Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Whitelist embed types that are allowed to use amp-embed. #1723

Merged
merged 1 commit into from
Feb 2, 2016
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions 3p/integration.js
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,14 @@ import {register, run} from '../src/3p';
import {parseUrl} from '../src/url';
import {assert} from '../src/asserts';

/**
* Whether the embed type may be used with amp-embed tag.
* @const {!Object<string: boolean>}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can it just be @const {{string: boolean}}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, that is the type for an object that has a field called "string" :)

*/
const AMP_EMBED_ALLOWED = {
/* embed type: true */
};

register('a9', a9);
register('adreactor', adreactor);
register('adsense', adsense);
Expand All @@ -62,6 +70,9 @@ export function draw3p(win, data, configCallback) {
const type = data.type;
assert(win.context.location.originValidated != null,
'Origin should have been validated');

assert(isTagNameAllowed(data.type, win.context.tagName),
'Embed type %s not allowed with tag %s', data.type, win.context.tagName);
if (configCallback) {
configCallback(data, data => {
assert(data, 'Expected configuration to be passed as first argument');
Expand Down Expand Up @@ -257,3 +268,18 @@ export function parseFragment(fragment) {
}
return json ? JSON.parse(json) : {};
}

/**
* Not all types of embeds are allowed to be used with all tag names on the
* AMP side. This function checks whether the current usage is permissible.
* @param {string} type
* @param {string|undefined} tagName The tagName that was used to embed this
* 3p-frame.
* @return {boolean}
*/
export function isTagNameAllowed(type, tagName) {
if (tagName == 'AMP-EMBED') {
return !!AMP_EMBED_ALLOWED[type];
}
return true;
}
4 changes: 2 additions & 2 deletions builtins/amp-embed.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,8 @@ The `amp-embed` element is used to allow embedding elements in to the AMP page.

#### Implementation

The `<amp-embed>` is actually an alias to the [`<amp-ad>`](amp-ad.md) tag, deriving all of it's functionality with a different tag name.
Can be used instead of `<amp-ad>` when that would be semanitcally more accurate.
The `<amp-embed>` is actually an alias to the [`<amp-ad>`](amp-ad.md) tag, deriving all of it's functionality with a different tag name.
Can be used instead of `<amp-ad>` when that would be semantically more accurate.

```html
<amp-embed width=400 height=300
Expand Down
8 changes: 0 additions & 8 deletions examples/ads.amp.html
Original file line number Diff line number Diff line change
Expand Up @@ -121,13 +121,5 @@ <h2>Challenging ad.</h2>
data-slot="/35096353/amptesting/badvideoad">
</amp-ad>

<h2>A9 as amp-embed</h2>
<amp-embed width=300 height=250
type="a9"
data-aax_size="300x250"
data-aax_pubname="test123"
data-aax_src="302">
</amp-embed>

</body>
</html>
1 change: 1 addition & 0 deletions src/3p-frame.js
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ function getFrameAttributes(parentWindow, element, opt_type) {
location: {
href: locationHref
},
tagName: element.tagName,
mode: getMode()
};
const adSrc = element.getAttribute('src');
Expand Down
6 changes: 3 additions & 3 deletions test/functional/test-3p-frame.js
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ describe('3p-frame', () => {
link.setAttribute('href', 'https://foo.bar/baz');
document.head.appendChild(link);

const div = document.createElement('div');
const div = document.createElement('my-element');
div.setAttribute('data-test-attr', 'value');
div.setAttribute('data-ping', 'pong');
div.setAttribute('width', '50');
Expand Down Expand Up @@ -99,8 +99,8 @@ describe('3p-frame', () => {
',"_context":{"referrer":"' + referrer + '",' +
'"canonicalUrl":"https://foo.bar/baz",' +
'"pageViewId":"' + docInfo.pageViewId + '","clientId":"cidValue",' +
'"location":{"href":"' + locationHref + '"},"mode":{"localDev":true,' +
'"development":false,"minified":false}}}';
'"location":{"href":"' + locationHref + '"},"tagName":"MY-ELEMENT",' +
'"mode":{"localDev":true,"development":false,"minified":false}}}';
expect(src).to.equal(
'http://ads.localhost:9876/dist.3p/current/frame.max.html' +
fragment);
Expand Down
18 changes: 18 additions & 0 deletions test/functional/test-integration.js
Original file line number Diff line number Diff line change
Expand Up @@ -187,4 +187,22 @@ describe('3p integration.js', () => {
draw3p(win, data);
}).to.throw(/Origin should have been validated/);
});

it('should throw if origin was never validated', () => {
const data = {
type: 'testAction',
};
const win = {
context: {
location: {
originValidated: true
},
data: data,
tagName: 'AMP-EMBED',
}
};
expect(() => {
draw3p(win, data);
}).to.throw(/Embed type testAction not allowed with tag AMP-EMBED/);
});
});