Skip to content

Commit dcb3865

Browse files
committed
Align ts-debug auction dump docs with redaction and note bid fail-open
The ts-debug comment doc on prepend_auction_debug_comment, the auction_html_comment setting, and the [debug] example config still described the pre-redaction behaviour (full auction result, raw adm markup). Update all three to describe the redacted view: creatives previewed to MAX_BID_CREATIVE_DUMP_BYTES and metadata filtered to the fail-closed DEBUG_DUMP_METADATA_ALLOWLIST. Narrow the SECURITY comment so it no longer implies bid-level metadata is allowlisted; Bid.metadata/nurl/burl pass through today (safe because aps.rs is the only writer, emitting opaque targeting keys). Fail-closed bid allowlist tracked in #925.
1 parent 43ae70c commit dcb3865

3 files changed

Lines changed: 27 additions & 18 deletions

File tree

crates/trusted-server-core/src/publisher.rs

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -935,10 +935,12 @@ fn redact_bid_for_dump(bid: &crate::auction::types::Bid) -> serde_json::Value {
935935
value
936936
}
937937

938-
/// Prepend a `<!-- ts-debug: ... -->` HTML comment carrying the full auction
939-
/// result — pipeline stats plus every provider response, including each bid's
940-
/// raw `adm` creative markup — onto the shared `ad_bids_state` so it lands
941-
/// directly before the injected bids `<script>`. Gated by
938+
/// Prepend a `<!-- ts-debug: ... -->` HTML comment carrying a redacted view of
939+
/// the auction result — pipeline stats plus, per provider, its status, bids
940+
/// (each creative previewed to [`MAX_BID_CREATIVE_DUMP_BYTES`]), and allowlisted
941+
/// metadata — onto the shared `ad_bids_state` so it lands directly before the
942+
/// injected bids `<script>`. Identity-bearing metadata (notably prebid's `debug`
943+
/// subtree) is dropped; see [`DEBUG_DUMP_METADATA_ALLOWLIST`]. Gated by
942944
/// [`auction_html_comment`](crate::settings::DebugConfig::auction_html_comment);
943945
/// never enable in production.
944946
///
@@ -960,10 +962,14 @@ pub(crate) fn prepend_auction_debug_comment(
960962
//
961963
// SECURITY: `Bid.creative` and provider metadata are attacker/partner-
962964
// influenced. Two layers protect the DOM:
963-
// 1. `redact_response_for_dump` drops all non-allowlisted metadata (notably
964-
// the identity-bearing `debug` subtree) and previews each creative, so
965-
// the visitor's identity graph never enters the comment and one large
966-
// creative cannot dominate the payload.
965+
// 1. `redact_response_for_dump` drops all non-allowlisted *response-level*
966+
// metadata (notably the identity-bearing `debug` subtree) and previews
967+
// each creative, so the visitor's identity graph never enters the
968+
// comment and one large creative cannot dominate the payload. Bid-level
969+
// fields (`Bid.metadata`, `nurl`, `burl`) are NOT yet allowlisted; they
970+
// pass through today because the only writer (`integrations/aps.rs`)
971+
// emits opaque targeting keys. Tightening this to a fail-closed bid
972+
// allowlist is tracked in #925.
967973
// 2. `render_dump` below neutralises HTML comment terminators and caps the
968974
// total serialized size.
969975
//

crates/trusted-server-core/src/settings.rs

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1902,11 +1902,13 @@ pub struct DebugConfig {
19021902
#[serde(default)]
19031903
pub ja4_endpoint_enabled: bool,
19041904

1905-
/// Inject a `<!-- ts-debug: ... -->` HTML comment before `</body>` dumping
1906-
/// the full per-provider auction result: pipeline stats (SSP count, mediator
1907-
/// status, winning bid count) plus every provider response — including each
1908-
/// bid's raw `adm` creative markup and provider metadata. Never enable in
1909-
/// production — visible in page source and injects raw HTML from SSPs.
1905+
/// Inject a `<!-- ts-debug: ... -->` HTML comment before `</body>` dumping a
1906+
/// redacted per-provider auction result: pipeline stats (SSP count, mediator
1907+
/// status, winning bid count) plus every provider response — each bid's
1908+
/// creative previewed (not the full `adm` markup) and provider metadata
1909+
/// filtered to a fail-closed allowlist that drops identity-bearing keys.
1910+
/// Never enable in production — visible in page source and injects (bounded)
1911+
/// raw HTML from SSPs.
19101912
#[serde(default)]
19111913
pub auction_html_comment: bool,
19121914

trusted-server.example.toml

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -137,11 +137,12 @@ example_segments = "segments"
137137
[debug]
138138
ja4_endpoint_enabled = false
139139

140-
# Inject a `<!-- ts-debug: ... -->` HTML comment before `</body>` dumping the
141-
# per-provider auction result: pipeline stats plus every provider response,
142-
# including each bid's creative markup and allowlisted provider metadata.
143-
# Visible in page source and injects raw HTML from SSPs. NEVER enable in
144-
# production.
140+
# Inject a `<!-- ts-debug: ... -->` HTML comment before `</body>` dumping a
141+
# redacted per-provider auction result: pipeline stats plus every provider
142+
# response, with each bid's creative previewed (not the full markup) and
143+
# provider metadata filtered to a fail-closed allowlist.
144+
# Visible in page source and injects (bounded) raw HTML from SSPs. NEVER enable
145+
# in production.
145146
auction_html_comment = false
146147

147148
[creative_opportunities]

0 commit comments

Comments
 (0)