Browser DevTools Protocol changes in 2026: scrapers’ impact
DevTools Protocol 2026 is undergoing the most significant set of changes in the protocol’s decade-long history. Chrome DevTools Protocol (CDP), the underlying transport for Puppeteer, Playwright, and most modern browser automation, is being progressively reshaped by three concurrent forces: tighter fingerprint surface restrictions, the convergence with the WebDriver BiDi standard, and the security hardening required to defend against the emerging class of agentic browsers. For scrapers, the implications are direct: the patterns that worked in 2023 are partially broken, the patterns that emerged in 2024 are being formalised, and the patterns that will work in 2027 are still being shaped. This guide walks through the protocol changes, the impact on common scraping libraries, the migration patterns that work, and a forward-looking posture for operators.
The audience is the scraping engineer or platform owner whose pipeline depends on browser automation via CDP, WebDriver, or higher-level frameworks built on them.
What CDP and WebDriver BiDi actually are
The Chrome DevTools Protocol is the JSON-RPC over WebSocket protocol that Chrome exposes for browser inspection and control. Originally designed for the Chrome DevTools UI, CDP became the foundation for headless and automated browsing because it gives complete programmatic control over the browser: navigation, page evaluation, network interception, screenshot capture, fingerprint manipulation.
WebDriver, defined by W3C, is the older standardised browser automation protocol. Selenium uses WebDriver. WebDriver BiDi is the next-generation WebDriver, designed to provide bidirectional event-driven control similar to CDP while maintaining the W3C standard’s portability across browsers.
The 2024-2026 trajectory is convergence: BiDi capabilities catching up with CDP, browsers exposing both, and automation frameworks supporting both with BiDi as the default for cross-browser work.
| Protocol | Current state (mid-2026) | Browser support | Scraping use |
|---|---|---|---|
| CDP (Chrome) | Mature, evolving | Chrome, Edge, Brave (Chromium-based) | Most existing scrapers |
| WebDriver Classic | Stable | All major browsers | Selenium-based scrapers |
| WebDriver BiDi | Production with caveats | Chrome, Firefox, Safari (partial) | New cross-browser scrapers |
The 2024-2026 changes that bite scrapers
Five concrete changes shape the scraping landscape.
Change one: Chrome’s fingerprint surface tightening. Chrome’s Privacy Sandbox initiative removed or restricted several fingerprintable APIs (User-Agent client hints reduction, narrowed font enumeration, randomised screen size in incognito). These changes affect both genuine privacy users and bot management, with the net effect of narrowing the fingerprint differentiation between bots and humans.
Change two: CDP runtime detection. Bot management vendors (DataDome, PerimeterX, Akamai, Cloudflare) have invested heavily in detecting CDP-driven browsers via subtle runtime artefacts. The 2024-2025 detection waves caught most plain Puppeteer and Playwright deployments; current production scrapers require careful configuration or specialised stealth libraries.
Change three: Network. domain restrictions. Several CDP commands in the Network. domain (request modification, header injection) gained restrictions in Chrome 120-130 to limit abuse. Scrapers that intercepted and modified responses must adapt.
Change four: Headless mode unification. Chrome 109 introduced “new headless” (Headless Shell), and Chrome 132 began deprecating the old headless. The new headless is closer to a real Chrome but with different performance and detection characteristics.
Change five: WebDriver BiDi rolling out. New BiDi-only features (network interception, log capture) make BiDi a credible CDP alternative for many use cases, and frameworks (Playwright, Selenium) are increasingly defaulting to BiDi where possible.
For the broader anti-bot context, see DataDome vs PerimeterX vs Akamai. For the agentic browser angle, see the agentic browser revolution.
Impact on scraping libraries
| Library | Protocol | 2026 status | Migration concern |
|---|---|---|---|
| Puppeteer | CDP | Active, Chromium-only | Headless detection rising |
| Playwright | CDP + BiDi | Active, multi-browser | BiDi default for FF and WebKit |
| Selenium | WebDriver Classic + BiDi | Active | BiDi rollout in progress |
| Cypress | CDP | Active | Test-focused, less scraping use |
| Stagehand | Playwright underneath | Active | Inherits Playwright transitions |
| browser-use | Playwright underneath | Active | Inherits Playwright transitions |
| Selenium-Wire | WebDriver Classic | Maintenance | Network interception harder |
Playwright and Selenium with BiDi are the forward-compatible bets. Puppeteer remains strong for Chrome-only work. Older libraries built on CDP-only assumptions are increasingly fragile.
