Post Bid SSP Macro Replacement: Spoofing Top Level Url #1227
Comments
There are a variety of different answers here, some of which you may find more or less desirable.

Thanks for the timely response and apologies for the delay on our end. Addressing your comments below:
Thanks again.

Providing Any sort of exceptional carve-out for specific use cases would need to be more careful with data stewardship. The Privacy Sandbox approach to this would be something like a separate network request that goes to a server running inside a TEE.

Thanks. Just to clarify context, for the network request made to the server running inside a TEE, are you speaking to a network request originating from a Fenced Frame (a request made from our script to one of our servers running in a TEE), or are you speaking to a request made from a worklet during bidding time?

Since we don't have a hook for this kind of thing right now, we'd need to start by understanding enough about the structure of your integration into the auction to figure out what sorts of solutions were viable. Something happening at bidding time is certainly more akin to the existing PA design, but I think we have wide latitude to figure out a design that can address this need.

Assessment

Today, in a Protected Audience auction, the SSP has the ability to replace macros on the `renderUrl` of the winning ad via `deprecatedReplaceInURN`.

In order to preserve post-bid brand safety for advertisers, verification vendors will rely on the top level URL to be provided via this macro replacement mechanism on the winning ad’s `renderUrl` in order to have access to this value from within Fenced Frames.

When ads are delivered via cross domain iframes, verification vendors have the ability to check `ancestorOrigins` to verify that, at the very least, the domain of the page matches the top level URL provided by this macro replacement mechanism (this applies to both traditional ORTB/Contextual auctions as well as Protected Audience auctions).

Problem Statement

The introduction of Fenced Frames and the loss of the `ancestorOrigins` signal will prevent verification vendors from verifying the top-level URL provided by the SSP via macro replacement. This could lead to inaccurate post-bid brand safety and fraud detection results for advertisers.

Key Issues

1. Accuracy of Macro Replacement:
2. Loss of Verification Signal: `ancestorOrigins` in Fenced Frames creates a significant verification gap. Alternative methods need to be identified.

Questions

1. New Verification Mechanisms:
2. Alternative Signals:
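
The `ancestorOrigins` cross-check described in the Assessment above, as an added example that is not part of the original issue or of any vendor's code. The function name, verdict labels and sample origins are assumptions constructed for illustration; the `unverifiable` verdict is the case the Problem Statement describes, where the signal is absent.

```javascript
// Added example: cross-check an SSP-claimed top-level URL against
// location.ancestorOrigins from inside a cross-domain iframe.
// Macro syntaxes accepted by deprecatedReplaceInURN: ${...} and %%...%%.
const UNREPLACED_MACRO = /(\$\{[^}]*\}|%%[^%]*%%)/;

function parseUrl(value) {
  try { return new URL(value); } catch (_) { return null; }
}

// claimedUrl: value substituted into the render URL (hypothetical parameter name).
// ancestorOrigins: array-like of origin strings, parent first, top-level page last.
function verifyClaimedTopUrl(claimedUrl, ancestorOrigins) {
  if (typeof claimedUrl !== 'string' || claimedUrl === '' ||
      UNREPLACED_MACRO.test(claimedUrl)) {
    return { verdict: 'invalid-claim', reason: 'macro missing or not replaced' };
  }
  const claimed = parseUrl(claimedUrl);
  if (!claimed || !/^https?:$/.test(claimed.protocol)) {
    return { verdict: 'invalid-claim', reason: 'not an absolute http(s) URL' };
  }
  const origins = ancestorOrigins ? Array.from(ancestorOrigins) : [];
  if (origins.length === 0) {
    // No signal to compare against: the claim cannot be confirmed or refuted.
    return { verdict: 'unverifiable', reason: 'no ancestorOrigins signal' };
  }
  const top = parseUrl(origins[origins.length - 1]);
  if (!top) {
    // An opaque origin serializes as "null" and does not parse as a URL.
    return { verdict: 'unverifiable', reason: 'opaque or malformed top origin' };
  }
  if (top.hostname !== claimed.hostname) {
    return { verdict: 'mismatch',
             reason: `page is ${top.hostname}, claim is ${claimed.hostname}` };
  }
  return { verdict: 'match',
           reason: top.origin === claimed.origin
             ? 'origin matches'
             : 'host matches, scheme or port differs' };
}

// Constructed sample inputs (not real publishers or SSPs).
function demo() {
  const claim = 'https://news.example/article/1';
  return {
    iframe: verifyClaimedTopUrl(claim, ['https://ssp-frame.example', 'https://news.example']),
    spoofed: verifyClaimedTopUrl(claim, ['https://other.example']),
    noSignal: verifyClaimedTopUrl(claim, []),
  };
}
```

In a browser the second argument would be `location.ancestorOrigins`; a `mismatch` or `unverifiable` verdict is something to record alongside the brand-safety result rather than silently treat as a pass.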