Hacker News new | past | comments | ask | show | jobs | submit login
The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion (arxiv.org)
115 points by spenvo 37 days ago | hide | past | favorite | 82 comments

CNAME-tracking is a relatively new phenomenon, where ad marketing firms (led by Salesforce and Adobe) are convincing sites to tweak CNAME records in order to get browsers to send a domain's cookie data (yes, security implications here are severe). This tracking method has become increasingly popular with tens of thousands of high-traffic sites utilizing it, and browsers have no built-in defenses against it. A more at-length layman's explanation can be found here, starting on page 8 https://www.grc.com/sn/sn-808-notes.pdf

But as the title hits upon, there is one countermeasure that uBlock Origin has implemented for its Firefox extension. But unlike Firefox, Chrome does not provide robust enough extension APIs for the countermeasure to work there. Chrome users are currently completely susceptible to having private cookie data stolen on thousands of high-traffic sites. Even in the case of this countermeasure though, it does seem insufficient as it's essentially a whack-a-mole game. Browsers must prioritize shutting this down in a more foolproof way, and I can't imagine an easy way to do that.

The submitted title ("CNAME tracking's a disaster. uBlock Origin blocks it in FF. Chrome users are SOL") broke the site guidelines. Accounts that do that eventually lose submission privileges, so please don't do that. It looks like a fine submission otherwise!

"Please use the original title, unless it is misleading or linkbait; don't editorialize."


Thanks dang, sorry—I blanked out on that rule and will try to remember moving forward (I think I’ve made this mistake before). Cheers


Appreciate you raising awareness about this!

Seems like one more nail in the coffin for Chrome versus alternatives which have a higher degree of people's true best interests at heart.

As a side note, this really deserves a blog post or singular site/page that explains the issue in a simple enough way so the word can spread.

I very much doubt that. Not only do more and more people use Chrome but even on HN you see lots of people using and recommending both Chrome but also derivatives like Brave. When Firefox is dead Google will IMO kill off what little API access is left to block tracking and ads effectively.

And how many of the people using Firefox use it with uBlock? I know I don't :)

Another nail? I’ve been hearing that for 10 years - be interesting to see if chrome usage drops a lot. With edge now chromium based I’ve been seeing usage go up not down

Anecdotally, I switched to FF after the manifest v3 changes were announced.

Chrome is the new IE. Everybody knows it's bad, but it's standard.

Except web developers love Chrome, which is why Google might actually win control of the web.

Webdev here, chrome was a breath of fresh air in the IE era, there was nothing close for dev tools. But after Firefox rewrote their rendering engine I switched to it as my personal browser, that plus the UI rewrite plus the immensely better privacy features made it more and more comfortable for personal browsing. Then I noticed the dev tools at some point had also been considerably upgraded to the point that for most work it pretty much has feature parity - so here's my anecdote, the tables have turned and I develop in Firefox, then test in chrome.

One of the main things i've noticed is a very jagged divide in performance. Firefox's renderer is generally faster and has fewer bugs, but with some APIs like canvas it's a mixed bag, some things are very slow due to significant implementation differences such as fillText. Even for the JS engine it's not so clear cut, everyone thinks of V8 as the king, but there are some cases that chromes optimizer is extremely sensitive to such as global variables.

> Webdev here, chrome was a breath of fresh air in the IE era, there was nothing close for dev tools.

Firebug was amazing, and predates Chrome by two years.

The same web devs that put all the tracking scripts into their websites so that more time and data is used for tracking and ads than for content. And then I got a website where I can't click the link I wanted to click because in that moment the link jumps down to make room for the ad. I thought it was all about UX not DX.

Yeah, from where I sit Chrome is the absolute first target, regardless of how many nails are being nailed into its coffin.

There is some thought that if Apple opens up iOS a bit Chrome could make more headway there as well.

Numbers I've heard are Chrome - 60%, Firefox < 5%.

Amen. FF’s dev tools are like Windows 95 to Chrome’s Windows 7.

How can browsers defend against sites giving away their own private cookies to trackers? They could just as well send the data from the server side.

This is false. Safari and Firefox both have strong third party cookie protections that prevent linking identities across different sites.

At this point, the only way an ad network can tell that the same user is on Website A and Website B is if both site owners tell the ad network the current user's email address or other common identifier.

If both sites are opting into this, CNAME protections won't do anything.

