ua-tracer
by Paul Kinlan
ua-tracer
what does a user agent actually fetch, follow & run?
Trace coYjED9R
First seen: 2026-07-02 18:55:22.545 UTC
User-Agent: Bridgy Fed (https://fed.brid.gy/)
Bot verification: Not a known bot (no IP-range check applies).
What this user agent did
Directly-referenced assets:
✗ fetched CSS
✗ fetched JS
✗ fetched image
✗ fetched font (HTML)
Document-level link hints:
✗ fetched favicon
✗ fetched apple-touch-icon
✗ fetched web manifest
✗ fetched preload
✗ fetched prefetch
Second-level follows (proves it parsed the linking file):
✗ followed CSS background-image
✗ followed CSS @font-face
✗ followed manifest icon
✗ followed CSS @import
Frames (does it descend into iframes?):
✗ fetched iframe document
✗ descended into iframe (loaded inner image)
Reporting (a report-only CSP is violated by inline styles; reports can arrive via HTTP headers with no JS, or via in-page beacons):
✗ sent a CSP/Reporting report (any path)
✗ delivered via report-uri/Report-To header (no JS)
✗ delivered via in-page beacon (securitypolicyviolation / ReportingObserver)
Social embed (Open Graph / Twitter card images):
✗ fetched og:image
✗ fetched twitter:image
JavaScript execution:
✗ EXECUTED classic JS
✗ EXECUTED ES module
✗ posted client timing
Server-side request waterfall
Every request the server received for this trace, in receive order. +ms is the delta from the
homepage request.
| Received | Δ | Kind | Method | User-Agent |
|---|---|---|---|---|
| 2026-07-02 18:55:22.545 UTC | +0 ms | homepage | GET | Bridgy Fed (https://fed.brid.gy/) |
request headers (12){
"accept": "application/activity+json, application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\", text/html; charset=utf-8; q=0.5",
"accept-encoding": "gzip, deflate",
"connection": "keep-alive",
"content-type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"",
"date": "Thu, 02 Jul 2026 18:55:21 GMT",
"digest": "SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
"host": "uatracer.com",
"signature": "keyId=\"https://fed.brid.gy/fed.brid.gy#key\",algorithm=\"rsa-sha256\",signature=\"St8OE6MrFYWIaZEGgYLv2MlJs2ZbhQmH7Ui9/hvrTcUxSW+7YGoiosBpsLHJ4R9Ca8cIo9n6OT+e0Ndg9whZiaorAAOugdMyS/s057nkNxz1vxnhPtOYIq4IUhmz4um7IYRLiODmSLMh2r1sSyp4qfqLBWy2rSpEiVeS09izgCdaJZmk1OUPeyLmRQPh7IkKgsrsZ4RuYgaKP/I0dORUcAQaRqcretSsXnYuXTa6VjI13LP+LdOujKHoWPUvKVGBUj1P8CzOSYrpnUs5Ekwu0KMXP4afBYPeA5tbAdRRJvWqSwAxyURfcuCRggpEXhho/ugNhDijV1OOWAXZ0phiUw==\",headers=\"date host digest (request-target)\"",
"traceparent": "00-ce78bad5ea18173d3f643085c63bc79a-8e44608463781ab7-01",
"tracestate": "",
"user-agent": "Bridgy Fed (https://fed.brid.gy/)",
"via": "HTTP/1.1 ams.vultr.prod.deno-cluster.net"
}
|
||||