Add URL expansion constraints to AMP A4A Format

[keithwrightbos]

Short description of your issue:

AMP A4A Format needs to include constraints around URL expansion support once anchor href expansion on click is merged PR #4773. In particular, need to ensure that ad creatives do not have access to publisher page information that would not normally be available when wrapped in a cross domain iframe.

How do we reproduce the issue?

PR #4773 adds the ability for the href of an anchor within the creative to expanded on click allowing for capture of click X/Y, in addition to other expansion macros. One concern is that when the creative has been injected within a shadow root, this would allow for leaking page level information to the creative (e.g. DOCUMENT_REFERRER, PAGE_LOAD_TIME, TOTAL_ENGAGED_TIME, etc). There are a couple of ways to handle this:

1. Have the validation service check for the existence of these macros on any anchor href attributes and if present either disallow the document entirely or rewrite the href such that they are removed.
2. Attempt to generate values for some or all of these as if the creative had been wrapped in an iframe (e.g. referrer = ad request, load time = delta from page navigation start to when shadow dom was inflated, etc).

I propose item 1 for now and we can move some macros over as the need arises. Should I include this as part of the PR or wait until it is completed and then add?

What browsers are affected?

All

Which AMP version is affected?

Those after which PR #4773 is merged.

[Gregable]

Rewriting the href sounds like it could introduce subtle errors. I'd prefer invalidating completely so that the developer is aware and can make informed decisions. This could also be relaxed later if we changed our minds, but adding the validation constraint later is much harder.

These strings (e.g. TITLE) also seem likely to accidentally occur in URLs sometimes. Is it a concern, both for validation and replacement, that we might incorrectly interpret the intent of the links?

[keithwrightbos]

I've been thinking about this more and perhaps one requirement should be consistency for the network/advertiser when the creative is rendered via A4A or within cross domain iframe (could not be verified). Given that the cross domain iframe case does not use the creative modified by the validator, the only course of action is to enforce this within the AMP runtime. If the AMP runtime could determine at time of click that the target is within an iframe or Shadow DOM that was created by the amp-ad element (perhaps via the name parameter?), then it could suppress any "sensitive" macros or replace there values with ones that are localized to the ad. For instance, if within Shadow DOM PAGE_LOAD_TIME could be loaded with the ad request XHR CORS response time (assume immediate render). Point being that the runtime could decide to use alternative values.

[tdrl]

I'm not clear on the "the cross domain iframe case does not use the creative modified by the validator" point. There are two ways in which something can end up in x-domain iframe: (1) being general HTML or otherwise invalid/not validated A4A, or (2) being validated A4A but on a browser without shadow DOM support.

(2) is a simpler case. In that case, the creative will have passed through the validator and so, potentially, could have had its urls rewritten.

In case (1), then either (a) there's either no AMP runtime at all (general HTML), or (b) there is, but the doc is otherwise invalid A4A. In case (1a), there are presumably no URL params to substitute. In case (1b), there could be, I guess, and they won't have passed through the validator. But I don't know a lot about click listener behavior. Won't everything be relativized to the iframe, and no info leakage regardless?

[keithwrightbos]

Apologies I confused myself there. You are right that in the cross domain,
failed verification case the post validation version of the creative is
used so removed macros would likely be in place. I say likely given that
failure to valid means anything could be in the creative... There are no
concerns when the creative is within an iframe.

I believe there are two issues at play:

1. Does the validator strip invalid macros or mark the document as invalid?
2. Or do we all the AMP runtime to strip macros at click time?

If we later want to allow alternate, ad specific values for some of the
values (eg load time equals ad fetch time), the macros would no longer be
blacklisted and the ability to provide the alternate value added to the
runtime.

So in conclusion I am changing my mind and suggest we do handle within the
validator. I leave the decision to strip macros vs mark document as
invalid to others...

On Sep 11, 2016 8:59 PM, "Terran Lane" notifications@github.com wrote:

I'm not clear on the "the cross domain iframe case does not use the
creative modified by the validator" point. There are two ways in which
something can end up in x-domain iframe: (1) being general HTML or
otherwise invalid/not validated A4A, or (2) being validated A4A but on a
browser without shadow DOM support.

(2) is a simpler case. In that case, the creative will have passed
through the validator and so, potentially, could have had its urls
rewritten.

In case (1), then either (a) there's either no AMP runtime at all (general
HTML), or (b) there is, but the doc is otherwise invalid A4A. In case (1a),
there are presumably no URL params to substitute. In case (1b), there could
be, I guess, and they won't have passed through the validator. But I don't
know a lot about click listener behavior. Won't everything be relativized
to the iframe, and no info leakage regardless?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#4891 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABr0L5pSbahsJ83-TtWTePDXCzw8ln-nks5qpKPZgaJpZM4J5NP2
.

[jasti]

Closing since PR has been merged.