Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exception when iframe with UC is in srcdoc iframe #147

Open
Zer0Divis0r opened this issue Nov 25, 2021 · 3 comments
Open

Exception when iframe with UC is in srcdoc iframe #147

Zer0Divis0r opened this issue Nov 25, 2021 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@Zer0Divis0r
Copy link

Problem
On web, when universal creative is loaded in an iframe with srcdoc attribute, or src=about:blank, or blob URL, an exception happens when postMessage is sent.
In my case, the specific error message would be:

DOMException: Failed to execute 'postMessage' on 'Window': Invalid target origin 'about://a65bbe00eb976c003b3913c8207a7a4f.safeframe.googlesyndication.com' in a call to 'postMessage'.

To Reproduce
The following example would create an iframe and use blob to create it's contents.

let auctionFrameCode = `
<body style="background-color:white;margin:0px;padding:0px;">\x3Cscript src=".....a code that runs auction and eventually loads UC....">\x3C/script></body>`;

let $auctionFrame = jQuery("<iframe srcdoc=''></iframe>");
// OR: let $auctionFrame = jQuery(`<iframe srcdoc='${auctionFrameCode}'></iframe>`);
// OR: let $auctionFrame = jQuery(`<iframe src='about:blank'></iframe>`);

$("body").append($auctionFrame);

const blob = new Blob([auctionFrameCode], {type: 'text/html'});
$auctionFrame.attr('src', window.URL.createObjectURL(blob));

In renderingManager in line 125 it would eventually fail, because publisherDomain would have a blob: or about: prepend/protocol.

Expected behavior
To be conceous of non-standard protocols and/or origins, and, maybe, replace targetOrigin to "*" in such cases? Not sure.

@patmmccann patmmccann added the bug Something isn't working label Apr 21, 2022
@dgirardi dgirardi self-assigned this Sep 12, 2022
@patmmccann
Copy link

@Zer0Divis0r could you expand a bit on the use case here? Why wound UC be loaded in an iframe with srcdoc attribute or src=about:blank?

@dgirardi
Copy link
Collaborator

dgirardi commented Sep 12, 2022

This should be an issue only when Prebid (not the creative) lives in an origin-less frame. I don't think just broadcasting the message to '*' is a good idea because it opens up some attacks (a malicious frame could read the message and, among other things, reply with a counterfeit ad - which can include any js code that the creative would run).

To support this use case, we could change the flow to:

  1. Prebid generates an additional nonce for each bid (let's call it adToken), which is passed to the ad server via targeting keys (in the same way adId is now).
  2. If the origin (pubUrl) is not available, creative sends request to '*', using adToken instead of adId as identifier.
  3. Prebid looks up the bid through adToken, and replies as it does now. Subsequent requests for the same adToken must be ignored.
  4. Creative discards replies whose adId does not match the one sent through targeting.

This should be backwards compatible and lock out actors that are not in possession of a valid adToken.

@Zer0Divis0r
Copy link
Author

@Zer0Divis0r could you expand a bit on the use case here? Why wound UC be loaded in an iframe with srcdoc attribute or src=about:blank?

The use case is implementation of ad stack without adserver, and the container creative frames are created manually. This is very similar to the basic implementation, but with sandboxed frames.

@patmmccann patmmccann changed the title Expection when iframe with UC is in srcdoc iframe Exception when iframe with UC is in srcdoc iframe Oct 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Status: Ready for Dev
Development

No branches or pull requests

3 participants