Detection arms race: what bot management sees
CDP-driven browsers leave subtle traces that bot management can detect:
| Trace | Source | Detection |
|---|---|---|
| navigator.webdriver true | Old WebDriver default | Trivially detectable |
| Missing chrome.runtime | Old headless | Detectable |
| Inconsistent UA strings | Manual UA override | Easy to flag |
| Permissions API anomalies | CDP affects permissions | Detectable |
| Cdc_* properties (ChromeDriver) | Selenium-specific | Specific signature |
| Runtime.evaluate timings | CDP injection | Subtle but detectable |
| iframe contentDocument access | CDP-mediated access | Detectable |
| WebGL fingerprint anomalies | Headless renderer | Detectable |
The 2026 patterns that defeat most of these:
- Use Stagehand or Browserbase, which absorb stealth concerns at the platform level.
- Use undetected-chromedriver or similar stealth-modified drivers (effective but requires maintenance).
- Use the new Chrome headless mode rather than old headless.
- Apply runtime patches (puppeteer-extra-plugin-stealth equivalents).
- Run real Chrome (not headless) when detection budget allows.
For the deeper fingerprinting question, see TLS fingerprinting for scrapers and canvas fingerprinting bypass techniques.
A migration pattern from CDP-direct to BiDi
For scrapers writing to raw CDP, the BiDi migration path is well-defined. The high-level mapping:
| CDP domain | BiDi equivalent | Notes |
|---|---|---|
| Page.navigate | browsingContext.navigate | Direct mapping |
| Page.captureScreenshot | browsingContext.captureScreenshot | Direct mapping |
| Network.enable | network.addIntercept | Different API style |
| Runtime.evaluate | script.evaluate | Direct mapping |
| Input.dispatchMouseEvent | input.performActions | Different action model |
| Target.* | session.* | Different lifecycle model |
A scraper using Playwright sees almost none of this; the framework abstracts the protocol choice. A scraper using raw CDP via puppeteer-core or chrome-remote-interface needs to migrate manually.
Decision tree: which protocol to build on in 2026
Q1: Are you Chromium-only or cross-browser?
├── Chromium-only -> Q2
└── Cross-browser -> Use Playwright or Selenium (with BiDi).
Q2: Is your work Puppeteer-aligned (single-browser, low-level)?
├── Yes -> Stick with Puppeteer; track BiDi for future migration.
└── No -> Q3
Q3: Do you need stealth above all?
├── Yes -> Stagehand or Browserbase; or stealth-patched Playwright.
└── No -> Playwright with default settings.
What scraping operators should plan for
Three concrete planning items.
First, plan for new headless. The old headless is being retired. New headless behaves more like real Chrome, with different performance and detection characteristics. Migrate now; do not wait for forced removal.
Second, plan for BiDi. New scraping infrastructure should be BiDi-first or framework-agnostic (Playwright handles both). CDP-only investments should be evaluated for migration.
Third, plan for tighter privacy controls. Chrome’s privacy sandbox, Firefox’s Total Cookie Protection, and Safari’s ITP all affect what a browser exposes. Scrapers that depend on specific browser behaviours should test in current and beta Chrome regularly.
For the broader infrastructure planning, see self-hosted proxy infrastructure.
Network interception in the new world
Network interception is one of the most affected areas. CDP’s Network.requestIntercepted and Fetch.* domains evolved with restrictions. BiDi’s network.addIntercept added a more standardised interface.
For scrapers that intercept requests (commonly to skip image/font loading for performance, or to capture specific responses for parsing), the migration:
# Playwright (works with CDP and BiDi automatically)
async def intercept_setup(page):
async def block_resources(route, request):
if request.resource_type in ("image", "font", "media"):
await route.abort()
else:
await route.continue_()
await page.route("**/*", block_resources)
This pattern is portable across the protocol transition because Playwright abstracts the underlying protocol.
Comparison: CDP vs WebDriver Classic vs WebDriver BiDi
| Dimension | CDP | WebDriver Classic | WebDriver BiDi |
|---|---|---|---|
| Standard body | Google (Chromium) | W3C | W3C |
| Browser support | Chromium | All | Chrome, Firefox, partial Safari |
| Bidirectional events | Yes | No (polling) | Yes |
| Network interception | Yes (with restrictions) | No | Yes |
| Console capture | Yes | Limited | Yes |
| Performance | Excellent | Adequate | Good |
| Detectability by bot management | Higher | Higher | Equivalent (early) |
| Future trajectory | Coexists with BiDi | Maintenance | Default cross-browser |
| Best for in 2026 | Chromium-only deep work | Selenium-existing | New cross-browser |
External references
The Chrome DevTools Protocol viewer is at chromedevtools.github.io/devtools-protocol. The W3C WebDriver BiDi specification is at w3.org/TR/webdriver-bidi. Playwright’s protocol notes are at playwright.dev/docs/api/class-browser. Chrome’s release notes for headless changes are at developer.chrome.com/blog.
