Tests whether content-filtering rules apply inside about:blank iframes
— brave-browser#40649
Before running the test, add the following custom filter rule to your browser (Brave: Settings → Brave Shields & Privacy → Content Filtering → Custom Filters):
||test-website-a.pages.dev/local-frames/local-frame-content-filtering/test.png$image
This rule should block the probe image on this page. After adding it, reload this page and click Run Test.
The test loads a small probe image (test.png) in two contexts:
about:blank iframe.
An about:blank frame has no URL of its own; its code runs with
the security origin of the parent frame. A correct implementation therefore
applies the same content-filtering rules to both contexts.
On vulnerable implementations (e.g. Brave iOS), the browser resolves the
frame’s context from window.location.href
(about:blank) rather than from the inherited parent origin,
so first-party filter rules are silently skipped inside the frame.
| Scenario | Main frame | about:blank frame |
Verdict |
|---|---|---|---|
| No filter rule active | Loads | Loads | Not meaningful — add the rule first |
| Protected browser (rule active) | Blocked | Blocked | Pass |
| Vulnerable browser (rule active) | Blocked | Loads | Fail — about:blank bypasses filtering |