Open jeffkaufman opened 5 years ago
/cc @ampproject/wg-ads
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
This security issue has been open for a long time, will this issue not be fixed?
For what it's worth, this behavior is still live on Google Ad Manager.
For what it's worth, this behavior is still live on Google Ad Manager.
So, It's exploitable?
@sbenhai This is a security ticket, but it isn't a vulnerability report. It is a request that the AMP project officially support this kind of friendly frame rendering and offer official guidelines on how networks should implement it.
I believe AdManager does everything listed under Recommendations above already.
I don't know whether there are any other ad networks that are rendering validated Inabox creatives friendly to the page?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
Summary
An ad network may want to protect publishers from potentially malicious creatives, and so render third party ads in cross-domain iframes. Validated AMP creatives shouldn't allow the kind of malicious behaviors that cross domaining protects against, so AMP should (a) explicitly support rendering friendly to the page and (b) include documentation on how to do this safely.
This behavior has been live in Google Ad Manager for several months on an experimental basis, and we propose standardizing it.
Motivation
For a regular HTML creative from an untrusted source, cross-domain rendering is essential for protecting the publisher and users from the ads. For example, creatives could:
AMP creatives can't run custom JS, and the AMP JS doesn't (and shouldn't) allow any of these things, so this protection shouldn't be needed. Since cross-domain iframes are less performant than same domain ones (for example, because of site isolation in Chrome) rendering AMP creatives in same-domain iframes improves both page and ad performance.
Recommendations
We should offer a recommended configuration for serving AMP Inabox creatives friendly to the containing page. As a first cut, we propose:
<meta name="referrer" content="origin">
at the beginning of the creative<head>
to avoid accidental referrer leaks. Intentionally sending referrers is already possible in both AMP and non-AMP creatives.sandbox
attribute on the iframe. We would need to agree what specifically to recommend here./cc @ampproject/wg-approvers