
Header Bidding Is
Now Secure

The industry's first cross-origin isolated auction architecture.
Zero competitors. 140+ automated tests. Production-ready.

Cross-Origin Isolated • 140+ E2E Tests • Zero Competitors

Your Readers Trust You.
Header Bidding Puts That At Risk.


Security: ~80% of iframes across the web lack sandbox attributes (HTTP Archive 2025). Even when present, 98.5% allow script execution. Confiant (2024) found 1 in 90 ad impressions globally is dangerous or disruptive, with ad quality violations surging 2.5x year-over-year. Meanwhile, MGID reports malicious ad activity doubled in Q2 2025, with redirect attacks accounting for 66% of all malicious ads.
Performance: 100–200KB gzipped JavaScript added to publisher pages by typical header bidding setups. 40% of online visits are plagued by user frustration from slow content (Contentsquare 2025, 90B sessions). Every 0.1s improvement drives 8–10% higher conversions (Deloitte/Google 2020, 30M sessions).
Compliance: €1.2B in GDPR fines issued in 2025. Cross-origin consent propagation remains a regulatory minefield. CJEU ruled TC strings are personal data (March 2024), making every player in the ad tech chain a potential joint controller.

Two Frames. One Auction.
Complete Isolation.


One script tag. Automatic role detection. Zero configuration. The auction runs in a secure cross-origin frame while the publisher page stays lean and fast.

graph LR
  subgraph PUB["Publisher Page — WORKER"]
    A["googletag hooks"] --> B["Thin proxy • ~15KB"]
    B --> C["Ad rendering"]
  end
  subgraph SEC["Secure Frame — CORE"]
    D["Prebid.js + adapters"] --> E["Full auction engine"]
    E --> F["Targeting resolution"]
  end
  PUB <-->|"woof (postMessage)"| SEC
  style PUB fill:#EBF4FF,stroke:#3793FF,stroke-width:2,color:#030712
  style SEC fill:#E6FAEE,stroke:#27BE69,stroke-width:2,color:#030712
  style A fill:#FFFFFF,stroke:#3793FF,color:#030712
  style B fill:#FFFFFF,stroke:#3793FF,color:#030712
  style C fill:#FFFFFF,stroke:#3793FF,color:#030712
  style D fill:#FFFFFF,stroke:#27BE69,color:#030712
  style E fill:#FFFFFF,stroke:#27BE69,color:#030712
  style F fill:#FFFFFF,stroke:#27BE69,color:#030712
Key insight: Chrome's site isolation gives cross-origin iframes a separate renderer process. The auction literally cannot block the publisher's main thread. The publisher page never touches Prebid.js, bidder adapters, or auction logic.
Killer Feature #1

85–90%
Less JavaScript Per Framed Placement


Per-placement savings: Each framed placement avoids loading 100–200KB of Prebid + adapter JS. But that’s just the runtime — configuration is also not loaded in the worker frame. For RON networks with large multi-publisher setups, wrapper configs alone can be 100KB–1MB. That’s megabytes of traffic and parse time eliminated across all worker frames.
Metric | Traditional HB (per placement) | Cross-Frame HB (per placement)
Wrapper + Prebid JS (gzipped) | 100–200 KB | 15–20 KB (worker proxy only)
Config payload | 100KB–1MB (RON networks) | 0 KB (config lives in CORE)
Parse time (mobile) | 400–800 ms | 60–80 ms
Main thread blocked | Yes | No (separate process)
Research Evidence
  • Deloitte (2020): +8–10% conversions per 0.1 second improvement in mobile load time (e-commerce study)
  • Google Page Experience: Core Web Vitals are a confirmed ranking signal. Cross-origin iframes isolate heavy JS from the publisher's CWV scores
  • V8 team guidance: "If a bundle exceeds 50–100KB, split it" — typical HB is 2–4x this limit
  • CWV benefit: Cross-origin iframe JS runs in a separate renderer process (OOPIF) — does not contribute to host page INP or block LCP
CWV & SEO tradeoff: Cross-origin iframes isolate ad JS from the publisher's INP score (separate process, separate main thread). CLS shifts inside iframes are weighted proportionally to viewport fraction. Google uses CWV as a ranking tiebreaker — "slow" domains rank 3.7 percentage points worse in visibility. Case studies: Netzwelt +18% ad revenue, iCook +10% ad revenue from CLS fix alone, Agrofy 76% reduction in load abandonment after LCP improvement.
Who benefits most: RON networks with large multi-publisher configurations see the biggest gains. In traditional setups, every framed placement loads the full wrapper + Prebid + config independently — multiplying traffic and parse time across frames. Cross-frame consolidates all of this into a single CORE, while workers carry only a 15–20KB proxy. Even gzipped, config parsing and script evaluation still consume CPU per frame. Low-tier Android devices (3–5x slower JS processing than flagships) benefit disproportionately.
Killer Feature #1b

Auction JS Runs On
A Separate Thread


Chrome's Site Isolation and Firefox's Fission give cross-origin iframes their own renderer process — a separate thread, separate V8 heap, separate garbage collector. The auction engine literally cannot block the publisher's page.

[Diagram: PUBLISHER PROCESS (main thread: DOM / layout, publisher JS, worker 15KB, paint; main thread free for interaction) linked by IPC to AUCTION PROCESS (OOPIF) (separate thread: Prebid.js, adapters, config, isolated GC; cannot block publisher page). Mobile impact (V8 team data): 3–6x slower JS parse on mobile vs desktop; 0 ms auction JS on publisher thread; 0 GC pauses from auction on host.]
0 ms TBT / INP Impact: Auction JS in OOPIF does not contribute to the publisher's Total Blocking Time or Interaction to Next Paint. Google's own RUM tools and Lighthouse confirm OOPIF work is invisible to host page metrics.
Separate Heap, GC Isolation: Each OOPIF gets its own V8 isolate with its own heap. Garbage collection for Prebid bid objects, adapter responses, and targeting maps cannot cause jank on the publisher page.
+24–30% Revenue Signal: optAd360 case study: a Polish web portal improved INP by ~50% with better ad JS isolation. Revenue surged 24–30%. Google recommends "reduce ad JS blocking time" as a primary CWV strategy.
The compounding win: Thread isolation and bundle reduction are not separate features — they compound. Even on Safari/iOS where process isolation is absent, the worker iframe still loads only 15–20KB instead of 100–200KB. Less code to parse means less time blocking the thread, regardless of whether it's a shared thread or a separate one. Every device benefits; devices with process isolation benefit twice.
Evidence & Sources
  • V8 team (2019): JS parse/compile takes 3–4x longer on median phones (Moto G4) and 6x+ on sub-$100 devices (Alcatel 1X) vs desktop
  • Chrome Site Isolation: Cross-origin iframes get a separate renderer process with their own V8 isolate, compositor, and GC
  • Firefox Fission (v94+): Cross-site iframes get separate OS processes, matching Chrome's isolation model
  • Google Publisher Ads Audits: Explicitly recommends reducing ad JS blocking time and moving ad work off the main thread
  • web.dev INP docs: OOPIF JavaScript does not appear in host page performance entries for RUM measurement
  • Mercado Libre: 90% reduction in Max Potential FID by moving work off the main thread
Killer Feature #2

The Industry's First
Isolated Auction


Competitor | Auction Isolated? | Cross-Origin Comms? | Reduced Bundle?
Prebid.js | No | No (except AMP) | No (100–200KB gzipped)
Amazon TAM | S2S (not iframe) | N/A | Thin client
Index Exchange | No | No | Partial
PubMatic OpenWrap | No | No | No
Magnite | No | No | Partial
Criteo Direct Bidder | No | No | Somewhat (~50KB)
Google Open Bidding | S2S only | N/A | Yes (locked to Google)
Freestar | No | No | Partial
Mediavine | S2S | No | Partial
Playwire RAMP | No | No | No
HBMP Cross-Frame | YES | YES | YES (15–20KB)
Chrome site isolation gives cross-origin iframes a separate renderer process. The auction literally cannot block the publisher's main thread. While the industry trend moves toward server-side bidding (S2S), many networks and publishers still rely on client-side bidding for its transparency, speed, and reliability advantages. Cross-frame isolation gives client-side bidding the security it has always lacked — a second breath for a proven approach.
Coming soon: We are working to bring you news about Web Workers and addressing client-side Prebid performance issues. Stay tuned for benchmarks on worker-thread isolation as an alternative to iframe isolation.
Killer Feature #3

Consent That Actually Works
Cross-Origin


The challenge: Cross-origin consent propagation is one of the hardest problems in ad tech. When Prebid and GPT load inside iframes, standard CMP discovery breaks — the IAB TCF __tcfapiLocator frame-walking protocol must work across frame boundaries for consent to reach all auction participants.
CJEU 2024
March 2024 ruling: TC strings = personal data. IAB Europe has joint controller liability for TC string processing. The regulatory bar keeps rising.
Feb 2026
TCF v2.3 deadline: February 28, 2026. Non-compliant implementations default to Limited Ads mode. Revenue impact is severe.
3 same-origin TCF scenarios covering the consent lifecycle: returning user with full consent, vendor-specific consent verification, CMP discovery across frame boundaries.
Our Solution
  • 3 tested TCF scenarios covering returning user consent, vendor-specific verification, and CMP frame-walking
  • Consent propagated from host page to CORE frame via woof before any auction runs
  • Full __tcfapiLocator proxy installed in worker frames — CMP discovery works transparently across frame boundaries
  • Validated with same-origin topology — the enforced constraint for reliable auction coordination
→ TCF Same-Origin Demo
See consent propagation working live
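The frame-walking lookup and postMessage call that the __tcfapiLocator passage above refers to, written against the IAB TCF iframe protocol. This is an added example, not the product's proxy code; findCmpFrame, createTcfProxy and the callId format are names chosen here.

```javascript
// Added example of the IAB TCF iframe protocol. Function names and the
// callId format are assumptions for illustration.

// Walk up from `win` to the nearest ancestor hosting the CMP's
// "__tcfapiLocator" marker iframe.
function findCmpFrame(win) {
  let frame = win;
  while (frame) {
    try {
      if (frame.frames['__tcfapiLocator']) return frame;
    } catch (e) { /* ancestor not readable: keep walking */ }
    if (frame === win.top) break;
    frame = frame.parent;
  }
  return null;
}

function createTcfProxy(win) {
  const cmpFrame = findCmpFrame(win);
  const pending = new Map();
  let nextId = 0;
  return {
    cmpFrame,
    // Same argument order as __tcfapi(command, version, callback, parameter).
    call(command, version, callback, parameter) {
      if (!cmpFrame) { callback(null, false); return; }
      const callId = `tcf-${++nextId}`;
      pending.set(callId, { callback, keep: command === 'addEventListener' });
      // The request itself carries no TC string; the reply does.
      cmpFrame.postMessage({ __tcfapiCall: { command, version, parameter, callId } }, '*');
    },
    // Register with win.addEventListener('message', proxy.handleMessage).
    handleMessage(event) {
      if (!cmpFrame || event.source !== cmpFrame) return false; // wrong sender
      let data = event.data;
      if (typeof data === 'string') {
        try { data = JSON.parse(data); } catch (e) { return false; }
      }
      const ret = data && data.__tcfapiReturn;
      const entry = ret && pending.get(ret.callId);
      if (!entry) return false;                 // unknown or already-used callId
      if (!entry.keep) pending.delete(ret.callId);
      entry.callback(ret.returnValue, ret.success);
      return true;
    },
  };
}
```

Replies are accepted only from the window that was located as the CMP frame and only for a callId that is still pending, so another frame on the page cannot feed a consent result into the auction.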
Tested & Proven

Viewability Verified
Across Frame Boundaries


The challenge: When the auction engine runs in a separate frame from where ads render, viewability reporting must still work end-to-end. GPT Active View can’t be relied upon in cross-frame mode (withDFP=0 bypasses GAM entirely). We use IntersectionObserver directly in the WORKER frame for reliable, IAB-compliant viewability detection that works with both withDFP=1 and withDFP=0.
IO-Based Detection
IntersectionObserver in WORKER detects 50% visibility for 1 second (IAB standard), relays IMPRESSION_VIEWABLE to CORE via woof — works with both withDFP=1 and withDFP=0
Refresh Strategies
Viewable-based refresh triggers correctly — placements track visible1Sec state from relayed IO events across frame boundaries, including withDFP=0 refreshes
Adapter Callbacks
Prebid onBidViewable callbacks fire for all placements (CORE + WORKER) via $pbjs$.markBidViewable bridge — resolves winning bid by adId at fire time
How Cross-Frame Viewability Works
  • IntersectionObserver in WORKER monitors ad slot containers (50% threshold + 1s IAB timer)
  • On viewable: worker sends IMPRESSION_VIEWABLE to CORE via woof, then unobserves until next refresh re-arms
  • Core emits visibility:*:visible1sec — statistics fires multitracking events 18/20, placement state updates
  • Core’s winnerTargetingHook registers a permanent viewability handler per element that calls $pbjs$.markBidViewable({ adId })
  • Prebid resolves the bid by adId, calls adapterManager.callBidViewableBidder() — adapters receive onBidViewable(bid)
  • Works on both initial auction and every refresh cycle — IO re-arms via unobserve/observe on each new creative
E2E verified: Positive path (IO fires events 18/20 + adapter /demo/viewable fetch on initial and refresh) and negative path (ad below viewport — no IO, no events, no adapter callback) both covered by automated tests.
Killer Feature #5

Drop-In Integration.
Zero Developer Time.


Transparent googletag API hooking — defineSlot, display, refresh are all intercepted. The publisher's existing GPT code works completely unchanged.

Approach | Time to First Auction | Publisher Code Changes
DIY Prebid.js | 2–4 weeks | Major
Managed wrappers | Days to weeks | Moderate
Tag-based wrappers | Hours | Minor
HBMP Cross-Frame | Zero (publisher-side) | None
Adoption Barrier Removed
  • 31% of publishers cite "limited understanding" as their primary barrier to header bidding adoption (IAB/Prebid.org survey)
  • Cross-frame architecture removes this barrier entirely — publishers add one script tag and their existing GPT setup works
  • No Prebid.js knowledge required on the publisher side
  • No page template modifications, no async/defer configuration, no timeout tuning
The AdSense page_url problem: When ads render inside a cross-origin iframe, Google loses the publisher’s page context. Without page_url, AdSense contextual targeting breaks — Google may filter AdSense demand from the auction entirely, costing significant revenue on AdSense-heavy setups.
Our Solution: Single-Line ref= Parameter
  • Worker iframes receive the publisher’s page URL via a single ?ref= query parameter on the iframe src
  • The wrapper automatically resolves ref and sets both page_url and adsense_url on GPT via googletag.setConfig({ adsenseAttributes })
  • 3-tier fallback: ?ref= param → window.top.location.href (friendly frame) → document.referrer (cross-origin). Always resolves a value.
  • Respects site owner settings: if the publisher already set page_url via GPT config, the wrapper does not override it
  • ?lang= parameter is also supported for document_language targeting (falls back to document.documentElement.lang)
  • E2E tested across same-origin, cross-origin, sibling, and host topologies — verified GPT attributes are correctly applied before any slot operations
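The 3-tier fallback from the list above as a pure function, with the ?ref= value treated as untrusted input. This is an added example, not the wrapper's code; the function names, the input shape and the http/https-only check are assumptions made here, and it covers page_url only.

```javascript
// Added example. Names, the `env` shape and the scheme allow-list are
// assumptions for illustration.

// Accept only absolute http(s) URLs; anything else counts as "no value".
function asHttpUrl(candidate) {
  if (typeof candidate !== 'string' || candidate === '') return null;
  try {
    const url = new URL(candidate);
    return (url.protocol === 'https:' || url.protocol === 'http:') ? url.href : null;
  } catch (e) {
    return null;
  }
}

// env = { search, getTopHref, referrer }. In a browser these would be
// location.search, () => window.top.location.href and document.referrer.
function resolvePageUrl(env) {
  const fromParam = asHttpUrl(new URLSearchParams(env.search).get('ref'));
  if (fromParam) return { source: 'ref', url: fromParam };
  try {
    // Reading top.location.href throws when the parent is cross-origin.
    const fromTop = asHttpUrl(env.getTopHref());
    if (fromTop) return { source: 'top', url: fromTop };
  } catch (e) { /* not a friendly frame: fall through */ }
  const fromReferrer = asHttpUrl(env.referrer);
  return fromReferrer ? { source: 'referrer', url: fromReferrer } : null;
}

// A page_url the publisher already set is never overridden.
function buildAdsenseAttributes(existing, env) {
  if (existing && existing.page_url) return existing;
  const resolved = resolvePageUrl(env);
  return resolved ? { ...existing, page_url: resolved.url } : { ...existing };
}
```

Anyone who can set the iframe src controls ?ref=, so the value is parsed and scheme-checked before it is handed to GPT as page context.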
Zero Competitors

Instant Role Resolution.
Minimal Configuration.


Other Solutions
  • Manual role assignment
  • Hardcoded frame URLs
  • Breaks on topology changes
  • Race conditions on load
VS
HBMP Cross-Frame
  • Web Locks API — atomic, instant election
  • Top-level frames → instant CORE (fast path)
  • FIF fast path — structural check, timing-immune
  • postMessage fallback for legacy browsers
0ms Host Page: Top-level frames resolve to CORE instantly. Acquires Web Lock and broadcasts CORE_ELECTED to all child frames.
Atomic Web Locks Election: Iframes use navigator.locks with ifAvailable: true — exactly one frame acquires the lock, all others instantly resolve as WORKER. No timeouts, no races.
0 Configuration: Works regardless of iframe count or loading order. Web Locks operates at the browser-process level — immune to Firefox postMessage throttling during page load.
0 competitors offer automatic role resolution. Every other cross-frame approach (where it exists at all) requires manual role assignment and breaks when the page topology changes. Our Web Locks election is instant, atomic, and immune to browser-level postMessage throttling — zero configuration required.
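The iframe election described above, sketched with the standard Web Locks request call. This is an added example rather than HBMP's code: LOCK_NAME, electRole and the makeFakeLocks stand-in are names chosen here, and it covers only the iframe path, not the top-level fast path or the postMessage fallback.

```javascript
// Added example. LOCK_NAME and the function names are assumptions.
const LOCK_NAME = 'hb-core-election';

// Resolves to 'CORE' for the one frame that gets the lock, 'WORKER' for the
// rest. `locks` is a LockManager (navigator.locks in a browser). A
// LockManager is scoped to one origin, so only same-origin frames contend
// for LOCK_NAME.
function electRole(locks, lockName = LOCK_NAME) {
  return new Promise((resolve, reject) => {
    locks.request(lockName, { ifAvailable: true }, (lock) => {
      if (lock === null) {
        resolve('WORKER');        // another frame already holds the lock
        return undefined;         // nothing to hold
      }
      resolve('CORE');
      // Never settle: the lock stays held until the frame is destroyed,
      // at which point the browser releases it.
      return new Promise(() => {});
    }).catch(reject);
  });
}

// Constructed stand-in for LockManager so the election can be exercised
// outside a browser. It models exclusive locks and ifAvailable only.
function makeFakeLocks() {
  const held = new Set();
  return {
    request(name, options, callback) {
      if (held.has(name)) {
        if (options.ifAvailable) return Promise.resolve(callback(null));
        return Promise.reject(new Error('queued requests are not modelled'));
      }
      held.add(name);
      return Promise.resolve(callback({ name, mode: 'exclusive' }))
        .finally(() => held.delete(name));
    },
  };
}
```

In a page, each iframe would call electRole(navigator.locks) once at load; because the holder never releases, a CORE frame that is removed frees the lock for the next frame that asks.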

Don't Take Our Word For It.
We Tested Everything.


  • 140+ automated E2E tests across 11 spec files
  • 11 live demo scenarios
  • 3 TCF / GDPR consent scenarios
  • 4 topology configurations: same-origin, siblings, host-same-origin, FIF (about:blank)
  • 2 refresh paths: with GAM, without GAM
Additional Coverage
  • FIF injection — about:blank and empty src iframe variants
  • Duplicate loader guard — prevents double-initialization
  • AdSense attribute relay — cross-frame attribute propagation
  • Sizemap relay — responsive size mapping across frames
  • Passback routing — fallback ad serving when no bids
  • Creative resize verification — ad creative dimensions correctly applied
→ View All 11 Demo Scenarios
Complete cross-frame demo index

See It In Action


Prerequisites: Add /etc/hosts entries for a.test, b.test, c.test pointing to 127.0.0.1. Dev server must be running.