A forward-looking posture
For a scraping operation building a new pipeline in mid-2026:
- Use Playwright for browser automation. Default to BiDi where Playwright supports it; CDP fallback is automatic.
- Use Stagehand or Browserbase for managed Chrome with stealth built in, when the cost is justified.
- Use new headless mode, never old headless.
- Maintain a stealth-test corpus (a small set of bot-management-fronted pages) to validate detection state on every Chrome version.
- Track Chrome and Firefox release notes for protocol changes. Subscribe to the chromium-discuss mailing list and the WebDriver BiDi GitHub.
For the deeper pattern of testing scraping pipelines against bot detection, see DataDome vs PerimeterX vs Akamai.
Code-level patterns that survive the transition
Three patterns that work in both CDP and BiDi worlds:
# 1. Resource blocking via Playwright
await page.route("**/*", lambda route, request: (
route.abort() if request.resource_type in ("image", "font", "media")
else route.continue_()
))
# 2. Response capture via Playwright
async def on_response(response):
if "api/products" in response.url:
await save(await response.json())
page.on("response", on_response)
# 3. Cookie set via Playwright (works with both protocols)
await context.add_cookies([{
"name": "session", "value": "x", "domain": ".example.com", "path": "/"
}])
Frameworks insulate scrapers from most protocol churn. Direct CDP calls do not.
What about WebRTC, WebTransport, and emerging APIs
The 2026 web includes APIs that did not exist when Puppeteer was designed. WebRTC, WebTransport, the Reporting API, the Permissions Policy framework, and more. CDP and BiDi are evolving to expose these, but coverage is uneven.
For scraping operators working on sites that use these APIs (real-time apps, video conferencing, modern push messaging), the protocol layer matters more than for traditional sites. Expect continued churn through 2027 as the protocols extend coverage.
FAQ
Should I migrate from Puppeteer to Playwright?
For new projects, Playwright is the better default (cross-browser, BiDi-ready). For existing Puppeteer projects, migration is optional unless you need cross-browser.
Is Selenium still relevant in 2026?
Yes. Selenium with BiDi is competitive for cross-browser scraping. Selenium 4+ supports BiDi.
What is the impact of Chrome’s privacy sandbox on scraping?
It tightens the fingerprintable surface. Some bot detection signals weaken; some new ones emerge. Continuous testing required.
Should I use new headless or real Chrome?
New headless is closer to real Chrome and is the supported path. Use real Chrome only when detection budget demands it.
What is the future of CDP after BiDi matures?
CDP coexists with BiDi indefinitely; Chromium will continue to expose both. BiDi is the cross-browser standard; CDP is the Chromium-deep option.
Extended CDP and BiDi analysis
The Chrome DevTools Protocol (CDP) and WebDriver BiDi diverged sharply between 2024 and 2026. CDP remains Chrome-specific. BiDi is the cross-browser standard backed by W3C with implementations in Chrome, Firefox, and WebKit (in progress).
The 2024-2026 changes that affected scrapers are.
- Chrome 124 (April 2024) deprecated several CDP domains in favour of BiDi-equivalent commands.
- Chrome 130 (October 2024) added BiDi support for network interception that was previously CDP-only.
- Firefox 128 (July 2024) reached BiDi parity for the most common scraping operations.
- The W3C BiDi specification reached Candidate Recommendation in late 2025.
For scrapers the practical implication is that new code should target BiDi for cross-browser portability. Existing CDP code should migrate over a 12-24 month window.
Migration pattern: CDP to BiDi
// Before (CDP)
const cdpSession = await page.context().newCDPSession(page);
await cdpSession.send("Network.enable");
cdpSession.on("Network.requestWillBeSent", event => {
console.log("CDP request:", event.request.url);
});
// After (BiDi)
const browser = await playwright.chromium.launch();
const context = await browser.newContext();
const page = await context.newPage();
context.on("request", request => {
console.log("BiDi request:", request.url());
});
Network interception in BiDi
await page.route("**/*api*", async route => {
const request = route.request();
const body = request.postData();
const modified = body.replace("limit=10", "limit=100");
await route.continue({ postData: modified });
});
await page.route("**/api/data", async route => {
await route.fulfill({
status: 200,
contentType: "application/json",
body: JSON.stringify({ items: [] }),
});
});
Detection signals from CDP and BiDi
Bot detectors look for several signals that distinguish automated browsers.