The CNAMEs change it to a same site / first party relationship. It says it right in the article summary. I assume the way it works is that instead of `tracking.example.com` where everyone can block `example.com`, they have users set up CNAMEs instead. So you get:

- extras.example.net --> tracking company IP behind a huge CDN

- awesone.example.org --> tracking company IP behind a huge CDN

The sites are different, but when you visit them you're hitting the tracking servers who get to see you hit both sites. Even worse, they can set cookies on the the domain, which is why someone else said there are security implications.

I've been saying it for years. Eventually everything will appear to be first party and hitting huge CDN IPs. It's easy to do right now already. Go read the Cloudflare blog article on proxying Google Fonts via Workers. Then think about the Cloudflare Apps and how easy it would be to build an app that rotated first party CNAMES and used Workers to dynamically rewrite HTML to proxy the tracking to ad companies.

TLDR; We're super screwed.

Nope, not super screwed at all. Safari even limits http cookies if the cname doesnt match.

„On Safari 14 (requires Big Sur) and on all major iOS and iPadOS 14.2+ browser apps, expiration of cookies set with Set-Cookie HTTP response headers is 7 days at most, if the response originates from a subdomain that has a CNAME alias to a cross-site origin“


You should read the paper, it literally discusses how they were getting around that and discovered vulnerabilities because of it.

We're not super screwed.

extras.example.net is still third-party to awesome.example.org.

The tracking company has no way of knowing that an HTTP request to extras.example.net is from the same user as an HTTP request to awesome.example.org.

If you were operating the tracking company, how would you try to determine the same user is behind both requests? Happy to be proven wrong, but I don't believe it's possible with third-party cookie protections in place.

Based on reading the links someone posted, my understanding is that the way this CNAME stuff works is:

1. awesome.example.org would add a CNAME record that resolves tracking-you.example.org to the server referenced by evil.com

2. awesome.other.net would add a CNAME record that resolves tracking-you.other.net to the server referenced by evil.com

3. etc everywhere on the internet

Because these are CNAME, DNS hides all of this from the browser and it just sees the resolved address and the original requested name.

So tracking-you.example.org and tracking-you.other.net both now think the server controlled by evil.com is first-party. evil.com now gets all the first-party cookies. In the past they would have only got third-party cookies and the first-party cookies wouldn't be seen by evil.com.

But it gets worse because evil.com is also tracking you (it's what they're explicitly doing) so they can link users across the sites. This means evil.com has all it needs to spoof you cross-site because they now have all the first-party auth tokens. Unless you diligently never use the sites simultaneously and remember to log out between using websites. But even if you did, they can still do anything they want as you while you're logged in to the site.

So, yeah. It actually looks like a disaster and we're super screwed.

This doesn’t work because browsers only see the original domain names. A page loaded from awesome.example.org can only set cookies on awesome.example.org and on example.org and not on evil.com, no matter what CNAME tricks you pull.

What's said is that query on CNAME returns the resolved address of evil.com, not "evil.com" as a name that needs to be further resolved.

Isn't cookie validity selected by the site? A diligent site could setup subdomains to isolate the tracking cookines. Say, .awesome.example.org rather than .example.org. tracking-you.example.org wouldn't match anymore. But then it's a third-party cookie again and ad-block could just keep cookie whitelists for .awesome.example.org and throw any other .example.org cookies out.

It doesn’t work like this. Cookie domains, like cookie paths, are not a security feature because scripts in documents can manipulate other documents that are considered by the browser to have the same origin. A site can’t change the origin rules, the origin for both ‘awesome.example.org’ and ‘tracking-you.example.org’ both is example.org .

Yeah, exactly. awesome.example.org is the example.org site's code and tracking-you.example.org is evil.com's code.

Your example is reliant on UserA visiting example.com having the same "auth token" as UserA visiting other.net.

That's not the case. Both example.com and other.net are likely to be generating completely unique auth tokens.

example.org and other.net can certainly both coordinate with evil.com to manually share more detail (e.g. the current user is UserA@gmail.com), but if that's the threat then browsers have no chance at offering protection.

No, it's not reliant on that at all. The CNAME trick means that the browser forwards each site's auth tokens directly to evil.com's servers whenever you use that site. And since evil.com's entire reason d'etre is to track you across sites, it's trivial for them to store and link your auth tokens from all the sites you visit.

> The bottom line is that evil.com would not be asking sites to install CNAME tricks in their domains if evil.com cannot leverage those tricks to track users across sites. That should be obvious.

