How trackers can evade tracker blockers and remain hidden

Taurus-II · April 25, 2026, 4:14pm

Trackers can be “disguised” and embedded into first party domains, invisible to the user, which allows them to escape blocking, as described here: How to Fully Incapacitate Google Tag Manager and Why You Should

The uBlock Origin Firefox extension has a setting that can make these hidden trackers visible, so that uBO can then block them:

uBO main settings tab > “Privacy” section > Uncloak canonical names

About the Canonical Name (CNAME) setting: Dashboard: Settings · gorhill/uBlock Wiki · GitHub)

Taurus-II · April 25, 2026, 4:27pm

I’m unsure if iodé’s content blocker deals with those. Maybe someone from the iodé team could comment…?

Nollie8969 · April 25, 2026, 4:43pm

In Iodé browser, which has ublock by default, “Uncloak canonical names” is already On.

Taurus-II · April 25, 2026, 4:57pm

Thanks. I was wondering about the iodé tracker blocking app/subscription.
(Although may not be applicable.)

rik · April 27, 2026, 4:59pm

Trackers can be “disguised” and embedded into first party domains, invisible to the user, which allows them to escape blocking

I will see if there is anything the developers have to say, but from my understanding, there is no way for the iodé blocker app to do anything to protect against these trackers, if they are truly only “seen” by your phone as “approved web addresses”.

Effectively in that case, the traffic the iodé blocker “sees” is again only to the approved address, but possibly at the app’s cloud / server instance they mangle / inject trackers and then deliver back to you via their “approved first party domain” again.

Now if these trackers are embedded at a subdomain level or have further identifiers in the FQDN, then those could be identified (and blocked, likely by default) by the iodé blocker. But if it truly delivered to your device using the same FQDN as valid traffic then there is no way to differentiate it (and thus block it).

Taurus-II · April 30, 2026, 3:57pm

Meta and Yandex, too: Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica

Although Meta has allegedly stopped (or “paused”) its behavior.

Taurus-II · May 10, 2026, 4:02pm

Reddit discussion: https://www.reddit.com/r/webdev/comments/utwmzy/how_can_a_3rd_party_provider_drop_cookies_as_the/

Example of a company that provides tracking to website owners in the first party domain: First-Party Tracking - Snitcher Documentation (And they claim to be GDPR-compliant.)

jwalesch · May 10, 2026, 7:46pm

Sorry, but META lies and lies and lies and lies and…

Taurus-II · May 10, 2026, 9:55pm

Of course.