
adtechmadness | 4 years ago

As someone working on exactly this type of stuff, you're absolutely right. *.safeframe.googlesyndication.com is Google's implementation of the IAB's safeframe standard[0], which is basically a cross-origin iframe with an API that's exposed to the embedded 3rd party code (the ad). This is what its HTML looks like (some attributes removed for readability):

  <iframe src="https://*.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html" title="3rd party ad content" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation" allow="attribution-reporting"></iframe>

As you can see, it has both sandbox[1] and allow[2] attributes. The former restricts certain behaviors of the embedded code (most notably, navigating the top window without user activation), and the latter restricts it from accessing certain APIs - this is why the author saw errors in the console.

The script at https://cdn.js7k.com/ix/talon-1.0.37.js is an ad verification library developed by Verizon Media (formerly Oath), and it does, among other things, fingerprinting for bot detection purposes (because they want to prevent ad fraud). It was served together with the actual ad media (so-called "creative") into the safeframe.

This is a relatively benign case. I've seen much more terrible stuff, from fingerprinting for user tracking to straight-out malware being served in ads. It's a wild west (or web).

[0]: https://www.iab.com/guidelines/safeframe/

[1]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...

[2]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...
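
Added example, not part of the original comment: a small auditor for the two attributes discussed above, run against the values from the posted iframe, that lists which sandbox restrictions stay in force and which features the `allow` attribute delegates. The function names and the wording of the findings are assumptions of this example; the token list is the one documented for the HTML `sandbox` attribute.

```javascript
// Added example: audit an iframe's sandbox and allow attribute values.
// Token names follow the HTML sandbox attribute documentation.
const SANDBOX_TOKENS = [
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
];

function auditSandbox(value) {
  // Tokens are space-separated and matched case-insensitively.
  const tokens = new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
  const granted = SANDBOX_TOKENS.filter((t) => tokens.has(t));
  const blocked = SANDBOX_TOKENS.filter((t) => !tokens.has(t)); // still restricted
  const unknown = [...tokens].filter((t) => !SANDBOX_TOKENS.includes(t));
  const findings = [];
  if (tokens.has("allow-top-navigation")) {
    findings.push("frame can navigate the top window without user activation");
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("scripts run with the frame's real origin; isolation " +
      "depends on that origin differing from the embedding page's");
  }
  if (tokens.has("allow-popups-to-escape-sandbox")) {
    findings.push("windows opened by the frame are not sandboxed");
  }
  return { granted, blocked, unknown, findings };
}

// The allow attribute is a ';'-separated list of features, each optionally
// followed by an allowlist; return just the feature names.
function delegatedFeatures(allowValue) {
  return allowValue.split(";")
    .map((d) => d.trim().split(/\s+/)[0])
    .filter(Boolean);
}

// Attribute values copied from the iframe in the comment above.
const SAFEFRAME_SANDBOX =
  "allow-forms allow-popups allow-popups-to-escape-sandbox " +
  "allow-same-origin allow-scripts allow-top-navigation-by-user-activation";
const report = auditSandbox(SAFEFRAME_SANDBOX);
console.log(report.blocked, report.findings,
  delegatedFeatures("attribution-reporting"));
```

For the posted iframe, `allow-top-navigation` shows up under `blocked`, which matches the comment's point that the ad cannot navigate the top window without user activation.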