This is the leap I believe is incorrect. The paper doesn't explain how CNAME cloaking helps evil.com track users across sites. It says that it does, but it doesn't actually explain the attack vector.

It is far more plausible to me that CNAME tricks are being added so that evil.com can track a user on an individual site. When uBlock Origin is putting a hard block on all traffic to evil.com, there's still quite a bit to be gained by shifting evil.com to evil.foo.com if that means requests start succeeding again.

Another poster said something similar here: https://news.ycombinator.com/item?id=26349987

When evil.com receives an auth token for a user visiting example.org, how does it know which user that token is associated with?

Then, when evil.com receives a different auth token for the same user visiting other.net, how does evil.com know that new auth token correlates to the same user on example.org?

This is the third-party identity linking that's now impossible for evil.com to accomplish independently. They need other.net and example.org to share some common information (like an email address) to make the link. For logged out users, it should be impossible without resorting to fingerprinting.

This was Firefox and Safari's entire reason d'etre for launching Total Cookie Protection and Intelligent Tracking Protection. I don't believe CNAME cloaking overcomes their protections, or at the very least, I don't see where this paper explains an attack vector.

Except your auth tokens on the each site should be opaque identifiers and can’t be linked. Unless both sites are using the disaster that is JWT/JOSE as their token format with signing only and not encryption.

The reason sites are adding these CNAME tricks is specifically to enable evil.com to track you across sites to sell ads. So it's not just the CNAME trick, it's specifically what evil.com is doing that links accounts across sites.

The bottom line is that evil.com would not be asking sites to install CNAME tricks in their domains if evil.com cannot leverage those tricks to track users across sites. That should be obvious.

It's the other way around. The main site is example.com and the ads/tracking are at ads.example.com (which is a CNAME pointing to some server controlled by the advertiser). So they have the same second-level domain and are considered related origins.

Of course ads.example.com could just as well have A/AAAA records pointing to the same ad server, which would neutralize any attempt to infer separate origins based on CNAME records. It would just be slightly more difficult to administer since the owner of example.com would need to update their DNS records whenever the ad server's IP address changed—but that could be automated, and the IPs are probably mostly static anyway.

It's called "CNAME Flattening" (or "ALIAS records") and has been widely available from hosting providers since 2014. I was talking about server-side aliases a decade before that, and I was far from the only person doing so.

You have the explanation right. But your hypothetical future dystopia is actually the world of today. (-:

I always thought that was a bad decision, thinking that subdomains could be related security-wise to other domains looking the same.

DNS was thought out from the beginning so you could split it anywhere you wanted to delegate things, and you can also delegate with CNAME too.

I'd welcome a security model that does not use origins. It's doable, but the origin trick was a convenient way to enforce some security measures bolted on as an after thought without breaking much the compatibility.

They can both set and read cookies for example.org .

You can specify the domain when you set cookies, but it is limited to the domain your page is on (and browsers have lists of domain parts that are banned so you can’t for instance set cookies on co.uk )

> extras.example.net is still third-party to awesome.example.org

Yes, that's right. I'm making the assumption that letting the request succeed at all is on the losing side of the battle.

For me, I know I'm 100% trackable across the internet with my IP address (it hasn't changed in 2 years) and my screen resolution (the only 4k monitors behind that IP). If I don't block the request in the first place, the tracking company fingerprints my browser and sets that as a cookie.

The reason I say we're completely screwed is that I think we'll see all kinds of dirty tricks. Ex: auth = ads under the header and auth.example.net is actually a tracking domain. That's much harder to prevent than sending ads.example.com to a black hole.

Agreed - letting the request fire at all is the critical point, and I believe that's the true motivation behind using CNAMEs (they evade blacklists).

CNAMEs and first-party cookie access aren't helping networks link identities across sites in Firefox and Safari - at this point they're stuck relying on browser fingerprinting. And as you point out, fingerprinting can be quite effective, especially for people on static IPs :|

This paper is claiming that CNAMEs are evading the protections offered by Safari and Firefox but that's just not the case. Or at least, the paper hasn't explained how.

You are talking about the rules for javascript access to cookies, or other rules for "cross-domain cookies".

The rules for "block third-party cookies" features are different than these, and are browser-specific rather than bound by a standard.

I believe that both Chrome and Firefox will not block cookies from a subdomain of the same base domain as "third-party". Although I'm not totally sure where to find this documented. I think if they did, it would break many more sites than "block third-party cookies" do now.

