-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Safe frame issue fix #64
Conversation
The legacy safe frame creative at https://github.com/prebid/Prebid.js/blob/master/integrationExamples/gpt/x-domain/creative.html is also affected and could use a PR too |
Here are the results of a Selenium Test which: Runs across the latest stable versions of: Chrome, Safari, Firefox, IE , Microsoft Edge loads a test page via HTTP Gets a rubicon bid via prebid Calls DFP Returns the dfp creative which uses the universal creative via Safe frame. Then asserts that:
IT is the same test page an assertions, but using the NEW creative from this PR, or the current production creative. |
Hi @kizzard, thanks for pointing this out, we will update once this PR gets hashed out and approved. |
@jaiminpanchal27 I think something is wrong with Browserstack? Looks like some of the browsers are failing to initialize or something, going to try and re-run. |
Code LGTM, waiting on circleci for final approval |
Circle CI is just super flakey right now for some reason. Not sure what the problem is but they finally passed. I even created a test branch of master and ran them and they still fail! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code change looks good, but are there tests that need to be updated?
@robertrmartinez I have seen this happening in this repo with one of my PR's as well. Nothing related to your fix. |
does the cross domain example creative on prebid.js integration examples need fixing too? |
specifically, is this render function now broken also? https://github.com/prebid/Prebid.js/blob/master/integrationExamples/gpt/x-domain/creative.html |
@patmmccann Yep! If you look a couple comments up @kizzard brought this up already :)
Hi @kizzard, thanks for pointing this out, we will update once this PR gets hashed out and approved. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Updating for the new safe frame issue discovered, see prebid/prebid-universal-creative#64 for more details!
Here is the fix for Prebid.js's legacy x-domain creative. |
Thanks!! |
Updating for the new safe frame issue discovered, see prebid/prebid-universal-creative#64 for more details!
I'm a little confused on the fix merged to prebid.js. The adapters respond with http ads which still won't render in a secure tpc.googlesyndication.com frame; we've been looking at changing the http: to https: in the markup and that seems to get us over the edge. Have other publishers found this fixed their issues? |
From Reddit adops: warning that this doesn't fully fix the issue. It fixes the Prebid rendering issue, but some (maybe most) Prebid adapters mimic the page protocol when requesting bids, so will be requesting insecure ads which then won't necessarily render correctly in the now secure safe frame context. Fixes are to either monkey patch prebid to use all secure bidder URLs, or force your traffic onto a secure version of the site. |
Hi @patmmccann I brought this up a few days ago before the merge in reddit adops. I am not very keen on many real world setups, but I have a feeling simply having custom code to change the scripts and replace Google did this for a reason, whatever that reason is, it may be an indicator that we need to push for https ads only in prebid now maybe? As of now a large portion of the adapters detect the pages protocol and use that for their ad requests. I am guessing that simply altering adapters markups to be https may cause some issues depending on how each adapters ad system works. We probably need to have a larger discussion about making all ad requests https perhaps? I do not know the impact of this. |
@patmmccann This "fix" is a band aid and we need to come up with the right solution for prebid overall. It looks like DFP will now send over safeframes as Wether that be:
|
From what I can tell each endpoint is using if it was called securely to
determine if it can return insecure mark up, secure only is a bidder
parameter to prebid server. I'm hoping changing all the endpoints will work.
…On Tue, Jul 2, 2019, 5:38 PM Robert Ray Martinez III < ***@***.***> wrote:
Hi @patmmccann <https://github.com/patmmccann>
I brought this up a few days ago before the merge in reddit adops.
https://redditadops.slack.com/archives/C0HVALS8P/p1561680898099500?thread_ts=1561595865.094600&cid=C0HVALS8P
I am not very keen on many real world setups, but I have a feeling simply
having custom code to change the scripts and replace http with https is
not a great idea.
Google did this for a reason, whatever that reason is, it may be an
indicator that we need to push for https ads only in prebid now maybe?
As of now a large portion of the adapters detect the pages protocol and
use that for their ad requests.
I am guessing that simply altering adapters markups to be https may cause
some issues depending on how each adapters ad system works.
We probably need to have a larger discussion about making all ad requests
https perhaps?
I do not know the impact of this.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#64?email_source=notifications&email_token=AAM25Z3L2ZZ5PGMDOWTKARLP5PDGBA5CNFSM4H3736G2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZCT5BI#issuecomment-507854469>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAM25ZYFEJBAQJHVJQKFXNDP5PDGBANCNFSM4H3736GQ>
.
|
Updating for the new safe frame issue discovered, see prebid/prebid-universal-creative#64 for more details!
Updating for the new safe frame issue discovered, see prebid/prebid-universal-creative#64 for more details!
Seems like recently GAM has started always returning Safe Frames as HTTPS.
So our code which assumes our current executing iframe had the same protocol as the publishers domain needs to be updated.
We will get the protocol from the
window.location
now.Here are examples of this in different browsers when my test page is loaded via HTTP but the iframe delivered is in HTTPS:
CHROME:
Before:
After:
Notice the
Mixed-Content
warning will happen now because prebid and bidders expected HTTP, so may have responded with HTTP content.FireFox:
Before:
Notice that Firefox actually logged the error that caused ads not to render in this scenario!
After:
Safari:
Before:
After:
IE 11
Before:
After: