Local Frames: Exploiting Inherited Origins to Bypass Content Blockers

We present a study of how local frames (i.e., iframes with non-URL sources like "about:blank") are mishandled by a wide range of popular Web security and privacy tools. As a result, users of these tools remain vulnerable to the very attack techniques they seek to protect against, including browser fingerprinting, cookie-based tracking, and data exfiltration. The tools we study are vulnerable in different ways, but all share a root cause: legacy Web functionality interacting with browser privacy boundaries in unexpected ways, leading to systemic vulnerabilities in tools developed, maintained, and recommended by privacy experts and activists.

@article{ukani2025_2506.00317,
  title={ Local Frames: Exploiting Inherited Origins to Bypass Content Blockers },
  author={ Alisha Ukani and Hamed Haddadi and Alex C. Snoeren and Peter Snyder },
  journal={arXiv preprint arXiv:2506.00317},
  year={ 2025 }
}