Skip to content

Sanitize or remove nested iframe srcdoc in auction creatives #929

Description

@ChristianPavilonis

Summary

Track the pre-existing sanitizer gap for nested iframe[srcdoc] content. The generic creative sanitizer handles normal attributes but does not remove or recursively sanitize HTML stored in srcdoc. The renderer permits both allow-scripts and allow-same-origin, so accepted nested markup needs an explicit policy.

This is narrower follow-up work to #401 and was identified while reviewing #916. It is not introduced by #916 and should be fixed separately so the optional rewrite setting remains focused.

Acceptance criteria

  • Define whether srcdoc is removed or recursively sanitized.
  • Apply the policy before both enabled and disabled auction rewrite paths diverge.
  • Add regression coverage proving unsafe nested content cannot survive with auction.rewrite_creatives set to either true or false.
  • Confirm ordinary sanitized creative markup and mandatory server-side sanitization remain unchanged.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions