I can think of a few simple tricks already. One: Host from the main facebook.com domain, either inserting it in the basic html page response from the server, or from an API / content location that cannot be predicted. (ad calls should be indistinguishable from 'normal' content calls). Two, do the same with content locations, so no 'div id="ad"' or anything like that. Should be easy enough.
If true I believe that this would actually be an important improvement. This removes some plausible deniability regarding malware and other abuse; Facebook (or whomever else adopts this scheme) must guard more carefully against abuse when the content is coming from their own domains, as opposed to some third party.
The efforts I've seen so far from other websites include randomized IDs and class names, and base64 encoded images inlined so the file path/hostname can't be used as a parameter for blocking.
Cthulhu_|9 years ago
topspin|9 years ago
If true I believe that this would actually be an important improvement. This removes some plausible deniability regarding malware and other abuse; Facebook (or whomever else adopts this scheme) must guard more carefully against abuse when the content is coming from their own domains, as opposed to some third party.
waterphone|9 years ago
juliand|9 years ago