Adding a4a support to TripleLift amp-ads

[szach]

Issue #6883

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please let us know the company's name.

[keithwrightbos]

Test coverage?

[keithwrightbos]

Add /** @type {string} */ here and below

[keithwrightbos]

Given you're only calling super, why is this necessary?

[oliy]

This was actually in our template code as a placeholder, to show where initialization code could go. I'm adding comments to the template code that this is an optional block and can be removed if there is no content.

[keithwrightbos]

replace var with let

[keithwrightbos]

you should check for the src attribute within isA4A predicate as isValidElement returning false will cause the ad request to be dropped meaning it does not fallback to 3p

[keithwrightbos]

I would suggest at least the same check as you have in your current 3p implementation (https://github.com/ampproject/amphtml/blob/master/ads/triplelift.js):
validateSrcPrefix('https://ib.3lift.com/', src);

[keithwrightbos]

Do you want to verify that the src attribute has the TRIPLELIFT_BASE_URL to start? I noticed that you're 3p implementation includes validateSrcPrefix('https://ib.3lift.com/'. Without it, this could allow a callout to ANY XHR CORS end point (e.g. src to doubleclick). This is supplied by the publisher so what if it includes javascript(sendMeYourCookies())?

[keithwrightbos]

I would add check in the config use A4A predicate as well as isValidElement. Both will ensure proper value well before getAdUrl would execute.

[keithwrightbos]

Why not just
return !!element.getAttribute('data-use-a4a');

[keithwrightbos]

I have reopened the PR. Sorry I did not see notifications because the PR was closed.
@lannka & @jridgewell to look ASAP given we are hoping to get into today's canary cut

[googlebot]

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for the commit author(s). If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.

[keithwrightbos]

Let's add check for src attribute and starting with base url you expect just to be safe.

[keithwrightbos]

I was being overly cautious... we do not need to include it

[keithwrightbos]

Can we add a negative test here (create instance of amp-ad-network-triplelift element instead of amp-ad) as well as checks regarding src.

[keithwrightbos]

Agreed

[googlebot]

CLAs look good, thanks!

[lannka]

remove only