The way tracking used to work is:

1. UserA visits foo.com which embeds a script from evil.com. When the script is requested, evil.com sees there's no tracking cookie for this user yet, so it drops one.

2. When evil.com was loaded, the Referer header showed the request was coming from foo.com. EvilCo adds an entry that UserA visited foo.com.

3. UserA now visits bar.com which also embeds a script from evil.com. Now, the tracking cookie from Step 1 already exists, so it's sent with the request to load the script from evil.com.

4. evil.com looks at the Cookie and Referer header, and adds an entry that UserA has visited bar.com.


Now, what Firefox and Safari have done, is they've made it impossible for ANY third party to access their cookies while a user is visiting a different site.

I completely understand that evil.com is promoting itself to first-party by routing under evil.foo.com and evil.bar.com, and that allows it to set and receive cookies on those hosts, but that alone isn't enough to break out of the new browser protections.

In this new world, evil.foo.com and evil.bar.com are still third party to each other, and so there's no way to sync identifiers between them, even though they're both operated by evil.com.

To sync identities across evil.foo.com and evil.bar.com, EvilCo is forced to do some kind of browser fingerprinting, or to rely on the operators of foo.com and bar.com to manually share additional data about the user.


Source - I've tried it! Run two separate domains and see if you can get the same unique identifier in cookies on both domains. The only workarounds are OAuth2 and the Storage Access API - both of which require explicit user permission.

Thanks for trying to explain.

What I'm not following is that you say:

> In this new world, evil.foo.com and evil.bar.com are still third party to each other, and so there's no way to sync identifiers between them, even though they're both operated by evil.com.

But in your original 1-4 description, foo.com and evil.com already were third-party to each other. So apparenty that was not a barrier? Your original description doesn't actually mention mention any shared identifiers between evil.com and foo.com, just that evil.com would use a referer header to see that the rquest was coming from foo.com.

Won't this work exactly the same way with evil.foo.com and evil.bar.com?

Your original 1-4 stopped working because FF and Chrome stopped letting evil.com set cookies at all when loaded from foo.com. That is the restriction that broke 1-4 (it wasn't other restrictions that were in place when 1-4 was working fine), and that is the restriction you get around with evil.foo.com, restoring the situation where your 1-4 steps worked.

What am I missing?

Trying my best! This is really confusing stuff, and I probably shouldn't have come out so hot with "This is false." Safari's rollout of ITP broke my company's code three times over, so I've been in the weeds on this for a while.

I think you're missing that setting cookies alone isn't what allowed evil.com to sync identities. They needed to set the cookie from one site, and receive that same cookie when the user visited a different site.

With CNAME cloaking, it's true that EvilCo can set cookies on both evil.foo.com and evil.bar.com. But when a user is on evil.foo.com, there's no way to make a request to evil.bar.com that includes evil.bar.com's cookies. This is the mechanism that stops syncing identities.

Does that help?

OK, so here's the basic issue.

What did banning third-party cookies actually stop then? Nothing?

So whatever they were able to do before banning third-party cookies, why did banning third-party cookies matter at all?

The whole point of the CNAME as described is to get around third-party cookie bans. If getting around the third-party cookie ban doesn't actually help -- that seems to suggest the third-party cookie ban in the first place didn't actually do anything, if getting around it doesn't give you anything? no?

It stopped syncing identities with the first-class web APIs, and forced trackers to use browser fingerprinting.

That _does_ help. It adds noise to things and helps us shift our focus to stopping fingerprinting.

You now need to read the next step in the dance, which the NextDNS people explained back in 2019 as "Security implications of CNAME Cloaking".

* https://medium.com/nextdns/cname-cloaking-the-dangerous-disg... (https://news.ycombinator.com/item?id=21604825)

The cookie protections I'm referencing are Safari's "Intelligent Tracking Protection" and Firefox's "Total Cookie Protection."

Efforts would be much better spent trying to stop fingerprinting, trying to convince Chrome to add third party cookie protection, or lobbying for regulation.

The third of those. This isn't a technical problem, it's a "greedy maw of the surveillance economy" problem.

"Chrome users are currently completely susceptible to having private cookie data stolen on thousands of high-traffic sites"

Not true, sure it's a workaround solution but with frogeye's block list [0] and uBO you're pretty much covered on Chrome regarding CNAME-tracking

[0]:Geoffrey Frogeye's block list of first-party trackers https://hostfiles.frogeye.fr/

Related threads, for those interested. Are there others?

