Same Origin and Redirects

Here we try to bypass the same-origin requirements for the URLs in the IG attributes by using redirects, in particular to re-route static files to a CDN.
The goal is to see if we can take www.dsp.com/cdn/x and redirect it to cdn.dsp.com/x.

Conclusion: Redirecting the static file to a different origin does not work, even when the target is same site but on a different domain.

Set Up

You can see the client-side JS by inspecting the page, but here are the relevant client-side and server-side snippets.

Instructions to set up Chrome to bypass attestation here

Client Side

We join an IG in which all URLs are in the www subdomain of the current site.

          
            const myGroup = {
              'owner': 'https://www.privacy-sandbox-testing-one.com/',
              'name': 'test-redirect',
              'biddingLogicUrl': 'https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/biddingfunction.js',
              'ads': [{renderUrl: 'https://www.privacy-sandbox-testing-one.com/creative?id=23'}],
              'trustedBiddingSignalsURL':  'https://www.privacy-sandbox-testing-one.com/buyer-kv-call',
              'trustedBiddingSignalsKeys': ['a', 'b', 'c'],
              'lifetimeMs': 3600
            };
            const joinPromise = navigator.joinAdInterestGroup(myGroup);
          
        

Note the cleverly named biddingLogicUrl, which indeed does not exist. This simulates the goal of taking www.dsp.com/cdn/x and redirecting to cdn.dsp.com/x.

Here, the IG will successfully join, as it seems the URL is not verified on join.

Server Side

Here is the fastify routing:

          
            fastify.get("/same-origin-issues/with-redirect/idontexist/biddingfunction.js", function(request, reply) {
              reply.redirect("https://auctions.privacy-sandbox-testing-one.com/biddingfunction.js");
            });
            
            fastify.get("/same-origin-issues/with-redirect/idontexist/scoreads.js", function(request, reply) {
              reply.redirect("https://auctions.privacy-sandbox-testing-one.com/scoreads.js");
            });
          
        

Verify redirect of biddingLogicUrl https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/biddingfunction.js

Verify redirect of scoreads https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/scoreads.js

Auction

Now we run the auction with the IG that was successfully joined:

          
            const myAuctionConfig = {
                'seller': 'https://www.privacy-sandbox-testing-one.com/',
                'decisionLogicURL': 'https://www.privacy-sandbox-testing-one.com/same-origin-issues/with-redirect/idontexist/scoreads.js',
                'interestGroupBuyers': ['https://www.privacy-sandbox-testing-one.com/'],
                'auctionSignals': {'a': 'lkj'},
                'trustedScoringSignalsURL': 'https://www.privacy-sandbox-testing-one.com/seller-kv-call'
            };
            const result = await navigator.runAdAuction(myAuctionConfig);
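
A pre-flight check for the failure this page demonstrates, as an added example that is not part of the original test page: given a config and the response each script URL returned when redirects were not followed, it flags script URLs that are off-origin from the owner or seller, or that answer with a redirect. The function name, the field list and the sample responses (constructed from the routes above, plus one hypothetical non-redirecting path) are assumptions of this example.

```javascript
// Added example, not the test page's code. Flags Protected Audience script
// URLs that are off-origin from their owner/seller or that answer with a
// redirect, the case this page found does not work.
const SCRIPT_FIELDS = ['biddingLogicUrl', 'decisionLogicURL']; // spellings used on this page

function checkScriptUrls(config, partyField, responses) {
  const partyOrigin = new URL(config[partyField]).origin;
  const findings = [];
  for (const field of SCRIPT_FIELDS) {
    if (!(field in config)) continue;
    const url = new URL(config[field]);
    if (url.origin !== partyOrigin) {
      findings.push({ field, problem: 'cross-origin-url', origin: url.origin });
      continue;
    }
    const res = responses[url.href];
    if (!res) {
      findings.push({ field, problem: 'no-response-recorded' });
    } else if (res.status >= 300 && res.status < 400 && res.location) {
      // Location may be relative, so resolve it against the requested URL.
      const target = new URL(res.location, url);
      findings.push({ field, problem: 'redirect', origin: target.origin,
                      crossOrigin: target.origin !== partyOrigin });
    }
  }
  return findings;
}

// Constructed sample: the two routes above, recorded as fastify's default 302.
const BASE = 'https://www.privacy-sandbox-testing-one.com';
const DIR = BASE + '/same-origin-issues/with-redirect/idontexist';
const REDIRECT_TARGET = 'https://auctions.privacy-sandbox-testing-one.com';
const sampleResponses = {
  [DIR + '/biddingfunction.js']: { status: 302, location: REDIRECT_TARGET + '/biddingfunction.js' },
  [DIR + '/scoreads.js']: { status: 302, location: REDIRECT_TARGET + '/scoreads.js' },
  [BASE + '/direct/biddingfunction.js']: { status: 200 }, // hypothetical non-redirecting path
};
const sampleGroup = { owner: BASE + '/', biddingLogicUrl: DIR + '/biddingfunction.js' };
const sampleAuction = { seller: BASE + '/', decisionLogicURL: DIR + '/scoreads.js' };

console.log(checkScriptUrls(sampleGroup, 'owner', sampleResponses));
console.log(checkScriptUrls(sampleAuction, 'seller', sampleResponses));
```

Both sample configs produce one `redirect` finding with `crossOrigin: true`, matching the conclusion at the top of this page.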
          
        

Results

If you open the console in the dev tools, you will see:

The error is something like this: