Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added audit beacon to detect misuse of this bidder. Detects auctions… #1134

Merged
merged 6 commits into from
May 2, 2017
Merged

added audit beacon to detect misuse of this bidder. Detects auctions… #1134

merged 6 commits into from
May 2, 2017

Conversation

jstocker76
Copy link
Contributor

… within iframes or popup windows.

Type of change

  • Bugfix
  • [x ] Feature
  • New bidder adapter
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Other

Description of change

Added an audit beacon to detect unintended use of this bidder.

  • test parameters for validating bids
{
  bidder: 'rhythmone',
  params: {
                        placementId: "34887",
						zone: "test",
						path: "mvo",
						debug: true,
						method:"get"
                    }
}
  • contact email of the adapter’s maintainer
  • official adapter submission

Other information

…uction ended flag was set, preventing additional auctions from completing. This has been removed along with some google analytics tracking code.
@hipstern
Copy link

looks good

@ehoch
Copy link
Contributor

ehoch commented Apr 27, 2017

@mkendall07 @protonate Sorry to be a pain, but is this something we can get reviewed ASAP? This is actually a really important bug fix for multiple auctions.

@protonate protonate self-requested a review April 27, 2017 22:11
@protonate protonate self-assigned this Apr 28, 2017
Copy link
Collaborator

@protonate protonate left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, some style comments. We are looking into an audit mechanism for bidders to generally obtain information about their bids in the auction, so this code may refactor at a later point.

i = new Image();

if(ao && ao.length > 0)
data.ancestor_origins = ao[ao.length-1];
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code style: please add braces to enclose function body.

data.ancestor_origins = ao[ao.length-1];

data.popped = (window.opener!==null?1:0);
data.framed = (window.top===window?0:1);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code style: parentheses can be removed.

data.response_ms = (new Date()).getTime() - loadStart;
data.placement_codes = configuredPlacements.join(",");
data.bidder_version = version;
data.prebid_timeout = (prebid_instance.cbTimeout || prebid_instance.bidderTimeout);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code style: parentheses can be removed.

data.prebid_timeout = (prebid_instance.cbTimeout || prebid_instance.bidderTimeout);

for(var k in data)
q.push(encodeURIComponent(k)+"="+encodeURIComponent((typeof data[k] === "object" ? JSON.stringify(data[k]) : data[k])));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code style: please add braces to enclose function body.

@jstocker76
Copy link
Contributor Author

updated code with style suggestions.

Copy link
Collaborator

@protonate protonate left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, one question about ancestorOrigins.

doc_type : "Prebid Audit",
placement_id: placementId
},
ao = document.location.ancestorOrigins,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is browser support for ancestorOrigins a concern here?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not a concern, it is only available in webkit browsers TMK so it will only be used if there.

@matthewlane matthewlane self-requested a review May 2, 2017 16:16
}

data.popped = window.opener!==null?1:0;
data.framed = window.top===window?0:1;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please place this window.top reference in a try/catch as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With all due respect, this is unnecessary. A security exception is only thrown when accessing the properties of top. The window object itself can be compared safely.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

odd, I get no exception when I run that code in a sample file with a cross domain iframe. Furthermore, I don't get that exception when running the same code by targeting chrome's console to that iframe. What sorcery is this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. It's the alert causing the exception. If you just run "window.top" no exception.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah that makes sense. This is good. Prebid core should probably just utility this function because tons of bidders do this check.

Copy link
Contributor Author

@jstocker76 jstocker76 May 2, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://jsfiddle.net/10j1yw82/

alert must automatically run .toString() on window.top, which would trigger the exception

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reeling in the proliferation of duplicate functionality must be a full time job. The list of bidders is getting quite long

@protonate protonate added this to the Prebid 0.23.0 milestone May 2, 2017
@matthewlane matthewlane merged commit 2652fc0 into prebid:master May 2, 2017
outoftime pushed a commit to Genius/Prebid.js that referenced this pull request May 4, 2017
…built

* 'master' of https://github.com/prebid/Prebid.js: (21 commits)
  add lodash as dependency (prebid#1174)
  fix size mapping for s2s (prebid#1175)
  Improve footer styling (prebid#1171)
  Bugfix: internal bids requested overwritten (prebid#1173)
  pre-release version bump
  Prebid 0.23.0 Release
  Yieldbot adapter - multiple requestBids per pageview (prebid#1146)
  Widespace adapter validate size fix (prebid#1140)
  Audience Network: bid when at least one valid slot size (prebid#1148)
  Quantcast adaptor (prebid#1063)
  AOL Adapter - ONE Mobile endpoint implemented. (prebid#1115)
  Prebid Server to Server (prebid#1165)
  Pubgears Header Bidding Adapter (prebid#953)
  remove old adloader#trackPixel (prebid#1159)
  added audit beacon to detect misuse of this bidder.  Detects auctions… (prebid#1134)
  Bidfluence CDN endpoint URL update (prebid#1163)
  AdSupply adapter (prebid#1162)
  Sonobi Adapter - Enable size overrides (prebid#1141)
  Added an editorconfig file to match jshint and jssrc files. (prebid#1147)
  force cpm to be a number (prebid#1161)
  ...
dluxemburg pushed a commit to Genius/Prebid.js that referenced this pull request Jul 17, 2018
…prebid#1134)

* added audit beacon to detect misuse of this bidder.  Detects auctions within iframes or popup windows.

* fix for bug prebid#1123 - Rhythmone: Multiple requestBids Not Working.  An auction ended flag was set, preventing additional auctions from completing.  This has been removed along with some google analytics tracking code.

* Altered the beacon logging domain to something with a functional SSL cert.

* updating s3 bucket name

* updating s3 bucket name _again_.

* Adding optional curly braces.  Removing optional parentheses.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants