Hah, this didn't cover window.webdriver, and I was about to post that you can still use that (since I assumed window properties weren't deletable) but... window properties are deletable. Cool.

How do you ensure that your deletion code runs in the context of the hosted page but before that page can run any of its own code?

From the original article, you put a proxy in front of Chrome headless and inject the deletion code into the HTML of each page before any JS loaded by the page.

So now the page needs to checksum itself once loaded to detect tampering.

Or you could just rewrite the JS that does the checksumming to return true.

You'd get false positives from e.g. extensions modifying the page.

Which, for 99% of extension-equipped users, will be just an ad blocker, i.e. something the websites don't want to deal with either.

The arms race goes on.