I'm wondering if the technical explainer is missing some things or if I am.
Bidding Signals URL - More Strict
In the sections involving biddingSignalsUrl the spec (see 2.12 here) calls out detailed validations that include:
1. Valid URL
2. HTTPS
3. Same origin
4. Credentialless
5. No Query Params
6. No fragment
If any of those fail a TypeError is thrown.
Based on how the full request to the Trusted Bidding Signals server happens, where QS params are thrown out, this validation makes sense as the query params and fragment would be silently thrown out, which would be hard to debug, etc.
(You can see that algorithm by searching for "build trusted bidding signals url " in the spec).
Trusted Scoring Signals
In the sections involving trustedScoringSignalsUrl for validations I see:
1. Valid URL
2. HTTPS
3. Same origin
(Search "Let trustedScoringSignalsURL be the result of running the URL parser on" in the spec).
If any of those fail a TypeError is thrown.
So at first glance it seems that 4, 5, and 6 from the bidding URL validations are skipped here. However, looking at the stated algorithm for building the trusted scoring signals, query params and fragment would be overwritten, and so I think the credentialless applies as well.
Questions
I'm assuming that the tech spec portion for trusted scoring should add 4, 5, 6. Is that right?
Also, I suppose for any of the URLs, is there any limitation on the path?
thegreatfatzby changed the title from "Clarify Validations on Sellers trustedScoringSignalsUrl" to "Clarify Validations on Sellers trustedScoringSignalsUrl, Path of Bidding/Scoring Signals URL" on Sep 10, 2023
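The checks listed in the issue above can be run over a candidate URL before it goes into an interest group or auction config, so a stray query string or fragment is caught up front instead of being dropped silently. This is an added example, not code from the spec, the explainer or any browser; the function names and sample URLs are constructed, "credentialless" is taken to mean no username or password in the URL, and `strict: false` mirrors the shorter list the issue reads for `trustedScoringSignalsUrl`.

```javascript
// Added example: pre-flight check for the validations listed in the issue.
// Function names are hypothetical; "credentialless" is assumed to mean
// "no username or password in the URL".

// Returns the names of the failed checks; an empty array means the URL passes.
function failedSignalsUrlChecks(urlString, ownerOrigin, { strict = true } = {}) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return ["valid URL"]; // nothing else can be evaluated
  }
  const failed = [];
  if (url.protocol !== "https:") failed.push("HTTPS");
  if (url.origin !== new URL(ownerOrigin).origin) failed.push("same origin");
  if (strict) {
    // Items 4-6 of the bidding list in the issue.
    if (url.username !== "" || url.password !== "") failed.push("credentialless");
    // In a serialized URL, "?" and "#" only appear as the query and fragment
    // delimiters, so a bare trailing "?" or "#" is flagged too.
    if (url.href.includes("?")) failed.push("no query");
    if (url.href.includes("#")) failed.push("no fragment");
  }
  return failed;
}

// Throws a TypeError naming every failed check, otherwise returns the parsed URL.
function assertSignalsUrl(urlString, ownerOrigin, options) {
  const failed = failedSignalsUrlChecks(urlString, ownerOrigin, options);
  if (failed.length > 0) {
    throw new TypeError(`${urlString} failed: ${failed.join(", ")}`);
  }
  return new URL(urlString);
}

// Constructed sample input: one owner origin, several candidate URLs.
const owner = "https://dsp.example";
for (const candidate of [
  "https://dsp.example/signals",
  "https://dsp.example/signals?debug=1#v2",
  "https://user:pw@dsp.example/signals",
  "http://other.example/signals",
]) {
  console.log(candidate, "strict:", failedSignalsUrlChecks(candidate, owner),
    "short list:", failedSignalsUrlChecks(candidate, owner, { strict: false }));
}
```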