Specifically, he worried same-origin restrictions would not be enough because sites like GitHub can have the same origin () while giving different people control over content on different pages. Raymond Hill, the creator of rival content blocking extension uBlock Origin, last year said he would not be implementing $rewrite because of security concerns. "This method allows delivering payloads on a per request basis, you may be targeted, exploited and the evidence cleared from the extension storage, without needing to publish the payload as part of a public filter list," he said.
Sebastian said he was unaware of whether anyone has been exploiting filtering lists thus, but said manipulation would be difficult to detect. That is quite the leap from how users perceive ad blockers to work." The $rewrite filter option, when chained with other security issues from web services, enables account takeovers and the exfiltration of private data. "In the past the worst that could have happened was for a malicious filter list provider to block access to a site, which would have been a minor annoyance that is easy to spot. "The new feature is a fundamental shift from how ad blockers are understood to work," said Sebastian in a Twitter conversation with The Register.