Same Origin and Redirects
Here we try to bypass the same-origin requirement on the URLs in the IG attributes (and in the auction config) using HTTP redirects. The use case is static files such as the bidding and scoring scripts, which we would like to re-route to a CDN.
The goal is to see if we can take www.dsp.com/cdn/x and redirect to cdn.dsp.com/x
Conclusion: it does not work. Redirecting the script to a different origin fails even when the target is the same site (a different subdomain of the same registrable domain): the browser treats the redirect itself as an error and the worklet never runs.
Set Up
You can see the client-side JS by inspecting the page, but here are the relevant snippets, client and server side.
Instructions to set up Chrome to bypass attestation here
Client Side
We join an IG with all of its URLs on the www subdomain of the current site, so every URL is same-origin with the owner.
const myGroup = {
  'owner': 'https://www.privacy-sandbox-testing-one.com/',
  'name': 'test-redirect',
  // Same-origin with the owner, but the server answers this path with a redirect (see Server Side below).
  'biddingLogicUrl': 'https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/biddingfunction.js',
  'ads': [{renderUrl: 'https://www.privacy-sandbox-testing-one.com/creative?id=23'}],
  'trustedBiddingSignalsURL': 'https://www.privacy-sandbox-testing-one.com/buyer-kv-call',
  'trustedBiddingSignalsKeys': ['a', 'b', 'c'],
  // lifetimeMs is in milliseconds, so this group expires 3.6 seconds after the join.
  'lifetimeMs': 3600
};
const joinPromise = navigator.joinAdInterestGroup(myGroup);
Note the cleverly named biddingLogicUrl, which indeed does not exist: nothing is served at that path, the server answers it with a redirect to the auctions subdomain. This simulates the goal of taking www.dsp.com/cdn/x and redirecting to cdn.dsp.com/x.
Here, the IG joins successfully. At join time the URL only has to be same-origin with the owner, which it is; the browser does not fetch it, so the redirect is not discovered until the auction.
Server Side
Here is the Fastify routing. Both paths answer with a redirect to the auctions subdomain, which is the same site but a different origin:
const fastify = require("fastify")();

// reply.redirect() defaults to a 302; the target is same site, different origin.
fastify.get("/same-origin-issues/with-redirect/idontexist/biddingfunction.js", function(request, reply) {
  reply.redirect("https://auctions.privacy-sandbox-testing-one.com/biddingfunction.js");
});
fastify.get("/same-origin-issues/with-redirect/idontexist/scoreads.js", function(request, reply) {
  reply.redirect("https://auctions.privacy-sandbox-testing-one.com/scoreads.js");
});
fastify.listen({ port: 3000 });
Verify redirect of biddingLogicUrl https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/biddingfunction.js
Verify redirect of scoreads https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/scoreads.js
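Since the script has to come back from the owner's or seller's origin without a redirect, the practical alternative when the bytes live on a CDN is for the www origin to fetch them and serve them itself. Below is an added example of such a Fastify handler; it is not code from this page or its test server. It assumes a wildcard route such as fastify.get("/cdn/*", sameOriginProxy(UPSTREAM)), where Fastify exposes the wildcard part as request.params["*"], and Node 18+ for the global fetch().

```javascript
// Added example (not from the page): serve CDN-hosted worklet scripts from
// the www origin by proxying them, instead of redirecting the browser.
// Assumed wiring: fastify.get("/cdn/*", sameOriginProxy(UPSTREAM)).

const UPSTREAM = "https://auctions.privacy-sandbox-testing-one.com/";

// Resolve the wildcard path against the upstream base and refuse anything
// that lands on another origin. Without this check "//evil.example/x" or
// "https://evil.example/x" resolve to a different host and the route becomes
// an open proxy serving attacker-chosen JavaScript from the www origin.
function resolveUpstream(upstreamBase, wildcardPath) {
  const base = new URL(upstreamBase);
  const target = new URL(wildcardPath, base);
  return target.origin === base.origin ? target : null;
}

function sameOriginProxy(upstreamBase, fetchImpl = globalThis.fetch) {
  return async function handler(request, reply) {
    const target = resolveUpstream(upstreamBase, request.params["*"]);
    if (target === null) {
      reply.code(404);
      return "not found";
    }
    // redirect: "error" makes fetch reject if the CDN itself redirects. A
    // redirecting upstream is a misconfiguration here, so surface it as a
    // 502 instead of silently following it.
    let upstream;
    try {
      upstream = await fetchImpl(target.href, { redirect: "error" });
    } catch (err) {
      reply.code(502);
      return "upstream error";
    }
    const body = await upstream.text();
    reply.code(upstream.status);
    reply.header("content-type", upstream.headers.get("content-type") ?? "text/javascript");
    // Chrome only runs bidding/scoring scripts whose response carries this header.
    reply.header("ad-auction-allowed", "true");
    return body;
  };
}
```

Two things to keep when adapting this: the origin check in resolveUpstream, since a wildcard proxy without it would let anyone serve their own script from your origin, and the Ad-Auction-Allowed: true response header, which the browser requires on worklet scripts regardless of how they are served.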
Auction
Now we run the auction with the IG that was just joined. The decisionLogicURL uses the same trick: same-origin with the seller, but answered with a redirect by the server.
const myAuctionConfig = {
  'seller': 'https://www.privacy-sandbox-testing-one.com/',
  // Same-origin with the seller, but the server redirects this path to the auctions subdomain (see Server Side).
  'decisionLogicURL': 'https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/scoreads.js',
  'interestGroupBuyers': ['https://www.privacy-sandbox-testing-one.com/'],
  'auctionSignals': {'a': 'lkj'},
  'trustedScoringSignalsURL': 'https://www.privacy-sandbox-testing-one.com/seller-kv-call'
};
const result = await navigator.runAdAuction(myAuctionConfig);
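Because the join succeeds and the auction only returns null, a redirecting script URL shows up as nothing more than a console error. The following is an added example, not code from this page, of a pre-flight check a buyer or seller can run on an interest group or auction config before calling the API. It verifies that the logic URL is same-origin with the owner/seller and that none of the worklet or signals URLs redirect. The fetch responses are constructed to mirror this page's server (the idontexist path answers 302, the KV path 200) so it runs offline; in a browser, fetch with redirect: "manual" returns an opaqueredirect response with status 0, while Node 18+ returns the 3xx itself, and both shapes are handled.

```javascript
// Added example (not from the page): pre-flight checks for a Protected
// Audience interestGroup or auctionConfig. Assumption: fetchImpl behaves
// like fetch() with redirect: "manual" support.

const LOGIC_FIELDS = ["biddingLogicUrl", "biddingLogicURL", "decisionLogicUrl", "decisionLogicURL"];
// Trusted-signals URLs only get the redirect check here: their cross-origin
// rules have changed across Chrome versions, so consult the current explainer.
const SIGNAL_FIELDS = ["trustedBiddingSignalsUrl", "trustedBiddingSignalsURL",
                       "trustedScoringSignalsUrl", "trustedScoringSignalsURL"];

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Browser with redirect:"manual" -> type "opaqueredirect", status 0.
// Node fetch with redirect:"manual" -> the real 3xx response.
function isRedirectResponse(res) {
  return res.type === "opaqueredirect" || (res.status >= 300 && res.status < 400);
}

async function preflight(config, fetchImpl = globalThis.fetch) {
  const principal = config.owner ?? config.seller;
  const problems = [];
  if (!principal || new URL(principal).protocol !== "https:") {
    problems.push("owner/seller must be an https origin");
    return problems;
  }
  for (const [field, value] of Object.entries(config)) {
    const isLogic = LOGIC_FIELDS.includes(field);
    if (!isLogic && !SIGNAL_FIELDS.includes(field)) continue;
    if (isLogic && !sameOrigin(principal, value)) {
      problems.push(`${field}: ${new URL(value).origin} is not same-origin with ${new URL(principal).origin}`);
      continue;
    }
    const res = await fetchImpl(value, { redirect: "manual" });
    if (isRedirectResponse(res)) {
      problems.push(`${field}: server redirects (${res.status || "opaque"}); the worklet loader rejects this`);
    } else if (!res.ok) {
      problems.push(`${field}: HTTP ${res.status}`);
    }
  }
  return problems;
}

// Constructed stand-in for the page's Fastify server so this runs offline:
// the "idontexist" path answers 302 to the auctions subdomain, the KV
// endpoint answers 200, anything else 404.
const CONSTRUCTED_ROUTES = {
  "https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/biddingfunction.js": 302,
  "https://www.privacy-sandbox-testing-one.com/buyer-kv-call": 200,
};
async function constructedFetch(url) {
  const status = CONSTRUCTED_ROUTES[url] ?? 404;
  return { status, ok: status >= 200 && status < 300, type: "basic", headers: new Map() };
}
```

Running preflight(myGroup, constructedFetch) on the interest group above reports only the biddingLogicUrl redirect; swapping the logic URL for the auctions subdomain directly is reported as not same-origin without any fetch being made, which is the check the browser performs at join time.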
Results
If you open the console in DevTools you will see:
- The result of the IG join is a resolved promise.
- At least one error saying "worklet encountered an unexpected redirect" (sometimes only for the scoreads function, sometimes for both).
- The return value is null, and no console logging from the bidding, scoring, or reporting functions shows up.
The null return value is not dispositive on its own (an auction with no winner also returns null), but the bidding function's console logging not appearing indicates it never ran. When reproducing, also keep in mind that lifetimeMs is in milliseconds, so the group joined above expires 3.6 seconds after the join.
You can verify the "success case" here.
The error is something like this: