[rmi_]

I am really interested in the technical details. I think we have yet to see a working (and practical) approach to this.

[Cthulhu_]

I can think of a few simple tricks already. One: Host from the main facebook.com domain, either inserting it in the basic html page response from the server, or from an API / content location that cannot be predicted. (ad calls should be indistinguishable from 'normal' content calls). Two, do the same with content locations, so no 'div id="ad"' or anything like that. Should be easy enough.

[topspin]

"Host from the main facebook.com domain..."

If true I believe that this would actually be an important improvement. This removes some plausible deniability regarding malware and other abuse; Facebook (or whomever else adopts this scheme) must guard more carefully against abuse when the content is coming from their own domains, as opposed to some third party.

[pbhjpbhj]

Must they? The uninformed layman probably already things the ads come from Facebook[.com] as that's the address site they're visiting.

I expect them still manage to hide behind "common carrier" arguments.

[awad]

As far as I am aware, all ad creative is hosted and served exclusively by Facebook anyway.

[waterphone]

The efforts I've seen so far from other websites include randomized IDs and class names, and base64 encoded images inlined so the file path/hostname can't be used as a parameter for blocking.

[juliand]

Me too. This is clearly a cat vs mouse game or more like a lion vs mouse and that's what makes it interesting to me.