WICG / turtledove

TURTLEDOVE
https://wicg.github.io/turtledove/

Controlling parties that will run an ad auction #857

Open eroncastro opened 1 year ago

eroncastro commented 1 year ago

Hi.

While searching the repository documentation, we could not find a way to prevent an origin from running an ad auction on our origin's behalf.

For the methods joinAdInterestGroup and leaveAdInterestGroup we have the path https://owner.domain/.well-known/interest-group/permissions/?origin=frame.origin.

How about runAdAuction? Is it possible to restrict its usage based on an origin?

Thanks!

michaelkleber commented 1 year ago

Are you asking about a site owner (first party) trying to restrict what ad techs can run auctions, or an ad tech (3rd party) trying to restrict what sites your auctions happen on? That is, what do "an origin" and "our origin" mean in your question?

eroncastro commented 1 year ago

Hi @michaelkleber, thanks for checking in!

I was asking more about an ad tech (3rd party) trying to restrict what sites your auctions happen on.

Suppose I am https://protected-audience.company.com and I want https://publisher1.com to be able to run auctions on my behalf, but not https://publisher2.com. Is there already a way to achieve it like https://owner.domain/.well-known/interest-group/permissions/?origin=frame.origin?

michaelkleber commented 1 year ago

Okay, so I think you mean "How can I, an SSP, be sure that I run auctions that lead to ads appearing on publisher1.com but not publisher2.com?"

It seems like there are two opportunities to do this today, on either of the two times the browser interacts with a server run by the SSP.

First, the directFromSellerSignals field is a channel that lets you send information from your server to the browser, with the guarantee that it cannot be modified by the publisher page. So (1) the contextual call could include the publisher site hostname, (2) your server could verify that the hostname is a permitted publisher, (3) your directFromSellerSignals response could echo back the hostname if it's allowed, and (4) your scoreAd() function could verify that the publisher named in directFromSellerSignals really is the same one as in browserSignals.topWindowHostname.

The second option is to use similar logic at the time the browser contacts your trustedScoringSignalsURL. The request to that URL includes hostname=publisher1.com, and your server can pass back information about that domain to the scoreAd() function's trustedScoringSignals argument.
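The first option described above, as an added example that is not code from the turtledove repository or from either commenter: a seller-side scoreAd() that rejects any bid unless the publisher hostname the SSP server echoed back through directFromSellerSignals matches browserSignals.topWindowHostname. The field name allowedPublisherHostname inside sellerSignals is an assumption of this example; the spec only defines the sellerSignals/auctionSignals containers, not what the seller puts in them.

```javascript
// Added example: seller scoreAd() enforcing "only run my auction on approved publishers".
// Assumption: the SSP's directFromSellerSignals response carries the approved hostname
// in sellerSignals.allowedPublisherHostname (field name chosen here, not from the spec).

function normalizeHostname(hostname) {
  // Lower-case and strip a trailing dot so "Publisher1.com." and "publisher1.com" compare equal.
  if (typeof hostname !== "string") return null;
  const h = hostname.trim().toLowerCase();
  return h.endsWith(".") ? h.slice(0, -1) : h;
}

// Returns the hostname the SSP server approved via directFromSellerSignals, or null if absent.
// directFromSellerSignals cannot be altered by the publisher page, so this value is trustworthy
// only if the SSP server itself decided to echo the hostname during the contextual call.
function approvedHostnameFromSellerSignals(directFromSellerSignals) {
  const sellerSignals = directFromSellerSignals && directFromSellerSignals.sellerSignals;
  if (!sellerSignals || typeof sellerSignals !== "object") return null;
  return normalizeHostname(sellerSignals.allowedPublisherHostname);
}

// Protected Audience seller worklet entry point. Returning 0 (desirability) rejects the bid.
function scoreAd(adMetadata, bid, auctionConfig, trustedScoringSignals,
                 browserSignals, directFromSellerSignals) {
  const approved = approvedHostnameFromSellerSignals(directFromSellerSignals);
  const actual = normalizeHostname(browserSignals && browserSignals.topWindowHostname);
  // Fail closed: if the page omitted directFromSellerSignals, the server declined to echo a
  // hostname, or the echoed hostname differs from where the auction is actually running,
  // the SSP never approved this publisher and the ad must not be shown.
  if (approved === null || actual === null || approved !== actual) {
    return 0;
  }
  if (typeof bid !== "number" || !(bid > 0)) return 0;
  return bid; // simplest desirability: score the ad by its bid
}
```

The second option in the comment (carrying per-publisher data in trustedScoringSignals) would use the same comparison against browserSignals.topWindowHostname, with the approved value read from the trusted scoring signals instead.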