AdGuard publishes a list of 6K+ trackers abusing the CNAME cloaking technique - https://news.ycombinator.com/item?id=26349857 - March 2021 (49 comments)

Cname / DNS based third party tracking - https://news.ycombinator.com/item?id=26297984 - Feb 2021 (46 comments)

Plausible Analytics Isn't GDPR Compliant - https://news.ycombinator.com/item?id=24868012 - Oct 2020 (75 comments)

uBlock Origin 1.25.0 uncloaks CNAME-masked network requests in Firefox - https://news.ycombinator.com/item?id=22404808 - Feb 2020 (4 comments)

NextDNS first to block ALL third-party trackers disguised as first-party - https://news.ycombinator.com/item?id=21610386 - Nov 2019 (4 comments)

Cname cloaking, a disguise of third-party trackers - https://news.ycombinator.com/item?id=21604825 - Nov 2019 (196 comments)

Chrome's crippling of uBO's protections are what drove me away, once and for all.

In this case, me means my household and customer base. I setup everyone on Firefox for their protection. Most stick with it.

Some vendors request FF. Lightspeed is one.

The real problem with CNAME-tracking is that it provides the loaded adtech libraries the security privileges from the hosted domain.

This means, tracking libs can now also access everything of the website they are hosted in, attach any event handlers etc. It is essentially the same as hosting the tracking library from the content server, except that the tracking provider can change the source code anytime without requiring any consent.

This is a security nightmare imo.

This makes me dream of making social media decentralized again. If there were some way to make it peer-to-peer so that it didn't require running servers and yet some way to make it so that visibility is reduced to only your actual connections or maybe sometimes one degree from your immediate connections so that you could get introductions from others and explicitly made impossible thereby to spider or otherwise hoover up all the data by any party, effectively making it part of the 'dark' web. So if you want to search it should be the small dataset from your own connections and local to you.

At least that's the vision, to make the web "smaller" again like it was before Eternal September, and to create some protocol implementing a vision like that to take over and wrest things from giant oligarchs controlling all social media. I have no idea if making that is even feasible, though I've seen some attempts vaguely similar to that. I see tons of practical challenges with actually implementing such a thing, though, but the idea would be to make all the communication opaque and explicitly take it away from harvesters.

Granted, there's no way that could end things... I'm sure clients might get subverted via various methods to re-enable harvesting but at least it would limit their scope and you could remove such folks as connections if you knew.

One asked for by folks on HN who said third party cookies should be blocked - well, the ad tech companies are making them first party.

I'm surprised they even setup another domain, you could do path rewriting at load balancer level to route the /extras path to the ad tech software / provider.

The advertisement providers do not trust the content providers not to generate fake page fetches. This rules out any sort of mechanism where the advertisement providers trust reverse proxies or any other sort of request relaying on the content providers' parts.

Not much more of a security nightmare than loading Javascript from a random ad server, really.

I think the main point is just to make it harder to block using pi-hole like solutions.

"That will kill any ability to use heuristics for blocking" was a pretty common response to Google's Manifest V3 stuff. They knew this was coming.

Manifest V3 was always a massive advertiser land grab. Their intent is to kill effective ad blockers and replace them with ad blockers on the payroll ("acceptable" ads) or nothing at all.

Gorhill told the Chrome team that this would effectively kill ad blocking. He was ignored (are you surprised?).

using a CNAME to allow third party trackers seems like a horrible idea... You risking exposing cookies and other sensitives data to some third party... I guess these sites don't care.

It's not any worse than third party scripts, which give you full access to the DOM.

It's a different attack vector.

Session tokens should be stored in an httpOnly cookie, so they're not accessible to a third party script.

CNAMEs could absolutely lead to leaked session tokens, but website owners should already be somewhat accustomed to hiding cookies away from third party subdomains. These days, lots of third party services run on subdomains... blogs, status pages, email click trackers, support desks, etc.

>Session tokens should be stored in an httpOnly cookie, so they're not accessible to a third party script.

You can't steal cookies, but you can perform actions as the user, eg.

    $.post("/api/transfer_funds", {"recipient": "attacker", "amount": 999999})

So tired of this arms race. The Web is an absolute joke.

Bring back geocities!

No, really

So... Gemini?

From the full-text article:

> visits to different websites cannot be attributed to the same user using standard web development features.

This was stated in a section about the limitations of CNAME tracking.

Maybe the article mentions this later, but wouldn't a single call from the web server to the ad server negate this limitation? That is cross-site tracking is simply a matter of running a little more ad tracker code in your server.

