Summary
Track the pre-existing sanitizer gap for nested iframe[srcdoc] content. The generic creative sanitizer handles normal attributes but does not remove or recursively sanitize HTML stored in srcdoc. The renderer permits both allow-scripts and allow-same-origin, so accepted nested markup needs an explicit policy.
This is narrower follow-up work to #401 and was identified while reviewing #916. It is not introduced by #916 and should be fixed separately so the optional rewrite setting remains focused.
Acceptance criteria
- Define whether
srcdoc is removed or recursively sanitized.
- Apply the policy before both enabled and disabled auction rewrite paths diverge.
- Add regression coverage proving unsafe nested content cannot survive with
auction.rewrite_creatives set to either true or false.
- Confirm ordinary sanitized creative markup and mandatory server-side sanitization remain unchanged.
Summary
Track the pre-existing sanitizer gap for nested
iframe[srcdoc]content. The generic creative sanitizer handles normal attributes but does not remove or recursively sanitize HTML stored insrcdoc. The renderer permits bothallow-scriptsandallow-same-origin, so accepted nested markup needs an explicit policy.This is narrower follow-up work to #401 and was identified while reviewing #916. It is not introduced by #916 and should be fixed separately so the optional rewrite setting remains focused.
Acceptance criteria
srcdocis removed or recursively sanitized.auction.rewrite_creativesset to eithertrueorfalse.