Content Security Policy and Prebid

[vamsiautomatad]

question

For sites using CSP , it is hard to implement Prebid as bidders use multiple domains for the process of accepting bids and responding back with creatives for winning bids .

it will be extremely useful if Prebid can maintain a list of (sub)/domains that the bidders use , so that they can be whitelisted.

Description

Some sites make use of CSP to add an extra layer of security to detect and mitigate certain types of attacks ( mainly XSS ) .

for sites like those, it will be extremely hard to enforce CSP as it will be very tedious to figure out the list of hosts/domains that need to be added to the whitelist.
is it possible for Prebid to let the bidders publish the list of subdomains that they use OR create a community maintained list of the same ?

Thanks

[mkendall07]

@vamsiautomatad
I'd suggest taking a look at https://github.com/prebid/headerbid-expert/blob/master/bidderPatterns.js
This will give you the domains in question.

[Rendez]

Unrelated, but somehow problematic with CSP as well. The dependency fun-hooks uses new Function(...) which requires the source unsafe-eval to be in CSP headers. This forces us to downgrace the CSP strictness. Is there a way to either stop relying on that library or see if it can be fixed?

[mkendall07]

@snapwich for comment

[snapwich]

@Rendez the nature in which fun-hooks uses new Function isn't unsafe (the code isn't generated from any user input and is limited in scope) and is actually used to improve performance. The idea came from webpack which also uses a similar code generation technique to improve performance in its hooking library: https://github.com/webpack/tapable/blob/master/lib/HookCodeFactory.js#L19

However, webpack has the advantage of usually being run in node environments and not worrying about CSP. I can also understand the desire for enacting CSP compliance.

I think the best solution would for fun-hooks to distribute two different versions of the package, one that is more performant without CSP compliance and one that is less performant but CSP compliant; then the Prebid.js bundler could include the CSP compliant version if specified with a build flag while defaulting to the performant non-compliant version if not specified. Until these two fun-hooks versions exist CSP would require unsafe-eval (I think this is also already required for the Criteo adapter).

Thoughts?

[Rendez]

Thanks for the great answer, and being so reasonable about the issue. I understand that creating new functions during hook execution time isn't ideal for performance, but I trust the optimizing compiler to kick in after a couple of calls. Is there a way we could test the performance of both approaches, and see some numbers?

[snapwich]

I think implementing and testing performance of both approaches would be a great idea. It's not something I will probably get to anytime soon (within the next few weeks), but a backlog item for sure.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[dmitriyshashkin]

Any updates on this? Is there a way to define which version will be used in prebid build?