-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
added audit beacon to detect misuse of this bidder. Detects auctions… #1134
Conversation
…within iframes or popup windows.
…uction ended flag was set, preventing additional auctions from completing. This has been removed along with some google analytics tracking code.
looks good |
@mkendall07 @protonate Sorry to be a pain, but is this something we can get reviewed ASAP? This is actually a really important bug fix for multiple auctions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good, some style comments. We are looking into an audit mechanism for bidders to generally obtain information about their bids in the auction, so this code may refactor at a later point.
src/adapters/rhythmone.js
Outdated
i = new Image(); | ||
|
||
if(ao && ao.length > 0) | ||
data.ancestor_origins = ao[ao.length-1]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code style: please add braces to enclose function body.
src/adapters/rhythmone.js
Outdated
data.ancestor_origins = ao[ao.length-1]; | ||
|
||
data.popped = (window.opener!==null?1:0); | ||
data.framed = (window.top===window?0:1); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code style: parentheses can be removed.
src/adapters/rhythmone.js
Outdated
data.response_ms = (new Date()).getTime() - loadStart; | ||
data.placement_codes = configuredPlacements.join(","); | ||
data.bidder_version = version; | ||
data.prebid_timeout = (prebid_instance.cbTimeout || prebid_instance.bidderTimeout); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code style: parentheses can be removed.
src/adapters/rhythmone.js
Outdated
data.prebid_timeout = (prebid_instance.cbTimeout || prebid_instance.bidderTimeout); | ||
|
||
for(var k in data) | ||
q.push(encodeURIComponent(k)+"="+encodeURIComponent((typeof data[k] === "object" ? JSON.stringify(data[k]) : data[k]))); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code style: please add braces to enclose function body.
updated code with style suggestions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, one question about ancestorOrigins
.
doc_type : "Prebid Audit", | ||
placement_id: placementId | ||
}, | ||
ao = document.location.ancestorOrigins, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is browser support for ancestorOrigins
a concern here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not a concern, it is only available in webkit browsers TMK so it will only be used if there.
} | ||
|
||
data.popped = window.opener!==null?1:0; | ||
data.framed = window.top===window?0:1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please place this window.top
reference in a try/catch as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With all due respect, this is unnecessary. A security exception is only thrown when accessing the properties of top. The window object itself can be compared safely.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jstocker76 run this: https://jsfiddle.net/04o2funn/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
odd, I get no exception when I run that code in a sample file with a cross domain iframe. Furthermore, I don't get that exception when running the same code by targeting chrome's console to that iframe. What sorcery is this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. It's the alert causing the exception. If you just run "window.top" no exception.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah that makes sense. This is good. Prebid core should probably just utility this function because tons of bidders do this check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://jsfiddle.net/10j1yw82/
alert must automatically run .toString() on window.top, which would trigger the exception
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reeling in the proliferation of duplicate functionality must be a full time job. The list of bidders is getting quite long
…built * 'master' of https://github.com/prebid/Prebid.js: (21 commits) add lodash as dependency (prebid#1174) fix size mapping for s2s (prebid#1175) Improve footer styling (prebid#1171) Bugfix: internal bids requested overwritten (prebid#1173) pre-release version bump Prebid 0.23.0 Release Yieldbot adapter - multiple requestBids per pageview (prebid#1146) Widespace adapter validate size fix (prebid#1140) Audience Network: bid when at least one valid slot size (prebid#1148) Quantcast adaptor (prebid#1063) AOL Adapter - ONE Mobile endpoint implemented. (prebid#1115) Prebid Server to Server (prebid#1165) Pubgears Header Bidding Adapter (prebid#953) remove old adloader#trackPixel (prebid#1159) added audit beacon to detect misuse of this bidder. Detects auctions… (prebid#1134) Bidfluence CDN endpoint URL update (prebid#1163) AdSupply adapter (prebid#1162) Sonobi Adapter - Enable size overrides (prebid#1141) Added an editorconfig file to match jshint and jssrc files. (prebid#1147) force cpm to be a number (prebid#1161) ...
…prebid#1134) * added audit beacon to detect misuse of this bidder. Detects auctions within iframes or popup windows. * fix for bug prebid#1123 - Rhythmone: Multiple requestBids Not Working. An auction ended flag was set, preventing additional auctions from completing. This has been removed along with some google analytics tracking code. * Altered the beacon logging domain to something with a functional SSL cert. * updating s3 bucket name * updating s3 bucket name _again_. * Adding optional curly braces. Removing optional parentheses.
… within iframes or popup windows.
Type of change
Description of change
Added an audit beacon to detect unintended use of this bidder.
Other information