Saved in:
Bibliographic Details
Main Authors: Ukani, Alisha, Haddadi, Hamed, Snoeren, Alex C., Snyder, Peter
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.00317
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908429780516864
author Ukani, Alisha
Haddadi, Hamed
Snoeren, Alex C.
Snyder, Peter
author_facet Ukani, Alisha
Haddadi, Hamed
Snoeren, Alex C.
Snyder, Peter
contents We present a study of how local frames (i.e., iframes loading content like "about:blank") are mishandled by a wide range of popular Web security and privacy tools. As a result, users of these tools remain vulnerable to the very attack techniques against which they seek to protect themselves, including browser fingerprinting, cookie-based tracking, and data exfiltration. The tools we study are vulnerable in different ways, but all share a root cause: legacy Web functionality interacts with browser privacy boundaries in unexpected ways, leading to systemic vulnerabilities in tools developed, maintained, and recommended by privacy experts and activists. We consider four core capabilities supported by most privacy tools and develop tests to determine whether each can be evaded through the use of local frames. We apply our tests to six popular Web privacy and security tools -- identifying at least one vulnerability in each for a total of 19 -- and extract common patterns regarding their mishandling of local frames. Our measurement of popular websites finds that 56% employ local frames and that 73.7% of the requests made by these local frames should be blocked by popular filter lists but instead trigger the vulnerabilities we identify. From another perspective, 14.3% of all sites that we crawl make requests that should be blocked inside of local frames. We disclosed these vulnerabilities to the tool authors and discuss both our experiences working with them to patch their products and the implications of our findings for other privacy and security research.
format Preprint
id arxiv_https___arxiv_org_abs_2506_00317
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Local Frames: Exploiting Inherited Origins to Bypass Content Blockers
Ukani, Alisha
Haddadi, Hamed
Snoeren, Alex C.
Snyder, Peter
Cryptography and Security
We present a study of how local frames (i.e., iframes loading content like "about:blank") are mishandled by a wide range of popular Web security and privacy tools. As a result, users of these tools remain vulnerable to the very attack techniques against which they seek to protect themselves, including browser fingerprinting, cookie-based tracking, and data exfiltration. The tools we study are vulnerable in different ways, but all share a root cause: legacy Web functionality interacts with browser privacy boundaries in unexpected ways, leading to systemic vulnerabilities in tools developed, maintained, and recommended by privacy experts and activists. We consider four core capabilities supported by most privacy tools and develop tests to determine whether each can be evaded through the use of local frames. We apply our tests to six popular Web privacy and security tools -- identifying at least one vulnerability in each for a total of 19 -- and extract common patterns regarding their mishandling of local frames. Our measurement of popular websites finds that 56% employ local frames and that 73.7% of the requests made by these local frames should be blocked by popular filter lists but instead trigger the vulnerabilities we identify. From another perspective, 14.3% of all sites that we crawl make requests that should be blocked inside of local frames. We disclosed these vulnerabilities to the tool authors and discuss both our experiences working with them to patch their products and the implications of our findings for other privacy and security research.
title Local Frames: Exploiting Inherited Origins to Bypass Content Blockers
topic Cryptography and Security
url https://arxiv.org/abs/2506.00317