Exception when iframe with UC is in srcdoc iframe

[Zer0Divis0r]

Problem
On web, when universal creative is loaded in an iframe with srcdoc attribute, or src=about:blank, or blob URL, an exception happens when postMessage is sent.
In my case, the specific error message would be:

DOMException: Failed to execute 'postMessage' on 'Window': Invalid target origin 'about://a65bbe00eb976c003b3913c8207a7a4f.safeframe.googlesyndication.com' in a call to 'postMessage'.

To Reproduce
The following example would create an iframe and use blob to create it's contents.

let auctionFrameCode = `
<body style="background-color:white;margin:0px;padding:0px;">\x3Cscript src=".....a code that runs auction and eventually loads UC....">\x3C/script></body>`;

let $auctionFrame = jQuery("<iframe srcdoc=''></iframe>");
// OR: let $auctionFrame = jQuery(`<iframe srcdoc='${auctionFrameCode}'></iframe>`);
// OR: let $auctionFrame = jQuery(`<iframe src='about:blank'></iframe>`);

$("body").append($auctionFrame);

const blob = new Blob([auctionFrameCode], {type: 'text/html'});
$auctionFrame.attr('src', window.URL.createObjectURL(blob));

In renderingManager in line 125 it would eventually fail, because publisherDomain would have a blob: or about: prepend/protocol.

Expected behavior
To be conceous of non-standard protocols and/or origins, and, maybe, replace targetOrigin to "*" in such cases? Not sure.

[patmmccann]

@Zer0Divis0r could you expand a bit on the use case here? Why wound UC be loaded in an iframe with srcdoc attribute or src=about:blank?

[dgirardi]

This should be an issue only when Prebid (not the creative) lives in an origin-less frame. I don't think just broadcasting the message to '*' is a good idea because it opens up some attacks (a malicious frame could read the message and, among other things, reply with a counterfeit ad - which can include any js code that the creative would run).

To support this use case, we could change the flow to:

1. Prebid generates an additional nonce for each bid (let's call it adToken), which is passed to the ad server via targeting keys (in the same way adId is now).
2. If the origin (pubUrl) is not available, creative sends request to '*', using adToken instead of adId as identifier.
3. Prebid looks up the bid through adToken, and replies as it does now. Subsequent requests for the same adToken must be ignored.
4. Creative discards replies whose adId does not match the one sent through targeting.

This should be backwards compatible and lock out actors that are not in possession of a valid adToken.

[Zer0Divis0r]

@Zer0Divis0r could you expand a bit on the use case here? Why wound UC be loaded in an iframe with srcdoc attribute or src=about:blank?

The use case is implementation of ad stack without adserver, and the container creative frames are created manually. This is very similar to the basic implementation, but with sandboxed frames.