- navigator.webdriver returns true under both CDP and BiDi unless patched.
- The presence of cdc_ properties on the document (older Selenium signature).
- The Runtime.evaluate domain enabled via CDP.
- TLS fingerprints distinct from production browser builds.
- Mouse and keyboard event timing distributions.
The 2026 counter-detection toolkit includes patched Chromium builds (puppeteer-extra-plugin-stealth maintained, undetected-chromedriver, rebrowser-puppeteer), residential proxies, and human-jitter event timing.
Pattern: jitter for action timing
async function humanType(page, selector, text) {
await page.click(selector);
for (const char of text) {
await page.keyboard.type(char);
await page.waitForTimeout(50 + Math.random() * 150);
}
}
async function humanScroll(page, totalDelta) {
let scrolled = 0;
while (scrolled < totalDelta) {
const step = 100 + Math.random() * 200;
await page.mouse.wheel(0, step);
scrolled += step;
await page.waitForTimeout(200 + Math.random() * 500);
}
}
Comparison: CDP vs WebDriver Classic vs WebDriver BiDi 2026
| Feature | CDP | WD Classic | WD BiDi |
|---|---|---|---|
| Cross-browser | Chrome only | Cross-browser | Cross-browser |
| Bidirectional events | Yes | No | Yes |
| Network interception | Mature | Limited | Mature 2025 |
| Performance | Highest | Lower | Comparable to CDP |
| Standardised | No | W3C | W3C |
| Future direction | Maintenance | Maintenance | Active development |
What about WebRTC and WebTransport
WebRTC and WebTransport are emerging as scraping targets for real-time data (chat, sports scores, finance). The 2026 toolkit includes.
- node-webrtc and aiortc for programmatic WebRTC peer connections.
- The WebTransport API in Chromium for HTTP/3 stream-based scraping.
- Direct QUIC libraries for lower-level access.
Scraping these protocols is meaningfully harder than HTTPS scraping because the connection state is richer and signalling is more complex.
Additional FAQ
Should I migrate from CDP to BiDi now?
Yes for new projects. For existing CDP code migrate as the BiDi equivalent reaches parity for your use case.
Does BiDi defeat bot detection?
No by itself. Detectors look at the same browser-level signals regardless of protocol.
What about Playwright vs Puppeteer in 2026?
Both ship BiDi support. Playwright has stronger cross-browser story. Puppeteer has tighter Chrome integration.
How do I test for protocol regressions?
Pin the browser version in CI. Run a smoke test suite per browser per channel (stable, beta, dev) to catch upstream breakage early.
Common pitfalls when migrating CDP scrapers to BiDi
The migration looks clean on paper, but the failure modes in production cluster around a handful of patterns that engineers consistently underestimate. Understanding them up front saves weeks of intermittent breakage.
The first pitfall is assuming feature parity exists when it does not. As of mid-2026, BiDi reached parity with CDP for navigation, screenshots, basic network interception, and script evaluation, but it lags CDP for low-level operations like Target.attachToTarget for service workers, fine-grained Performance.getMetrics access, and several Page.* events around lifecycle that mature scrapers depend on for retry logic. Scrapers that orchestrate multiple tabs, frames, or workers at the protocol layer will hit gaps. The mitigation is to build a thin compatibility shim that falls back to CDP for the gap operations while BiDi handles the bulk of the workload.
The second pitfall is event ordering. CDP delivers Network.* events in a documented sequence (requestWillBeSent, then responseReceived, then loadingFinished). BiDi’s network module emits a similar but not identical sequence, and the ordering guarantees are weaker for chunked responses. Scrapers that match request and response pairs by sequence position will see misaligned data. Match by request ID instead.
The third pitfall is target lifecycle. CDP’s Target.* domain provides explicit attach and detach semantics that scrapers use to follow popups and new windows. BiDi’s session and browsingContext model is different, and Playwright’s higher-level abstractions hide the difference but do not eliminate it. If the scraper opens many windows or follows OAuth-style redirects across browsing contexts, expect to rewrite the orchestration loop.
