Search result ad click confirmation. #13444
Updates to `chromium_src/net/tools/transport_security_state_generator/input_file_parsers.cc` look good.
|
||
request->url = *search_result_ad_target_url; | ||
request->credentials_mode = network::mojom::CredentialsMode::kOmit; | ||
request->referrer_policy = net::ReferrerPolicy::NO_REFERRER; |
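Review bot: `*search_result_ad_target_url` on the first line is dereferenced with no check visible in these lines that it holds a value; if the surrounding code does not already guarantee that, return early before building the request. A one-line comment above `credentials_mode` and `referrer_policy` stating that the request is meant to carry no credentials and no referrer would also keep a later edit from dropping either setting.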
Removed `site_for_cookies` changing code.
Also added `credentials_mode` and `referrer_policy` modification as suggested here: https://github.com/brave/security/issues/876#issuecomment-1139044261
@aseren not sure that is necessary. Just to verify, this url is the ad landing page, right? The actual confirmation happens in the background somewhere from MaybeTriggerSearchResultAdClickedEvent, correct?
actually looking more closely I think this functionality is not correct. We should not be navigating to the click confirmation link here, we should be navigating directly to the landing page and the confirmation should happen in the background from a non-profile context
so after talking to @pes10k we don't need to do anything special here in terms of referrer, credentials mode, etc..., but there are other issues here because we have all this extra infrastructure and complications that aren't necessary if we're just following the click-through url. We don't need to parse ad info from the page and associate it with the tab, we can just put everything we need in the url.
> we should be navigating directly to the landing page and the confirmation should happen in the background from a non-profile context

just a reminder if this functionality is enabled in Tor windows, then any background requests associated with a confirmation that happens in a Tor window needs to still go through Tor; otherwise the ads server can link the user's real IP address to the ID of an ad that they saw in a Tor window
also seriously please add a test for Tor and private
actually we do have tests for private tab: https://github.com/brave/brave-core/pull/13444/files#diff-e2eb5fe1f2ab08f0a20e5e835b489e48211466cdf25bac21263315e165ffc508R432
and SearchResultAdService won't be created for incognito, see factory code:
https://github.com/brave/brave-core/blob/93a3167ac3722808b044d06d46b7ab727382aa9d/browser/brave_ads/search_result_ad/search_result_ad_service_factory.cc
I did look at the factory code and it will be created for incognito and it will have a null AdsService
The way to prevent it from being created in incognito is to return null in SearchResultAdServiceFactory::BuildServiceInstanceFor
When requesting service we run `KeyedServiceFactory::GetServiceForContext`
https://source.chromium.org/chromium/chromium/src/+/main:components/keyed_service/core/keyed_service_factory.cc;l=56?q=KeyedServiceFactory::GetServiceForContext&ss=chromium%2Fchromium%2Fsrc
`GetContextToUse` call eventually goes to `BrowserContextKeyedServiceFactory::GetBrowserContextToUse` which returns nullptr for incognito profiles:
https://source.chromium.org/chromium/chromium/src/+/main:components/keyed_service/content/browser_context_keyed_service_factory.cc;l=64
To create service in incognito we need to override `GetBrowserContextToUse` method, like here:
https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/safe_browsing/advanced_protection_status_manager_factory.cc;l=52
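
The lookup order described in the comment above, as an added example that is not Chromium or Brave code and not part of the original thread. It is a simplified model: `Context`, `Service`, `ModelFactory` and `IncognitoEnabledFactory` are hypothetical names, and only the context-mapping step and the build step are kept.

```cpp
#include <cstdio>
#include <map>
#include <memory>

// Simplified model, not Chromium code: only the context-mapping step is kept.
struct Context { bool off_the_record; };
struct Service { Context* owner; };

class ModelFactory {
 public:
  virtual ~ModelFactory() = default;
  // Map the context first, stop on null, then return or build the instance.
  Service* GetServiceForContext(Context* context) {
    context = GetContextToUse(context);
    if (!context) return nullptr;  // the build step is never reached
    auto& slot = services_[context];
    if (!slot) {
      ++build_count_;
      slot = std::make_unique<Service>(Service{context});
    }
    return slot.get();
  }
  int build_count() const { return build_count_; }

 protected:
  // Default policy in this model: off-the-record contexts get no service.
  virtual Context* GetContextToUse(Context* context) {
    return context->off_the_record ? nullptr : context;
  }

 private:
  std::map<Context*, std::unique_ptr<Service>> services_;
  int build_count_ = 0;
};

// Opting in to incognito requires overriding the mapping step.
class IncognitoEnabledFactory : public ModelFactory {
 protected:
  Context* GetContextToUse(Context* context) override { return context; }
};

int main() {
  Context incognito{true};
  ModelFactory by_default;
  IncognitoEnabledFactory opted_in;
  std::printf("default: %d, override: %d\n",
              by_default.GetServiceForContext(&incognito) != nullptr,
              opted_in.GetServiceForContext(&incognito) != nullptr);
}
```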
still have some concerns about the server side of this but this PR lgtm
DCHECK(search_result_ad->target_url.is_valid() && | ||
search_result_ad->target_url.SchemeIs(url::kHttpsScheme)); | ||
|
||
TriggerSearchResultAdClickedEvent(search_result_ad->Clone()); |
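Review bot: the `DCHECK` on `target_url` is the only validation visible before `TriggerSearchResultAdClickedEvent(...)`, and a `DCHECK` is compiled out in builds where DCHECKs are disabled, so an invalid or non-HTTPS URL would still reach the click event there. Consider an explicit `if (!target_url.is_valid() || !target_url.SchemeIs(url::kHttpsScheme)) return;` ahead of the call, keeping the `DCHECK` only if the condition is a true invariant established earlier.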
Added triggering of an ad click event as it was removed during refactoring.
DCHECK(web_contents); | ||
|
||
if (!search_result_ad_service || !request.request_initiator || | ||
!request.has_user_gesture || !request.is_outermost_main_frame || |
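Review bot: the `!request.has_user_gesture` and `!request.request_initiator` terms in the early-return condition carry no comment saying what each one protects against. If the gesture check is meant to stop a page from triggering a click confirmation without a real click, state that next to the condition and cover it with a test; if it is not a requirement, drop it so the condition only contains checks the feature depends on.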
why are you checking user_gesture here?
also if we only care about the main frame, why are you using `URLLoaderThrottle` instead of `NavigationThrottle`?
> why are you checking user_gesture here?

I thought there was such a requirement. Will double check it.

> also if we only care about the main frame, why are you using URLLoaderThrottle instead of NavigationThrottle?

Yes, `NavigationThrottle` is also possible here. I will change
|
||
SessionID tab_id = sessions::SessionTabHelper::IdForTab(web_contents); | ||
content::WebContents* original_web_contents = | ||
web_contents->GetFirstWebContentsInLiveOriginalOpenerChain(); |
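Review bot: `original_web_contents` on the last line is taken from `GetFirstWebContentsInLiveOriginalOpenerChain()` with no null check visible in these lines, while `tab_id` is computed from `web_contents`; confirm the result is checked before use. A short comment saying which of the two the ad is keyed to, and why the opener chain is consulted, would make the intent reviewable.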
the tab id does not change so this is not necessary
Link target can be opened in a new tab if it has `target="_blank"` attribute. In this case, tab id is changed.
Anyway, in the latest code we moved from `KeyedService` to `TabHelper`, so we don't use Tab id values at all.
Decline the PR because, based on the latest spec changes, https://search.anonymous.ads.brave.com/v3/click request interception is not required.
The new PR, which is based on the recent spec changes: #16179
Spec: https://docs.google.com/document/d/1ncuyw0Yv_qawR-FM0_e1r4pNU2pGDhS49KfwfHqqrqs/edit#heading=h.txs9x3akav5
Description is here: https://github.com/brave/security/issues/876
Resolves brave/brave-browser#23002
Test Plan:
Test case 1
Test case 2
`Viewed search result ad with placement id` message in rewards-internals log.
`Clicked search result ad with placement id` message in rewards-internals log.