Seller trusted server and domain #1056
Comments
The request to the seller's trusted server begins with the
That would have to be placed in the path since Chrome builds the final URL from the "base" and the query it assembles from the parameter values, https://wicg.github.io/turtledove/#build-trusted-scoring-signals-url. Or Chrome merges params it builds with any present on the base URL. FWIW, for fun I appended ?foo=bar to my "base url" value. Chrome didn't include the value, but it did cause the request to be CORS preflighted.
I'm surprised we don't throw if there's a query string in the trusted scoring signals URL. But yes, we do overwrite the entire query param for trusted signals URLs.
The reason for not merging URLs is that the auctionConfig comes from a third party, and we don't want the publisher to run an auction, and insert, say, ?publisher=foo, possibly with different capitalization, so the server would get two publisher fields, and may incorrectly use the wrong one. (edit: should be hostname=, rather than publisher=)
I understand the safety/correctness concern. Just adding for OP that including any information one knows is currently constrained to the path.
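The query handling discussed in the comments above, as an added example that is not part of the original thread and is not Chrome's code: a simplified model contrasting the overwrite behaviour with a hypothetical merge, plus a server-side check for parameter names that collide case-insensitively. The function names, the `renderUrls` parameter with its comma encoding, and the sample URLs are assumptions of this sketch.

```javascript
// Added illustration: a simplified model, not Chrome's implementation.
// Browser-built parameters; `renderUrls` and its comma encoding are
// assumptions of this sketch, `hostname` is the field named in the thread.
function browserParams(hostname, renderUrls) {
  const p = new URLSearchParams();
  p.set("hostname", hostname);
  p.set("renderUrls", renderUrls.join(","));
  return p;
}

// Behaviour described in the thread: any query on the base URL is discarded
// and replaced by the browser-built one. The path is left untouched.
function buildOverwrite(base, hostname, renderUrls) {
  const url = new URL(base);
  url.search = browserParams(hostname, renderUrls).toString();
  return url.toString();
}

// Hypothetical merging variant the thread argues against: the base query
// survives and the browser-built parameters are appended after it.
function buildMerged(base, hostname, renderUrls) {
  const url = new URL(base);
  for (const [k, v] of browserParams(hostname, renderUrls)) {
    url.searchParams.append(k, v);
  }
  return url.toString();
}

// Server-side check: parameter names that occur more than once when compared
// case-insensitively, i.e. fields a lenient parser could resolve either way.
function ambiguousParams(requestUrl) {
  const counts = new Map();
  for (const [k] of new URL(requestUrl).searchParams) {
    const key = k.toLowerCase();
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([k]) => k);
}

// Constructed sample: a base URL that already carries a caller-supplied query.
const base = "https://seller-kv.example/scoring?Hostname=other.example";
const ads = ["https://ads.example/a1"];
const overwritten = buildOverwrite(base, "publisher.example", ads);
const merged = buildMerged(base, "publisher.example", ads);
console.log(overwritten, ambiguousParams(overwritten));
console.log(merged, ambiguousParams(merged));
```

A trusted server that rejects any request for which `ambiguousParams` returns a non-empty list does not depend on which duplicate its query parser happens to pick.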
Thanks @michaelkleber, we were a bit confused since it's not mentioned here https://github.com/WICG/turtledove/blob/main/FLEDGE_Key_Value_Server_API.md
Oh good point! @peiwenhu is this just an accidental oversight, or is there any history here? It's step 2 of To build trusted scoring signals url in the spec.
Ohh. It was an accidental oversight. When the API doc was being written, the spec didn't exist so there might have been some misunderstanding. I'll correct it ASAP.
Hi, using the seller trusted server, we would like to verify the validity of the rendered items, for example to validate if the title meets certain publisher requirements. We see that the domain is not part of the url, unlike in the buyer trusted server, but we have to receive it since different constraints are applied for different publishers.
Can this be added?