Open Zer0Divis0r opened 2 years ago
@Zer0Divis0r could you expand a bit on the use case here? Why wound UC be loaded in an iframe with srcdoc attribute or src=about:blank?
This should be an issue only when Prebid (not the creative) lives in an origin-less frame. I don't think just broadcasting the message to '*'
is a good idea because it opens up some attacks (a malicious frame could read the message and, among other things, reply with a counterfeit ad - which can include any js code that the creative would run).
To support this use case, we could change the flow to:
adToken
), which is passed to the ad server via targeting keys (in the same way adId
is now).pubUrl
) is not available, creative sends request to '*'
, using adToken
instead of adId
as identifier. adToken
, and replies as it does now. Subsequent requests for the same adToken
must be ignored.adId
does not match the one sent through targeting.This should be backwards compatible and lock out actors that are not in possession of a valid adToken
.
@Zer0Divis0r could you expand a bit on the use case here? Why wound UC be loaded in an iframe with srcdoc attribute or src=about:blank?
The use case is implementation of ad stack without adserver, and the container creative frames are created manually. This is very similar to the basic implementation, but with sandboxed frames.
Problem On web, when universal creative is loaded in an iframe with
srcdoc
attribute, orsrc=about:blank
, orblob
URL, an exception happens when postMessage is sent. In my case, the specific error message would be:To Reproduce The following example would create an iframe and use blob to create it's contents.
In renderingManager in line 125 it would eventually fail, because
publisherDomain
would have ablob:
orabout:
prepend/protocol.Expected behavior To be conceous of non-standard protocols and/or origins, and, maybe, replace targetOrigin to "*" in such cases? Not sure.