[ads] Confirmations should not be sent if the wildcard is in a forbidden part of the URL #38683
Comments
diracdeltas
added
security
priority/P2
|
Needs to be done on iOS/Android as well if we support wildcards in conversion/etc URLs on those platforms. |
|
see server side implementation in https://github.com/brave/ads-serve/pull/3957 |
|
@tackley Can you confirm what is being done (or going to be done) server-side for third party validations? We should probably copy those in the client as well. |
Yes, we will use the same tests cases on both server and client. I'll share them with you for your review once I've got to that point in implementation. |
tmancey
added
OS/Android
|
@diracdeltas @fmarier @tackley the PR is ready for review and supports desktop, Android and iOS. Thanks |
|
@diracdeltas @tackley @fmarier the PR also validates creative set conversions are same site. |
|
@diracdeltas we use the same test cases, however, we also support certain brave:// schemes which was approved in a previous privacy review. Thanks |
tmancey
changed the title
Description
See https://bravesoftware.slack.com/archives/CJR5902AW/p1717002819317479?thread_ts=1716931296.694229&cid=CJR5902AW for details. If the view/click/landing/conversion URLs for any ad contains a wildcard, we must validate that the wildcard is in either the URL's path or a subdomain before sending a confirmation event. Wildcards in the "base domain" (eTLD+1) part of the URL are invalid and should not trigger any kind of reporting.
The text was updated successfully, but these errors were encountered: