Local Frames: Exploiting Inherited Origins to Bypass Content Blockers

Source: arXiv:2506.00317 · Published 2025-05-31 · By Alisha Ukani, Hamed Haddadi, Alex C. Snoeren, Peter Snyder

TL;DR

This paper investigates a systemic vulnerability in popular Web privacy and security tools: their mishandling of local frames, that is, iframes whose document is not fetched from the network (for example about:blank or about:srcdoc). The HTML specification gives such a frame the origin of its parent document, but many content blockers attribute a different origin to it. Because content blockers rely on frame origin to decide where to apply request blocking, resource replacement, scriptlet injection, and cosmetic filtering, this misattribution lets websites bypass those defenses and run tracking scripts and ads undetected. The authors design a set of empirical tests and apply them to six widely used tools (Brave Browser, AdGuard, uBlock Origin Lite, AdBlock Plus, Safari Content Blocking, and DuckDuckGo), uncovering 19 distinct vulnerabilities. A large-scale crawl of 21,965 websites finds local frames on 56% of sites; 73.7% of the network requests issued from local frames match rules on major filter lists, so they would be blocked in an ordinary frame but evade blockers that misattribute local-frame origins, and 14.3% of all sites studied make such requests. After coordinated disclosure, several tools have released patches to fix these issues.

The results reveal a substantial and underappreciated attack vector against privacy tools stemming from the complex interaction between legacy Web iframe behavior and browser security boundaries. This work highlights the fragility of approaches that rely on URL-based origin attribution and static filter lists, and motivates reconsideration of content-blocking designs to correctly handle inherited origins in local frames. The authors also contribute reusable test pages and methodologies to evaluate content blockers' handling of local frames.

Key findings

  • 56% of 21,965 crawled websites use local frames (about:blank or about:srcdoc) on at least one page.
  • 73.7% of requests made from local frames matched rules on popular filter lists (EasyList, EasyPrivacy, uBlock Origin's lists), yet evade blockers that misattribute the frame's origin.
  • 14.3% of all studied sites made requests that should be blocked within local frames, effectively enabling evasion.
  • All six studied privacy tools have at least one vulnerability related to local frame origin mishandling, totaling 19 distinct flaws.
  • Brave's iOS browser applies no request blocking at all inside local frames, so any request a local frame makes bypasses it.
  • AdGuard assigns the first-party origin to local frames nested inside third-party iframes; rules meant for the first-party page are then applied to third-party content, causing both tracking exposure and site breakage.
  • Scriptlet injection and cosmetic filtering can be evaded in Brave, AdGuard, AdBlock Plus iOS app, Safari Content Blocking, and uBlock Origin Lite, enabling ads and tracking calls that should be blocked to run.
  • DuckDuckGo blocks tracking requests inside local frames correctly but fails to report these blocks to users as done for normal frames.

Threat model

The adversary is a website that attempts to evade the content-blocking and privacy protections the user has installed, including filter-list-based blocking of tracking and ads. The adversary knows that content blockers inspect the origin of a frame to decide whether its content should be blocked, and deliberately structures the page around local frames (iframes whose source is about:blank or another local URL) to subvert that origin attribution. The adversary cannot modify browser internals but controls all web content and JavaScript on its page, including the creation of nested iframes and the network requests they make. The adversary does not control the user's browser settings or extensions; it can only try to evade them through legitimate web functionality.

Methodology — deep read

The authors first define their threat model: a website attempting to evade user-installed privacy tooling, specifically content blockers that combine frame origin with blocklists to decide which protections to apply. The adversary controls the page content and may create local frames dynamically. Per the HTML specification, a local frame inherits the origin of its parent document, and blockers depend on that origin being known; many tools, however, compute the frame's origin from its URL (about:blank) or from the wrong ancestor, so protections scoped to the real origin are skipped or misapplied.

Data provenance: the authors crawled 21,965 websites sampled from the Tranco top-sites list, spanning ranks from the top 1K down to rank 1 million. The crawl ran from AWS EC2 nodes using a custom Chromium-based crawler (PageGraph) that hides automation artifacts (e.g., navigator.webdriver) to avoid detection bias. For each site, the root page was visited and observed for 30 seconds of loading and script execution, recording a graph of DOM events, script calls, and network requests. From this graph, local frames were identified and categorized as first-party or third-party.

To test content blockers empirically, the authors built HTML test pages modeling a main site, firstparty.com, that contains nested local frames as well as third-party iframes which in turn contain local frames (Listing 2). These frames attempt to load scripts and issue requests that filter lists mark for blocking. By observing whether the scripts execute or the requests succeed, the authors determine whether each blocking capability (request blocking, resource replacement for AJAX, scriptlet injection, cosmetic filtering) is enforced inside local frames. For each tool, the test pages were loaded with the blocker active and the DOM was checked, visually or via script, for signs of blocking failure.

The authors studied six widely used tools spanning browsers and extensions: the Brave browser, AdGuard, uBlock Origin Lite, AdBlock Plus for iOS, Safari Content Blocking (used by iOS apps), and the DuckDuckGo browser. Filter lists included EasyList, EasyPrivacy, and the lists maintained by uBlock Origin. Tests for each capability were repeated for first-party local frames, third-party local frames, and nested local frames.

Analysis of third-party local frames included mapping frames to owning organizations via the Disconnect entity list to understand prevalent trackers packaging content inside local frames.

The authors disclosed all 19 vulnerabilities to the respective projects before publication. Brave, Safari, AdGuard, and DuckDuckGo have patched their tools, while uBlock Origin Lite and AdBlock Plus have acknowledged the issues. The full test code and data are available at https://osf.io/9yq57.

A concrete example test: for request blocking, a page containing first-party and third-party frames, each loading two scripts (one allowed and one matched by a filter-list rule), is loaded. Without protection, all scripts run and each adds visible text. With correct blocking, the matched scripts fail to load and add no text. Several tested tools fail to block the matched script inside the third-party local frame, so its text appears, demonstrating the evasion.
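To make the attribution failure behind these tests concrete, the following JavaScript (an added illustration for this summary, not code from the paper or from any of the blockers studied) models a frame tree with three ways of assigning an origin to a local frame and applies two filter rules under each. The hostnames (firstparty.com, widget.thirdparty.example, cdn.tracker.example), the two rules, and the rule-matching logic are constructed and simplified; real blockers implement the full filter syntax and use the Public Suffix List.

```javascript
// Model of frame-origin attribution in a content blocker and its effect on rule matching.
// Illustrative code for this summary, not from the paper or any blocker: the frame tree,
// hostnames and rules below are constructed examples.

// Local frames in the paper's sense: documents not fetched from the network.
function isLocalFrame(url) {
  return url === "about:blank" || url === "about:srcdoc";
}

// Hostname of a network URL, or "" for anything without a host (about:, data:, ...).
function hostOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:" ? u.hostname : "";
  } catch {
    return "";
  }
}

// A node in a hypothetical frame tree: the frame's document URL and its parent frame.
function makeFrame(url, parent = null) {
  return { url, parent };
}

// Strategy 1 (buggy): derive the origin from the frame's own document URL.
// A local frame then has no host, so nothing site-scoped can match inside it.
function naiveOrigin(f) {
  return hostOf(f.url);
}

// Strategy 2 (buggy): give every local frame the top-level document's origin.
// A local frame nested inside a third-party iframe is then treated as first-party.
function topLevelOrigin(f) {
  if (!isLocalFrame(f.url)) return hostOf(f.url);
  let t = f;
  while (t.parent) t = t.parent;
  return hostOf(t.url);
}

// Strategy 3 (spec behaviour): a local frame inherits the origin of the nearest
// ancestor whose document was actually loaded from a URL.
function inheritedOrigin(f) {
  let cur = f;
  while (cur && isLocalFrame(cur.url)) cur = cur.parent;
  return cur ? hostOf(cur.url) : "";
}

// Crude registrable-domain approximation (last two labels); a real blocker uses the
// Public Suffix List. Sufficient for the .com / .example hosts constructed here.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Site-scoped rule (cosmetic "example.com##.ad" or scriptlet "example.com##+js(...)"):
// applies only when the frame's origin is a listed domain or a subdomain of one.
function siteRuleApplies(rule, frameHost) {
  if (!frameHost) return false;
  return rule.domains.some((d) => frameHost === d || frameHost.endsWith("." + d));
}

// Network rule with the $third-party option: blocks only when the request's site differs
// from the frame's site. With an unknown frame host the comparison is impossible and the
// rule is skipped (model assumption), which is how the request slips through.
function networkRuleBlocks(rule, requestUrl, frameHost) {
  const reqHost = hostOf(requestUrl);
  const hostMatches = reqHost === rule.host || reqHost.endsWith("." + rule.host);
  if (!hostMatches) return false;
  if (!rule.thirdParty) return true;
  if (!frameHost) return false;
  return site(reqHost) !== site(frameHost);
}

// Evaluate one frame under one attribution strategy.
function evaluate(frameNode, attribute, rules, requestUrl) {
  const origin = attribute(frameNode);
  return {
    origin,
    cosmeticApplied: siteRuleApplies(rules.cosmetic, origin),
    requestBlocked: networkRuleBlocks(rules.network, requestUrl, origin),
  };
}

// Constructed scenario mirroring the test layout: firstparty.com embeds a local frame
// directly and also embeds a third-party widget that itself opens a local frame.
const topDoc = makeFrame("https://firstparty.com/");
const localInTop = makeFrame("about:blank", topDoc);
const widget = makeFrame("https://widget.thirdparty.example/embed", topDoc);
const localInWidget = makeFrame("about:blank", widget);

const RULES = {
  cosmetic: { domains: ["firstparty.com"] },                   // firstparty.com##.ad
  network: { host: "cdn.tracker.example", thirdParty: true },   // ||cdn.tracker.example^$third-party
};
const TRACKER_SCRIPT = "https://cdn.tracker.example/t.js";

for (const [name, attribute] of Object.entries({ naiveOrigin, topLevelOrigin, inheritedOrigin })) {
  console.log(name, "first-party local frame:", evaluate(localInTop, attribute, RULES, TRACKER_SCRIPT));
  console.log(name, "third-party nested local frame:", evaluate(localInWidget, attribute, RULES, TRACKER_SCRIPT));
}
```

Run it with node. Under the naive strategy the tracker script inside the first-party local frame is not blocked and the site-scoped cosmetic rule is not applied, which is the evasion the test pages detect; under the top-level strategy the first-party cosmetic rule is injected into the third-party widget's local frame, the misapplication described for AdGuard above; only the inherited strategy gets both frames right.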

Evaluation metrics include pass/fail of blocking behavior with regard to local frames, prevalence statistics of local frames and requests on the 21,965 sites, and attribution of evading requests to specific entities. No formal statistical tests or machine learning methods were used as this is an empirical security evaluation.

Reproducibility is strong: all code and crawl data needed to replicate the tests and measurements are publicly available. The filter lists used are public but change over time, so exact match counts depend on the list versions current at crawl time. The crawler is built on an open-source Chromium fork, and no closed datasets were used.

Overall, the methodology combines: extensive large-scale empirical measurement of frame usage and evasion on the Web, detailed construction of test sites to isolate capabilities, and coordinated vulnerability disclosure and patch verification with major content-blocking tools.

Technical innovations

  • Identifying local frames ('about:blank' iframes) as a systemic vulnerability vector due to incorrect origin inheritance assumptions by content blockers.
  • Developing a test framework with controlled nested iframe structures to empirically evaluate multiple content blocking capabilities against local frame origin errors.
  • Large-scale measurement showing real-world prevalence of local frames enabling evasion on over 14% of popular sites, connecting theory to practice.
  • Mapping third-party local frames to tracker entities via the Disconnect list to identify which advertising and analytics companies most often have content running inside local frames.

Datasets

  • Tranco top-sites list sampling 21,965 websites — public — http://tranco-list.eu/
  • Local frames crawl data including network requests, DOM events, and scripts from 21,965 websites — public — https://osf.io/9yq57

Baselines vs proposed

  • Brave iOS browser: request blocking in local frames disabled (no blocking) vs fixed version: blocking applied correctly
  • AdGuard: third-party nested local frames incorrectly inherit the first-party origin, leading to rule misapplication vs patched version: origin inherited correctly
  • DuckDuckGo: tracking requests inside local frames blocked but user notifications absent vs ideal: notifications should also be presented
  • AdBlock Plus iOS app: cosmetic filtering evaded inside local frames vs after acknowledgement: patches pending
  • Safari Content Blocking: cosmetic filtering bypassed by local frames vs after patch: filters correctly applied

Limitations

  • Tests focused mainly on 'about:blank' local frames; other local frame URI schemes (e.g., blob, data) were rare and less studied.
  • Evaluation limited to six popular tools; results may not generalize to all content blockers or emerging tools.
  • No formal adversarial adaptation analysis or red-team style attacks beyond origin inheritance issues.
  • Measurement cannot determine intent behind websites' use of local frames for evasion—benign versus malicious use ambiguous.
  • No longitudinal measurement to see if sites adapt to patched tools or if new evasion methods appear post-disclosure.
  • Some tests use simplified synthetic pages and so may not cover all real-world code paths or complex web architectures.

Open questions / follow-ons

  • How can content blockers redesign origin computation to correctly and robustly handle all types of local frames and non-standard URIs?
  • Can detection methods leveraging dynamic analysis or behavior-based heuristics reliably identify tracking code inside local frames, circumventing brittle filter-list matching?
  • Would browser-level changes to iframe origin specifications or enforcement reduce this class of evasion without sacrificing web compatibility?
  • What is the impact of local-frame evasion on user privacy in the longer term, e.g., after mass patch deployments and adaptive adversary responses?

Why it matters for bot defense

Bot-defense and CAPTCHA practitioners rely on browser privacy and integrity signals to distinguish legitimate users from automated attackers. This paper exposes a blind spot in content blockers: misattributed origins in local frames let page content, including the fingerprinting and tracking scripts such systems often depend on, run where the user expected it to be blocked. Practitioners should therefore not assume that a script observed inside a local frame was subject to the user's blocking configuration, and should treat signals derived from content blocking or tracking protection in those frames as lower fidelity. Detection techniques that account for local-frame evasion, for example by resolving a frame's origin through its parent chain rather than from its URL, are more robust against tracker-driven behavioral fingerprinting and script-based automation.

CAPTCHA and anti-bot widgets are themselves commonly delivered in iframes, so their integration inside local frames deserves the same care: a component that checks the embedding origin must resolve inherited origins rather than trusting the frame's URL, or it can be misled in the same way the blockers were. This calls for explicit testing of iframe-based interactions in the local-frame case, and it means that any security mechanism relying on strict origin controls must account for local-frame semantics to avoid subtle evasion paths.

Cite

@article{arxiv2506_00317,
  title={Local Frames: Exploiting Inherited Origins to Bypass Content Blockers},
  author={Alisha Ukani and Hamed Haddadi and Alex C. Snoeren and Peter Snyder},
  journal={arXiv preprint arXiv:2506.00317},
  year={2025},
  url={https://arxiv.org/abs/2506.00317}
}

Articles are CC BY 4.0 — feel free to quote with attribution