CDN Sheparded Creative Rendering
Exploring More Straightforward Solutions
There are some happy path possibilities for this communication which get challenging.
Post Message API
Given a single iframe with opaqueURN, the top level page could look for a message from that frame. This would allow the rendering frame and publisher to communicate things like native asset styles.
The first stop in the rabbit hole is security: it is strongly recommended to know the origin you are sending a message to or receiving from. In the case a Protected Audience Win (henceforth, PAW) the advertiser does not reliably know the top level page it is within (it is not passed by any PAAPI element, and referer is not available depending on the publishers referer policy).
You could choose to ignore origin verification (I mean, who cares about origin) and instead try a couple of routes:
- If you have a reference to the frame that is sending the message you can try to verify the source directly.
- You could embed some key in the message and do secure passing based on that.
(1) I don't believe can be relied on as this would enforce some constraints on implementation. (2) results in its own rabbit hole pretty quickly:
- A pre-known key would be easy to spoof.
- Trying to add some cryptographic security to a known key would be interesting...deserves some thought, but this could also be spoofed if the message is freely readable (right?)
- An auction ID could suffice as a one time key, but that assumes you can get the auction ID into the frame, which is impacted by the same issue we're trying to solve.
Nest Rendering Frame in Same Origin Intermediary IFrame
IF we know the origin of the rendering frame in advance, we can make a same origin frame that can be used to pass information in via the intermediary frame's location.href. This solution is demonstrated here.
The limitation here is significant: in an open auction, there is no advance knowledge of who will win, and we typically don't like to limit the DSPs rendering flexibility.