The fourth pitfall is error reporting. CDP errors are typed JSON-RPC errors with stable error codes. BiDi errors are W3C-defined and use different codes for similar conditions. Scraper retry logic that branches on error codes needs an error code translation layer for the migration period.
The fifth pitfall is browser version coupling. BiDi support varies by Chrome and Firefox version. A scraper that works on Chrome 130 BiDi may break on Chrome 128 BiDi. Pin the browser version in containers, validate on the next two stable channels in CI, and refuse to run on unverified or untested versions in production.
The Chrome DevTools Protocol architecture
The Chrome DevTools Protocol exposes Chromium’s internals to external clients via WebSocket-based RPC. The protocol is organised into domains (Network, Page, Runtime, DOM, etc.), each containing methods and events. A client sends method calls and receives results plus events.
CDP was originally designed for the Chrome DevTools UI but became the de facto automation protocol for headless Chromium. Puppeteer (introduced 2017) and Playwright (introduced 2020) both build on CDP. Selenium added CDP support alongside its WebDriver-based automation.
The protocol’s tight coupling to Chromium internals is its strength and its weakness. Clients have access to fine-grained control that other protocols lack. The trade-off is that the protocol is Chrome-only and changes with each Chromium release.
The 2024-2026 changes that affected scrapers were largely driven by Chromium’s internal evolution. Domains that wrapped specific implementation details were deprecated when those details changed. Replacement domains exposed the new internal structures with similar but not identical interfaces.
WebDriver BiDi as the cross-browser successor
WebDriver BiDi is the W3C standard that intends to be the cross-browser successor to CDP. BiDi adds bidirectional communication to the existing WebDriver Classic protocol, enabling event-driven automation that CDP supports but WebDriver Classic does not.
BiDi reached Candidate Recommendation in late 2025. Implementations exist in Chrome (Chromium-based), Firefox (Geckodriver-based), and WebKit (in progress). The implementations vary in completeness, with Chrome and Firefox closest to parity.
For scrapers BiDi solves the cross-browser fragmentation problem. A scraper written against BiDi runs against Chrome, Firefox, and eventually Safari without code changes. The portability is meaningful for teams that test against multiple browsers or that want to switch browsers as detection landscapes evolve.
BiDi has performance comparable to CDP in 2026. Early implementations had higher latency, but optimisation has narrowed the gap. The remaining performance gap is task-specific, generally favouring CDP for high-frequency event scenarios and BiDi for control-flow-heavy scenarios.
Network interception parity
Network interception (intercepting requests, modifying headers, mocking responses) is the most-used CDP feature in scraping. CDP supported it from the beginning. WebDriver BiDi added comparable functionality through a 2025 update.
The BiDi network interception API uses the addIntercept and continueRequest patterns. A client adds an intercept matching a URL pattern, receives requestPaused events when matching requests fire, and continues or fulfils each request. The API maps cleanly onto Playwright’s existing route function.
The 2026 best practice for new scraping code is to use Playwright’s BiDi-backed network interception rather than CDP. Existing code can stay on CDP for the lifetime of the project. Migration is recommended when other reasons drive a refactor.
Detection and the protocol-level signal
Bot detection vendors look at protocol-level signals to identify automated browsers. CDP usage leaves traces that detectors can find. BiDi usage leaves different traces. Both are detectable.
The 2026 detection patterns include checking for the presence of specific runtime features that automation enables, looking for timing patterns characteristic of automation libraries, and probing for behaviours that humans rarely exhibit. None of the detection methods is foolproof, but together they create a strong signal.
Counter-detection in 2026 typically includes patched browsers (puppeteer-extra-plugin-stealth, undetected-chromedriver, rebrowser-puppeteer), residential proxies for IP-level evasion, and human-like timing for behavioural evasion. The arms race continues with neither side decisively winning.
A 2026 trend that affects the calculus is the increasing acceptance of agent traffic by large platforms. A site that recognises a verified agent presenting a signed identity may grant access without the heavy-handed bot detection that anonymous scrapers face. The shift moves the detection question from how to evade detection to how to participate in the verified-agent ecosystem.
Next steps
If your pipeline is Puppeteer-based and you have not evaluated Playwright in two years, this quarter is the right time. The cross-browser ergonomics and BiDi-readiness pay off through the 2026-2027 protocol transitions. For broader emerging-tech context, head to the DRT emerging-tech hub and pair this with the agentic browser revolution guide.
This guide is informational, not engineering or legal advice.