You need more cooperation from the domains that do the CNAME cloaking. In fact, the CNAME just makes it a little easier to deploy -

The domain server could -- on the backend, without you having any idea or way to intervene -- notify TrackerCompany that "I now see user xyz who registered with email abc@def.com first name "john" last name "smith" claiming to be 43; he is coming from ip i.j.k.l and is browsing /blah/widget/plan.html, a page about widgets"

But the site owners don't trust the TrackerCompany with this much information. And the TrackerCompany doesn't trust site owners to be honest (they have an incentive to provide false/inflated data).

They started eith 3rd party scripts and cookies, which was a middle ground (site owners have to work harder to lie and must leave some trail if they do; trackercompany must introduce malicious javascript if they want more than was agreed upon). Browsers are making this unusable, so it's shifting to CNAME - website owners have to do a little more work, and have to trust trackercompany more; In the trust/power balance, the sites lose power and give trust (both of which go to trackercompany). But they haven't noticed yet.

So, you are absolutely right, it's just a matter of trust and convenience, which is being shifted - but ultimately, all it takes is just one call from the backend server to undo all privacy protections.

The next step will be to proxy the 3rd party site. For example, if you run www.example.com, you set up tracker.example.com pointing to your own web server. You configure your web server to proxy tracker.ad_tech_company.com.

As long as tracker.ad_tech_company.com is smart enough not to give away that it's not part of example.com, there's no way for one's browser to notice this. tracker.example.com is not a cname, and it will almost certainly refer to an IP that is within your corporation's or host's IP space.

This is minimal complexity. It's not a ton of bandwidth if it's mainly cookies.

Similar is to use use the engagement tools inside your own web content management system. The majors (Adobe AEM, Sitecore, etc.) are already offering it.

The ad company isn't going to trust any data which is routed through the backend of your web server. Otherwise spoofing page views/clicks is trivial.

The next step is to get a CDN to proxy both www.example.com and tracker.example.com and promise to be independent, or for the ad company to operate the proxy themselves.

Aaaaaaaand, I'm now reading this from FF. Google needs to get its shit together.

Outside of the fact that sites would be mad is there a problem is browsers just chase cnames and set the origin to the last one?

Yes sites could switch to A records or proxies but that's way more of a PITA on the tracker side.

Yes, it would cause issues with hosting services that use CNAMES in the way they were intended. e.g www.example.com might be CNAMEd to example.bigwebhost.com so that bigwebhost can change the IP addresses used by example.com without having access to example.com's DNS. Your proposed change would make every site hosted by bigwebhost part of the same domain, potentially leaking cookies to each other.

You could do something similar to how FF implemented their new cookie isolation.

Make the key (original domain ^ final CNAME).

Which probably would still have issues, but I think it's worth looking into.

`dnscrypt-proxy` blocks these, as well as the SVCB and HTTPS variants.

The web sites in question can make their subdomains point anywhere they want. They can forward all their tracking info to the ad companies without any real technical innovation. This fight is ultimately futile. The only real solution here is legislative.

BTW, why do browsers not treat subdomains as separate entities for the purposes of figuring out what is a third party? Why don't they restrict things on the basis of IP addresses and skip all this complexity? One connection, one IP address...

Interesting. I'm hoping Brave fixes it downstream, it's the kind of thing they can use to prove themselves as the privacy-oriented Chromium fork.

It's already included in the native adblocker in Brave (oct 2020)


Edit: not exactly bringing the feature to extension but people usually use Brave Shield + uBlock.

Stupid question: Can I block this with a host file?

I know Adguard published a list. Kudos to them, but can this be used in an extensive host file?


Just updated my AdguardHome's block list. Non tech savvy people are screwed. Honestly, how could the majority win this game even when people surfing HN are scrambling to catch up?

Strange, I don't see this option in my uBlock for FF.

It's enabled by default since 1.25.0, but it can be disabled or fine-tuned through advanced settings.[1]

In next release, the option is moved from advanced settings to normal user settings, i.e. it will become visible in the Settings pane of uBO's dashboard.[2]


[1] https://github.com/gorhill/uBlock/wiki/Advanced-settings#cna...

[2] https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#u...

I don't think it's a visible option. It just uncloaks CNAMES so that putting those domains on the block list works. It does highlight them in blue.

See here: https://github.com/gorhill/uBlock/releases/tag/1.25.0

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact