Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stronger xdomain checks #971

Merged
merged 6 commits into from
Feb 8, 2017
Merged

Stronger xdomain checks #971

merged 6 commits into from
Feb 8, 2017

Conversation

brondsem
Copy link
Contributor

@brondsem brondsem commented Feb 7, 2017

Type of change

  • Bugfix
  • Feature
  • New bidder adapter
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Other

Description of change

Stronger message checks for x-domain safe frame communication.

Other information

This is branched off of the changes in #955 which isn't merged yet. So the first two commits shown here are the same as that.

@brondsem
Make x-domain safe frame example work out of the box
21c9d39 
* Nest in <script> tags
* Use garden-variety JS
* Dynamically parse host domain
* Use https for ad server
@brondsem
Replace doc.write in x-domain safe frame code, so IE works
49e7d15 
IE was throwing `SEC7111: HTTPS security is compromised by (null)`
Other approaches to writing the HTML out would be to use innerHTML, but see
https://stackoverflow.com/questions/1197575/can-scripts-be-inserted-with-innerhtml
One of the suggestions there lead to http://krasimirtsonev.com/blog/article/Convert-HTML-string-to-DOM-element
but that assumes the HTML is all under a single element (doesn't work with
<p>..</p><p>..</p>) and also moves DOM elements around which might cause
<script> tags to not find nearby elements properly.  So settled on
creating a new iframe, and leaving it rather than moving its contents up into
the current frame.
@brondsem
Verify event "message" type, and event origin, as recommended by http…
0665400 
…s://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns
@brondsem
Ensure an incorrect ad can never be accidentally or maliciously rendered
02b0ccd
@brondsem
IE includes :443 in .host even though it shouldn't, so use hostname i…
398c04b 
…nstead
@protonate protonate self-assigned this Feb 7, 2017
protonate
protonate approved these changes Feb 8, 2017
View reviewed changes
Copy link
Collaborator

@protonate protonate left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks.

@protonate protonate merged commit 7621658 into prebid:master Feb 8, 2017
@brondsem brondsem mentioned this pull request Feb 9, 2017
Closed
@protonate protonate mentioned this pull request Feb 14, 2017
Closed
mp-12301 pushed a commit to aol/Prebid.js that referenced this pull request Apr 10, 2017
@vzhukovsky
Merge pull request prebid#74 in AOLP_ADS_JS/prebid.js from feature/Pr…
5faf291 
…ebid-official-0.19.0 to release/1.14.0

* commit 'b13f7ba7ee8b3c168dc0af7c8bfc94747d017e70': (34 commits)
  Add changelog entry.
  Prebid 0.19.0 Release
  check truthiness of adUnitCode (prebid#990)
  fixed exception when refreshing individual Ad Units and bidder responds slowly (prebid#989)
  Stub pixel drop to prevent network request in test (prebid#988)
  Updating Komoona adapter to support future Prebid requirements (prebid#974)
  Use stable version of Chrome (prebid#984)
  Revert to running browser tests in Travis (prebid#983)
  Fix issue with appnexusAst sending `user` object in the wrong place. (prebid#980)
  Integrate Browserstack tests into Travis CI build (prebid#839)
  Add StickyAdsTV Bidder adapter (prebid#916)
  Stronger xdomain checks (prebid#971)
  added matomy as an alias for appnexus (prebid#850)
  Added 152Media Appnexus Alias (prebid#952)
  OpenX Adapter: Handles fallback ads correctly as a no fill (prebid#39) (prebid#963)
  Use package dependencies for ES6 Array shims (prebid#962)
  Make x-domain safe frame example work out of the box (prebid#955)
  added usersync for adkernel adapter (prebid#951)
  Rubicon adapter: add a floor variable (prebid#964)
  Added Lifestreet adapter. (prebid#965)
  ...
mp-12301 pushed a commit to aol/Prebid.js that referenced this pull request Apr 10, 2017
@vzhukovsky
Merge pull request prebid#75 in AOLP_ADS_JS/prebid.js from release/1.…
73af74d 
…14.0 to master

* commit 'c008f3f531ae3409f4a16bf03470d84e82aead0e': (35 commits)
  Add adapters in aolPartnersIds.json.
  Add changelog entry.
  Prebid 0.19.0 Release
  check truthiness of adUnitCode (prebid#990)
  fixed exception when refreshing individual Ad Units and bidder responds slowly (prebid#989)
  Stub pixel drop to prevent network request in test (prebid#988)
  Updating Komoona adapter to support future Prebid requirements (prebid#974)
  Use stable version of Chrome (prebid#984)
  Revert to running browser tests in Travis (prebid#983)
  Fix issue with appnexusAst sending `user` object in the wrong place. (prebid#980)
  Integrate Browserstack tests into Travis CI build (prebid#839)
  Add StickyAdsTV Bidder adapter (prebid#916)
  Stronger xdomain checks (prebid#971)
  added matomy as an alias for appnexus (prebid#850)
  Added 152Media Appnexus Alias (prebid#952)
  OpenX Adapter: Handles fallback ads correctly as a no fill (prebid#39) (prebid#963)
  Use package dependencies for ES6 Array shims (prebid#962)
  Make x-domain safe frame example work out of the box (prebid#955)
  added usersync for adkernel adapter (prebid#951)
  Rubicon adapter: add a floor variable (prebid#964)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@protonate protonate protonate approved these changes

Assignees

@protonate protonate

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brondsem @protonate