Use of SafeFrame creative example leads to 100% discrepancy

[sonemic]

Type of issue

Bug

Description

The SafeFrame creative example provided here does not function properly. Although the creative does properly load the ad code inside a SafeFrame, the impression is not registered by the partner, and the ad shown does not reflect the bid; rather, a PSA is most often displayed. This leads to a 100% discrepancy (zero revenue).

There seems to be a lack of necessary context (cookie data, query strings, etc) provided to the window in order to serve the correct ad and credit the publisher.

Steps to reproduce

Use a standard Prebid installation, but replace the creative with the one provided here and enable the "safeframe" option for the creative in DFP.

Expected results

An ad will be shown that represents the bid provided (e.g. for a $2.00 bid, an ad would be shown that would expect to fetch a $2.00 bid). Impression would be counted and credited to publisher.

Actual results

All winning bids, regardless of bid amount, display an ad that is either a PSA or an obvious low-CPM remnant ad. Impression is not counted and publisher is not credited, leading to 100% discrepancy.

Platform details

Tested with Prebid at the 0.19.0 and 0.20.0 checkpoints, built with Gulp. Tested with appnexusAST, aliased appnexusAST, districtmDMX, sekindoUM, and sovrn. All counted zero impressions despite serving ad units.

Other information

Was marked as implemented/working in #927, but can't find any verifiable examples of successful implementation.

[protonate]

I had things working at one point and will test that again. Please disregard earlier comment (deleted), I mistook the context to be AMP creatives.

[ialex]

I will hack this thread we are trying to use iframes but they always load in a 1x1 container instead of the actual ad size 300x250/728x90 any hint what could cause this would be helpful thanks. we are using same set of line items just replacing the creative and enable safe frames.

[mkendall07]

@mercuryyy I believe you are running safeFrames successfully with prebid. Was there anything you had to change to get it to work?

[ialex]

You have to change your creatives in the orders from using size override to add 1 creative per size, otherwise they render as a line.

[sonemic]

@mkendall07 I actually did followup with @mercuryyy but didn't get any info on real-world implementations (I can understand if that info is confidential or if he doesn't want to publish specific sites).

This has become a fairly serious issue for us - as a small publisher, we aren't being given the resources by our partners to determine who is responsible for popups and redirects that are showing up on our site, so we need to find a way to solve it on our end, and sandboxing/safeframe seems like a good first step. If there's anything we can do to help resolve this, please let us know.

[pribeh]

@sonemic did you end up solving this? We're looking into this but can't find out how to implement this. Do we simply add this to our creatives in DFP and turn on safeframe?

[sonemic]

@pribeh Yes, it turned out that @ialex's problem was the same as ours – the discrepancy was caused by the SafeFrames serving in a 1x1 frame. There are several ways to fix it: Either create separate creatives for every possible ad size, or use some trickery to override the size of the div that DFP creates for the frame (such as a JS or CSS hack).

But if you're doing this to try to stop redirects and popups, I have bad news: it doesn't help at all. We saw no noticeable drop in complaints about those ads after implementing SafeFrames, so after 3 months we decided to revert this change (since we also saw some revenue loss with SafeFrames).

[mercuryyy]

@sonemic no secret :) as i mentioned if your creatives are at 1x1 size overide as most peoples are you need to hard code the iframe or divs in css "width and height".

We are actually considering taking safeframe off and reverting back to the regular tags. I would like to know how well ad networks and buyers can measure viewability without safeframes, few sources are saying that most view ability buyers only bid and measure on safeframes.

[pribeh]

@sonemic I just gave it a go and used height: auto !important and width: auto !important to override the width/height issue. It's sad to hear that these ads are still getting through. Do you have any idea why/how? Is there anything else anyone has come up with to combat these malicious ads? These redirects are very upsetting to our audience.

[BartVB]

We haven't solved that problem yet we managed to reduce this problem quite a bit.

