU much more than that. Turn off JavaScript if it bothers you so much. You won't be missed.
You are just guessing, please stop. Also, you’re wrong. All serious scraping is using browsers today.
Can't a bot just collect a few real tokens and then send those instead of trying to run the shader?
How do you automate that? Just generate a new token for each day.
replay attacks are some of the easiest to automate