Stronger xdomain checks (#971)
* Make x-domain safe frame example work out of the box

* Nest in <script> tags
* Use garden-variety JS
* Dynamically parse host domain
* Use https for ad server

* Replace doc.write in x-domain safe frame code, so IE works

IE was throwing `SEC7111: HTTPS security is compromised by (null)`
Other approaches to writing the HTML out would be to use innerHTML, but see
https://stackoverflow.com/questions/1197575/can-scripts-be-inserted-with-innerhtml
One of the suggestions there led to http://krasimirtsonev.com/blog/article/Convert-HTML-string-to-DOM-element
but that assumes the HTML is all under a single element (doesn't work with
<p>..</p><p>..</p>) and also moves DOM elements around which might cause
<script> tags to not find nearby elements properly.  So settled on
creating a new iframe, and leaving it rather than moving its contents up into
the current frame.

* Verify event "message" type, and event origin, as recommended by https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns

* Ensure an incorrect ad can never be accidentally or maliciously rendered

* IE includes :443 in .host even though it shouldn't, so use hostname instead
brondsem authored and Nate Cozi committed Feb 8, 2017
1 parent 48fbd15 commit 7621658
Showing 2 changed files with 7 additions and 2 deletions.
8 changes: 6 additions & 2 deletions integrationExamples/gpt/x-domain/creative.html
Expand Up @@ -4,7 +4,7 @@

var urlParser = document.createElement('a');
urlParser.href = '%%PATTERN:url%%';
var publisherDomain = urlParser.protocol + '//' + urlParser.host;
var publisherDomain = urlParser.protocol + '//' + urlParser.hostname;
var adServerDomain = 'https://tpc.googlesyndication.com';

function renderAd(ev) {
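Review bot: switching `urlParser.host` to `urlParser.hostname` in `var publisherDomain = urlParser.protocol + '//' + urlParser.hostname;` drops the port entirely, so `publisherDomain` will no longer equal `ev.origin` for a publisher page served on a non-default port (a local dev server, for instance), because a MessageEvent's `origin` string includes the port whenever it is not the scheme default; IE's spurious `:443` is the only case this fixes. Suggest parsing the event origin with the same anchor-element trick and comparing `protocol`, `hostname` and `port` field by field instead of comparing the whole string.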
Expand All @@ -16,7 +16,11 @@
return;
}

if (adObject.ad || adObject.adUrl) {
var origin = ev.origin || ev.originalEvent.origin;
if (adObject.message && adObject.message === 'Prebid Response' &&
publisherDomain === origin &&
adObject.adId === '%%PATTERN:hb_adid%%' &&
(adObject.ad || adObject.adUrl)) {
var body = window.document.body;
var ad = adObject.ad;
var url = adObject.adUrl;
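Review bot: the origin check is placed after `adObject` has already been produced from the event payload (the `return;` / `}` context above shows that processing precedes this block), whereas the MDN guidance cited in the commit message is to reject by origin before touching `ev.data` at all; suggest moving `var origin = ...` and the `publisherDomain === origin` test to the top of `renderAd` with an early `return`. Separately, `ev.origin || ev.originalEvent.origin` will throw a TypeError on a native `MessageEvent` if `origin` is ever falsy, since `originalEvent` is a jQuery wrapper property that does not exist on the raw event; in this garden-variety-JS file a plain `ev.origin` is sufficient. The `adObject.adId === '%%PATTERN:hb_adid%%'` test is a good addition, as it binds the rendered response to the slot that requested it.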
1 change: 1 addition & 0 deletions src/secure-creatives.js
Expand Up @@ -43,6 +43,7 @@ function sendAdToCreative(adObject, remoteDomain, source) {
message: 'Prebid Response',
ad,
adUrl,
adId,
width,
height
}), remoteDomain);
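Review bot: `adId,` is added as a shorthand property, so `adId` must already be a local in `sendAdToCreative`, presumably destructured from `adObject` alongside `ad` and `adUrl`; that declaration is outside the hunk, so confirm it exists or this will be a ReferenceError at runtime. Since the creative compares it with `===` against a string macro, also make sure `adId` is sent as a string rather than a number, or the check in `creative.html` will silently reject every response.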
