ua-tracer
by Paul Kinlan
ua-tracer
what does a user agent actually fetch, follow & run?
Trace T7ww0gpK
First seen: 2026-07-02 13:49:02.699 UTC
User-Agent: Mozilla/5.0 (compatible; DemoBot/1.0; +https://example.com)
What this user agent did
Directly-referenced assets:
✓ fetched CSS
✓ fetched JS
✗ fetched image
✗ fetched font (HTML)
Document-level link hints:
✗ fetched favicon
✗ fetched apple-touch-icon
✗ fetched web manifest
✗ fetched preload
✗ fetched prefetch
Second-level follows (proves it parsed the linking file):
✓ followed CSS background-image
✗ followed CSS @font-face
✗ followed manifest icon
✗ followed CSS @import
Frames (does it descend into iframes?):
✗ fetched iframe document
✗ descended into iframe (loaded inner image)
Reporting (a report-only CSP is violated by inline styles; reports can arrive via HTTP headers with no JS, or via in-page beacons):
✗ sent a CSP/Reporting report (any path)
✗ delivered via report-uri/Report-To header (no JS)
✗ delivered via in-page beacon (securitypolicyviolation / ReportingObserver)
Social embed (Open Graph / Twitter card images):
✗ fetched og:image
✗ fetched twitter:image
JavaScript execution:
✓ EXECUTED classic JS
✗ EXECUTED ES module
✗ posted client timing
Server-side request waterfall
Every request the server received for this trace, in receive order. +ms is the delta from the
homepage request.
| Received | Δ | Kind | Method | User-Agent |
|---|---|---|---|---|
| 2026-07-02 13:49:02.699 UTC | +0 ms | homepage | GET | Mozilla/5.0 (compatible; DemoBot/1.0; +https://example.com) |
request headers (8){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-ac896eaf4305c303285f2c870b3f7cb5-8f8659643911f099-01",
"tracestate": "",
"user-agent": "Mozilla/5.0 (compatible; DemoBot/1.0; +https://example.com)",
"via": "HTTP/2 ams.vultr.prod.deno-cluster.net",
"x-deno-userspace-traceparent": "00-ac896eaf4305c303285f2c870b3f7cb5-c7c25fc32a6063c3-01",
"x-deno-userspace-tracestate": ""
}
|
||||
| 2026-07-02 13:49:04.579 UTC | +1880 ms | CSS | GET | curl/8.20.0 |
request headers (8){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-929ebcae83c553cecfe9f2291986a998-c07bd85f5c131e2d-01",
"tracestate": "",
"user-agent": "curl/8.20.0",
"via": "HTTP/2 ams.vultr.prod.deno-cluster.net",
"x-deno-userspace-traceparent": "00-929ebcae83c553cecfe9f2291986a998-80f8d7ed684a6b41-01",
"x-deno-userspace-tracestate": ""
}
|
||||
| 2026-07-02 13:49:05.451 UTC | +2752 ms | JS | GET | curl/8.20.0 |
request headers (8){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-c0d561ae94ca61c70eb46221a62095a2-093eb42670171e3c-01",
"tracestate": "",
"user-agent": "curl/8.20.0",
"via": "HTTP/2 ams.vultr.prod.deno-cluster.net",
"x-deno-userspace-traceparent": "00-c0d561ae94ca61c70eb46221a62095a2-7f584b250f8b71c2-01",
"x-deno-userspace-tracestate": ""
}
|
||||
| 2026-07-02 13:49:06.393 UTC | +3694 ms | CSS background-image | GET | curl/8.20.0 |
request headers (8){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-55502524b368240d5f523cf8dfe053a6-bf5d3a519eea5b33-01",
"tracestate": "",
"user-agent": "curl/8.20.0",
"via": "HTTP/2 ams.vultr.prod.deno-cluster.net",
"x-deno-userspace-traceparent": "00-55502524b368240d5f523cf8dfe053a6-a7ee02a1c6aa00c3-01",
"x-deno-userspace-tracestate": ""
}
|
||||
| 2026-07-02 13:49:07.278 UTC | +4579 ms | JS executed beacon | GET | curl/8.20.0 |
request headers (8){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-170ada53b8b818df779eef4643d519c1-3aed0546684d14b2-01",
"tracestate": "",
"user-agent": "curl/8.20.0",
"via": "HTTP/2 ams.vultr.prod.deno-cluster.net",
"x-deno-userspace-traceparent": "00-170ada53b8b818df779eef4643d519c1-74eb4dc885f1d2e4-01",
"x-deno-userspace-tracestate": ""
}
|
||||
Client-side resource waterfall
JS executed (beacon hit) but no resource-timing payload was posted (UA may block sendBeacon/fetch or strip the body).