
AdBlocking: Why a Client Side Solution Will Never be Good Enough


According to the EasyList policy, “Domains specifically serving adverts should be blocked on all third-party websites”.

In this document, we looked at a variety of ad re-insertion techniques that focus on the ad domain source in response to ad blocking. We followed several sites that re-inserted ads by changing and randomizing their ad resource URLs, by using the WebSocket protocol plus Base64 techniques, and by trying to take advantage of other temporary extension exploits.

We have seen that using these techniques leads ad blockers to escalate their filters dramatically in order to block reinsertion ads.

We found that when sites changed their domain name frequently, ad blockers responded by blocking entire groups of domain extensions (such as any domain ending in .xyz, .site, .info or .website, and the Amazon S3 domain s3.amazonaws.com), and even by arbitrarily blocking any third-party domains, scripts and images on these sites. This severely restricts a website’s capabilities (for example, it limits the publisher's ability to run analytical tools and to offer certain new services).

This fact is changing the paradigm from a situation where blockers determine which domains are forbidden to one where they determine which domains are permissible.

Example: Blocking any third-party resource on jpost.com:


Source: https://easylist.to/easylist/easylist.txt, November 2016.

Sites that have adopted WebSocket protocol plus Base64 techniques lead ad blockers to use new blocking methods, such as changing the website's CSP (Content Security Policy) header, which provides a standard method for site owners to declare the approved origins of content that browsers should be allowed to load on that website. The ad-blocking software overrides the site owner's original setting and enforces a new CSP that prevents any loading of HTML5 media or WebSocket resources from any source (for example through child-src or frame-src), which severely restricts part of the website’s capabilities.

Example: Override the original site CSP:

EasyList GitHub - Blocking WebSockets by adding a connect-src restriction:


Source: https://github.com/adblockplus/adblockpluschrome/blob/f4225ac4869e2cffa1dce38829a5c58cd52d2d81/lib/csp.js

WebSocket ads - EasyList rules:


Override the original site CSP in tomsguide.com:

Sources: https://easylist.to/easylist/easylist.txt, www.tomsguide.com; November 2016.
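The effect of the connect-src restriction described above can be reproduced with a small policy evaluator. This is an added example, not code from the original page or from adblockpluschrome; the policy strings and host names are constructed, and the matcher is simplified to scheme sources and scheme-plus-host sources (keywords such as 'self' are not modelled).

```javascript
// CSP lets a source's scheme match a more secure variant of itself (simplified table).
const SCHEME_UPGRADES = { http: ["https"], ws: ["wss"] };

// Parse one CSP header value into a Map: directive name -> list of source expressions.
function parsePolicy(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Match "scheme:" or "scheme://host" against a URL. Anything else counts as no match.
function sourceMatches(source, url) {
  const target = new URL(url);
  const urlScheme = target.protocol.slice(0, -1);
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/(.+))?$/i.exec(source);
  if (!m) return false;
  const scheme = m[1].toLowerCase();
  const schemeOk = scheme === urlScheme || (SCHEME_UPGRADES[scheme] || []).includes(urlScheme);
  return schemeOk && (m[2] === undefined || m[2].toLowerCase() === target.host);
}

// One policy: connect-src governs fetch/XHR/WebSocket, falling back to default-src.
function policyAllowsConnect(headerValue, url) {
  const policy = parsePolicy(headerValue);
  const sources = policy.get("connect-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // this policy does not restrict connections
  return sources.some((s) => sourceMatches(s, url));
}

// Several CSP headers are enforced together: a connection must pass every one of them,
// so a header appended by an extension can only narrow what the site's own policy allows.
function connectAllowed(headerValues, url) {
  return headerValues.every((h) => policyAllowsConnect(h, url));
}

// Constructed sample: the site's own policy explicitly permits one WebSocket endpoint.
const SITE_CSP = "default-src https:; connect-src https: wss://push.example.test";
// Constructed sample of an appended policy that lists only HTTP(S) schemes.
const INJECTED_CSP = "connect-src http: https:; child-src http: https:; frame-src http: https:";

console.log("site only:", connectAllowed([SITE_CSP], "wss://push.example.test/feed"));
console.log("site + injected:", connectAllowed([SITE_CSP, INJECTED_CSP], "wss://push.example.test/feed"));
```

Because the added policy names no ws: or wss: source, every WebSocket connection fails it regardless of what the site's own header permits, while ordinary HTTPS requests still pass both.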

Our conclusion, which supports the use of a first-party domain, is not currently an industry norm, but we trust our methodology, which included the widest possible variety of case studies, to serve as a compass and to strengthen what we believe is the optimal and most sustainable long-term solution.

The Secured Ads Layer Web Application Platform we developed at ChameleonX protects desktop and mobile browsers from ad blocking, unauthorized third-party ads, and malware attacks. Our open approach is designed to integrate with other third-party technologies, including valuable analytic and verification systems.
