Prebid.js: Prebid 1.0 - ETA?

Created on 20 Jun 2017 · 12 Comments · Source: prebid/Prebid.js

@mkendall07 - What is the expected delivery date for Prebid 1.0? Will the proposed "Security" be included in the initial release?

question


All 12 comments

We are targeting Q3 this year. The security requirements have changed somewhat since the initial requirements were written. The biggest thing is that we are not implementing a safeFrame environment as this is expensive (in terms of performance). Instead, we are going to enforce security via JSON only payloads (no external JS can be executed) - so enforced via code review.

@mkendall07 thanks for the update. We were excited about the SafeFrame addition - we are experiencing an increase in creatives from major SSPs redirecting users. Other than latency added by a SafeFrame environment, what were the other concerns?

@cwbeck you can enable safeFrame today if you want to help prevent these issues. Adding adapters into a "safeFrame" or "x-domain" iframe has nothing to do with the creative payload issues you may be experiencing.

@mkendall07 - very interesting. We don't use DFP or any other ad server to deliver the tags on the page. At the moment we dynamically create an iframe and dynamically write the contents of bidresponse.ad into that iframe. This creative code can access window.top and call window.top.location.href and send the user away. We trust the adapters we are plugged in with for the most part, all the malicious code is coming from third party creatives / tracking / syncs. Our prebid build also only includes the partners we work with. Is there a better way to better protect users from malicious code? How can we enable safeFrame? We are currently playing a game of whack a mole and losing!

@cwbeck I see. I think you are in the minority in terms of implementation then. Typically the adserver integration adds the safeFrame layer. It's possible to implement it yourselves though if you want - see https://sourceforge.net/p/safeframes/wiki/Home/

@mkendall07 thanks, we ended up here earlier today, but hoping there was more of a "prebid" supported solution already. When we enable safe frames in DFP during testing this significantly impacts demand for impressions and thus revenues when using Prebid. Is this usual or is there more to this setup?

Hello - so are you saying that an external adapter cannot include anything that can result in JS being run?

@matthewlane just following up on the question - is the plan that prebid 1.0 will not support any JS <script> tags within the creative, and that prebid is expecting only static html?

scripts in the creative will be allowed.

Ah - thanks - so basically, same restrictions as a regular safe frame environment, right (assuming that everyone's mostly serving us in a safe frame)?

correct.

Thanks for the response @mkendall07. My last question (for the time being 😉) being, does the security feature you're referring to here, refer to the bid-response being a JSON only payload as opposed to html or something else? Also, is jsonp considered valid? Basically, I still don't quite understand what this issue was referring to - so thought I'd ask what the "JSON only payload" part meant.
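
The setup described earlier in the thread (an iframe created dynamically, with bidresponse.ad written into it) leaves the creative same-origin with the page, which is why it can reach window.top. As an added example, not part of the thread and not Prebid.js code, here is one way to render the same markup in an HTML sandboxed iframe that withholds top navigation. `sandboxValue`, `renderBidInSandbox` and the token lists are hypothetical names, and the bid is assumed to carry `ad`, `width` and `height`.

```javascript
// Added example. sandboxValue and renderBidInSandbox are hypothetical helpers,
// not Prebid.js APIs. The sandbox tokens are standard HTML iframe sandbox tokens.
const BASE_TOKENS = [
  'allow-scripts',                  // creative and tracking scripts still run
  'allow-popups',                   // a click can open the landing page in a new tab
  'allow-popups-to-escape-sandbox', // the landing page is not sandboxed itself
];

// Granting either of these gives back what the sandbox is meant to withhold:
// allow-top-navigation lets the frame set top.location, and allow-same-origin
// together with allow-scripts lets the frame reach the parent page and remove
// its own sandbox attribute.
const FORBIDDEN_TOKENS = ['allow-top-navigation', 'allow-same-origin'];

function sandboxValue(extraTokens = []) {
  const tokens = [...new Set([...BASE_TOKENS, ...extraTokens])];
  const refused = tokens.filter((t) => FORBIDDEN_TOKENS.includes(t));
  if (refused.length > 0) {
    throw new Error('refusing sandbox tokens: ' + refused.join(', '));
  }
  return tokens.join(' ');
}

// doc is the page's document, slot the element that holds the ad, and bid a
// bid response whose ad field is the creative markup.
function renderBidInSandbox(doc, slot, bid, extraTokens = []) {
  if (!bid || typeof bid.ad !== 'string' || bid.ad.length === 0) {
    throw new Error('bid has no ad markup to render');
  }
  const frame = doc.createElement('iframe');
  // Set the sandbox before any content is attached: the flags are fixed when
  // the frame's document is created, so adding them afterwards has no effect
  // on a creative that is already running.
  frame.setAttribute('sandbox', sandboxValue(extraTokens));
  frame.setAttribute('scrolling', 'no');
  frame.setAttribute('frameborder', '0');
  for (const dim of ['width', 'height']) {
    if (Number.isFinite(bid[dim])) frame.setAttribute(dim, String(bid[dim]));
  }
  // srcdoc loads the markup as the frame's own document, which, without
  // allow-same-origin, gets an opaque origin instead of the page's origin.
  frame.setAttribute('srcdoc', bid.ad);
  slot.appendChild(frame);
  return frame;
}
```

Because the frame has an opaque origin, creative scripts that read cookies or localStorage from inside it will fail, so test each partner's creatives before rollout.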
