
Commercial - Ensure iframes provided by Google DFP are sandboxed to prevent redirection

Open mchv opened this issue 7 years ago • 8 comments

What does this change?

The associated changes enable the sandbox option for the iframe returned by Google DFP and force the usage of SafeFrame to reduce the possibility of redirection from an ad. The redirection issue is unfortunately a known problem of the adtech, and you can notably find more details on this prebid issue.

Safeframe

A SafeFrame is an iFrame that is served off a different domain meaning it doesn't benefit from the Same-Origin policy; it also provides an API around viewability and positioning, among other things. :nerd_face:.

SafeFrame offers the following benefits for a publisher such as the Guardian (screenshot, 2019-03-04):

Google recommend using the SafeFrame and sandbox feature.

To minimize the chances of malicious creatives serving, we recommend enabling SafeFrame whenever possible, in conjunction with the HTML5 sandbox attribute to prevent top-level navigation.

Using the sandbox attribute of the iframe can prevent the redirection from happening because the allow-top-navigation value is not added.

Screenshots

Here is an example of a redirection to a dodgy website that happened yesterday to a user (screenshot):

What is the value of this and can you measure success?

Additional work

As @jeteve mentioned we need to let our partners know that their creative work will need to be working in the context of SafeFrame with the sandbox attribute.

Before turning on SafeFrame, work with the advertisers or vendors who provide your creatives to determine if those creatives are SafeFrame-compatible. If you're using the sandbox attribute, work with the agency or advertiser to ensure that clicks open the landing page in a new tab rather than navigating from the current page.

Prebid implementation

[Todo write about our work on Prebid safeframe]

mchv avatar Mar 01 '19 09:03 mchv
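An added example, not code from this PR or the Guardian frontend repo, of the mechanism the description relies on: an ad iframe whose sandbox value leaves out allow-top-navigation, plus an audit that flags frames on a page that could still redirect the reader. The token list and helper names are assumptions for illustration, not Google DFP's own.

```javascript
// Added example, not from the Guardian frontend repo: an ad iframe whose sandbox
// withholds top-level navigation, plus an audit of frames that still allow it.
// Token names are real HTML sandbox flags; the helper names are hypothetical.

// Capabilities a cross-origin creative needs, without any form of top navigation.
// allow-popups-to-escape-sandbox lets a click open the landing page in a normal
// new tab, which is what the Google guidance asks for. allow-same-origin is only
// safe because the creative is served from another origin (the SafeFrame case);
// a same-origin document could otherwise reach its parent and drop the sandbox.
const AD_SANDBOX = ['allow-scripts', 'allow-same-origin', 'allow-forms',
  'allow-popups', 'allow-popups-to-escape-sandbox'];

// Either token would let the creative navigate the host page (the redirection).
const NAVIGATION_TOKENS = ['allow-top-navigation', 'allow-top-navigation-by-user-activation'];

// Parse a sandbox attribute value into a token set; null means no attribute at all.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().split(/\s+/).filter(Boolean));
}

// 'unsandboxed' (attribute absent, everything permitted),
// 'allows-top-navigation' (sandboxed but can still redirect) or 'ok'.
function classifySandbox(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) return 'unsandboxed';
  if (NAVIGATION_TOKENS.some((t) => tokens.has(t))) return 'allows-top-navigation';
  return 'ok';
}

function adSandboxValue() {
  return AD_SANDBOX.join(' ');
}

// Browser only: set sandbox before src, since the flags apply to documents
// loaded after the attribute is present, not to one that is already loaded.
function createAdIframe(doc, src) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', adSandboxValue());
  frame.src = src;
  return frame;
}

// Browser only: list the iframes on a page that could still redirect the reader.
function auditIframes(doc) {
  return Array.from(doc.querySelectorAll('iframe'))
    .map((f) => ({ src: f.getAttribute('src'), verdict: classifySandbox(f.getAttribute('sandbox')) }))
    .filter((r) => r.verdict !== 'ok');
}
```

Note that, as jeteve points out below, the attribute only reaches the creative when the ad is actually rendered inside the SafeFrame; a non-SafeFrame line item is written straight into the page and never sees it.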

PRbuilds results:

Screenshots: wide.png, desktop.png, tablet.png, mobile.png

💚 Exceptions thrown-exceptions.js

💚 A11y validation a11y-report.txt

💚 Microdata Validation microdata.txt

Apache Benchmark Load Testing loadtesting.txt

LightHouse Reporting 1551434670.report.html

--automated message

PRBuilds avatar Mar 01 '19 10:03 PRBuilds

According to https://github.com/prebid/Prebid.js/issues/1099 this sandbox setting only works when we use Safeframe. Unfortunately we don't use Safeframes for the Prebid line items (we tried in the past but we ran into difficulties with some partners). We should probably re-evaluate our partners in this light.

Nevertheless, the sandbox attribute is a good idea as explained by Google itself: https://support.google.com/admanager/answer/6023110?hl=en but it also says:

"Before turning on SafeFrame, work with the advertisers or vendors who provide your creatives to determine if those creatives are SafeFrame-compatible. If you're using the sandbox attribute, work with the agency or advertiser to ensure that clicks open the landing page in a new tab rather than navigating from the current page."

I don't think we can roll it out blindly without working with our partners to make sure it will not impair the advertisement.

jeteve avatar Mar 01 '19 10:03 jeteve

Iframe with sandbox option are referred as safe-frame.

This isn't true; you can have SafeFrames without a sandbox attribute, however, Google recommend using the sandbox feature.

To minimize the chances of malicious creatives serving, we recommend enabling SafeFrame whenever possible, in conjunction with the HTML5 sandbox attribute to prevent top-level navigation.

Safeframe

A SafeFrame is an iFrame that is served off a different domain meaning it doesn't benefit from the Same-Origin policy; it also provides an API around viewability and positioning, among other things. :nerd_face:

janua avatar Mar 01 '19 10:03 janua

@janua @jeteve I have included part of your comments to update the PR

mchv avatar Mar 01 '19 11:03 mchv

Hi there @mchv! Should this PR remain open? It's been around for a while and should probably either ship or be closed. If it needs to remain open, could you please change the base branch to main? See mention above for context.

🧹💨

mxdvl avatar Aug 28 '20 08:08 mxdvl

I don't think this is ready for being merged yet, but I know we have been working to have more partners using SafeFrame

mchv avatar Nov 16 '20 14:11 mchv

"This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days"

github-actions[bot] avatar Aug 02 '22 06:08 github-actions[bot]

I will have a look to rebase it from main, but I think it will be great to look back at how many partners we still have to migrate to use safe frame and how much effort there is to merge something like this.

mchv avatar Aug 02 '22 08:08 mchv

"This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days"

github-actions[bot] avatar Sep 05 '22 06:09 github-actions[bot]

This PR was closed because it has been stalled for 3 days with no activity.

github-actions[bot] avatar Sep 12 '22 06:09 github-actions[bot]