Set a floor CPM We had a bug in our Prebid implementation which allowed extremely low CPM bids. This seems to be the preferred territory for redirect ads. We haven't had a lot of problems with these campaigns but the last instance used bids of $0.01 and the like. The higher you can afford to go, the lower your chances to get malvertising on your site.

Act quickly and report/block One of our main challenges in dealing with these campaigns is that they are really hard to track. Screenshots from users don't help, you can't get a click URL, most of the time they are limited to mobile, they are hard to reproduce. Because of that we've created a (rudimentary) system to allow our users to report bad ads, even after they have seen them. I.e. after they have been redirected. We hope that this enables us to report these campaigns much, much quicker to the relevant network. In the end it should even allow us to block these ads on our side.

[mkendall07]

Just to be clear, the ads are redirecting even when using SafeFrame? Does anyone have ideas how they accomplish this technically?

[CarsonBanov]

@mkendall07 Not sure what google's safe frame script does exactly, but these come to mind: https://stackoverflow.com/questions/16135465/how-to-programatically-remove-sandbox-attribute-from-an-iframe-with-javascript https://stackoverflow.com/questions/21652320/toggling-iframe-sandbox

[mkendall07]

they use hard enforcement via loading the iframe from another domain (so same origin policy applies).

[pribeh]

@mkendall07 We've been running the safeframe creative as referenced here and it looks like some redirects are still happening. It looks like that's what a few others are reporting.

I'm not sure how this is happening but in some cases when the user is redirected to the app store it looks like the issue could pertain to how apps handle external protocol handlers (see this).

I realize this is off topic of this thread but, as for setting a universal CPM floor, would I do it by adding a bidCpmAdjustment like so:

pbjs.bidderSettings = {
  bidCpmAdjustment : function(bidCpm){
         // set a price floor to 50 cents
         return bidCpm * 0.50;
       }
}

[mercuryyy]

@mkendall07 Yeah Matt even with safeFrames we are getting the same auto redirect ads. Today after 8 months using safeframes i'v decided to drop safeframes. for now higher CPM floors seem to be the only thing that does the trick.

Also Matt from what i understand safeFrames wont be a priority of maybe even an option in prebid V1, so is it safe to say, moving away from safeframes at this point is preferred?

[BartVB]

Experimenting with SafeFrames was high on our lists but that would be rather moot if this won't stop redirects.

Just like Matt I'm really curious how these creatives pull this off. Has anyone been able to capture one of these 'ads'?

[pribeh]

I think @mkendall07 is attempting to move the conversation over to this open thread https://github.com/prebid/Prebid.js/issues/1039

[bretg]

@pribeh - the bidCpmAdjustment function you gave as an example would halve the bids rather than setting a floor.

Most bidders should be able to enforce a floor on their side -- this is probably the easiest approach. i.e. drop a line to each of your SSPs and ask them how to set a floor.

Alternately, you could set a floor in the page by updating the bidsBackHandler code -- look through the responses and avoid calling pbjs.getAdserverTargeting() if the highest bid is a penny.

[lsv1]

Hi there,

Have you confirmed that the demand source can read the SafeFrame API and identify your domain as the valid URL instead of the DFP SafeFrame https://tpc.googlesyndication.com/safeframe/1-0-10/html/container.html ? I've seen issues with using SafeFrame (from DFP) with ad servers which do not support the SafeFrame API, they either fail or read the URL as googlesyndication.com.

[lanceloti]

I'm running this creative since 2017/07/31. No more redirects until now.

[tedrand]

Hi all,

I am attempting to implement the solution suggested by @ialex. I have set up the creative for the appropriate size. I am still seeing this error on a majority of the page loads.

Uncaught DOMException: Blocked a frame with origin "http://tpc.googlesyndication.com" from accessing a cross-origin frame.

Is this unavoidable?

[mkendall07]

it shouldn't be happening. Are you serving on secure pages? The protocols must match.

[spormeon]

where do you have to change the height and width to auto to get this to work?