Content Security Policy and Prebid #3590
Comments
@vamsiautomatad
Unrelated, but somehow problematic with CSP as well. The dependency fun-hooks uses
@snapwich for comment
@Rendez the nature in which fun-hooks uses However, webpack has the advantage of usually being run in node environments and not worrying about CSP. I can also understand the desire for enacting CSP compliance. I think the best solution would be for fun-hooks to distribute two different versions of the package, one that is more performant without CSP compliance and one that is less performant but CSP compliant; then the Prebid.js bundler could include the CSP compliant version if specified with a build flag while defaulting to the performant non-compliant version if not specified. Until these two fun-hooks versions exist CSP would require Thoughts?
Thanks for the great answer, and being so reasonable about the issue. I understand that creating new functions during hook execution time isn't ideal for performance, but I trust the optimizing compiler to kick in after a couple of calls. Is there a way we could test the performance of both approaches, and see some numbers?
I think implementing and testing performance of both approaches would be a great idea. It's not something I will probably get to anytime soon (within the next few weeks), but a backlog item for sure.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Any updates on this? Is there a way to define which version will be used in prebid build?
question
For sites using CSP, it is hard to implement Prebid as bidders use multiple domains for the process of accepting bids and responding back with creatives for winning bids.
It will be extremely useful if Prebid can maintain a list of (sub)domains that the bidders use, so that they can be whitelisted.
Description
Some sites make use of CSP to add an extra layer of security to detect and mitigate certain types of attacks (mainly XSS).
For sites like those, it will be extremely hard to enforce CSP as it will be very tedious to figure out the list of hosts/domains that need to be added to the whitelist.
Is it possible for Prebid to let the bidders publish the list of subdomains that they use OR create a community maintained list of the same?
Thanks
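One way a site can work out the host list described in the issue above is to run its policy in `Content-Security-Policy-Report-Only` mode and aggregate the violation reports into a candidate allowlist. The sketch below is an added example, not code from Prebid.js or from this thread; it assumes reports arrive in the legacy `report-uri` JSON shape, and the function names and `.example` hosts are hypothetical.

```javascript
// Constructed sample reports; the hosts are placeholders, not real bidder endpoints.
const sampleReports = [
  ["connect-src", "https://bid.adnetwork-a.example/auction?x=1"],
  ["connect-src", "https://bid.adnetwork-a.example/auction?x=2"],
  ["frame-src", "https://creative.adnetwork-b.example/render"],
  ["script-src-elem", "https://cdn.adnetwork-b.example"],
  ["script-src", "eval"], // keyword value, not a host
  ["img-src", "data"],    // scheme-only value, not a host
].map(([d, u]) => ({ "csp-report": { "effective-directive": d, "blocked-uri": u } }));

// Group blocked HTTPS origins by directive. Anything that is not an https URL
// (keywords such as "eval" or "inline", bare schemes, plain http) is set aside
// for manual review instead of being allowlisted automatically.
function collectOrigins(reports) {
  const byDirective = new Map();
  const needsReview = [];
  for (const wrapper of reports) {
    const r = wrapper["csp-report"];
    if (!r || !r["blocked-uri"]) continue;
    // Older browsers send only violated-directive, sometimes with its value appended.
    const raw = r["effective-directive"] || r["violated-directive"] || "";
    const directive = raw.split(" ")[0];
    if (!directive) continue;
    let origin;
    try {
      const u = new URL(r["blocked-uri"]);
      if (u.protocol !== "https:") throw new Error("not https");
      origin = u.origin; // drops path and query so duplicates collapse
    } catch {
      needsReview.push(`${directive}: ${r["blocked-uri"]}`);
      continue;
    }
    if (!byDirective.has(directive)) byDirective.set(directive, new Set());
    byDirective.get(directive).add(origin);
  }
  return { byDirective, needsReview };
}

// Emit a candidate policy: 'self' plus observed origins, sorted for stable diffs.
function buildPolicy(byDirective) {
  return [...byDirective.keys()].sort()
    .map((d) => `${d} 'self' ${[...byDirective.get(d)].sort().join(" ")}`)
    .join("; ");
}
```

The generated string is a starting point for review: each origin should be confirmed as belonging to a bidder the site actually works with before it moves into the enforced policy.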