automattic / adbusters Goto Github PK

Summary: On 12/21 we were notified that third-party files are potentially vulnerable to Ad XSS attacks. To resolve vulnerabilites identified files are being removed from the Adbusters plugins.

All entries in the config should have a corresponding file in templates.

All files in templates should have a corresponding confign.

For any known adbusters that we've nixed, we should serve a nice 403 page :)

It would be useful for other code to have access to the array of supported iframe busters, for example, to see if a file is supported by the plugin or not.

Should provide a method wpcom_vip_get_supported_ad_busters() (or refactor into a class).

See Automattic/vip-scanner#31

URL is /eyewonder/interim.html. I can provide HTML if needed.

URL is /vizu/vizu-interim.html. I can provide HTML if needed.

/master/templates/pictela/Pictela_iframeproxy.html is not safe according to Randy Westergren

Reference: https://randywestergren.com/xss-vulnerabilities-in-multiple-iframe-busters-affecting-top-tier-sites/

URL is /mediaplex/mojofb_v9.html. I can provide HTML if needed.

Some sites have ads which have been configured to expect the files at a specific URL -- usually example.com/wp-content/themes/my_themes/ads/something.html, or similar.

To allow VIP sites to transition to Adbusters quickly (people don't want to/have time to reconfigure ads before the changeover), let's add a filter to the path.

Sites should have to select which adbusters they want served and any others should return a 403 error. No point in serving adbusters that a VIP doesn't want/need.

This will remove the existing undertone duplication in the plugin which is a quick hackaround to let a certain site use it.

We sometimes need crossdomain.xml support as well, for instance for Doubleclick ads. I can provide an example if needed.

Confirm current list of ad providers; make sure they are all still supported. If not, open a PR to remove them - such as:

#50

URL is /eyeblaster/addineyeV2.html. I can provide HTML if needed.

For the future, it would be worth getting approval from all the contributors so this could be licensed under "GPLv2 or later", which is standard for plugins, and used by WP core.

As noted at https://www.gnu.org/licenses/license-list.en.html:

Please note that GPLv3 is not compatible with GPLv2 by itself. However, most software released under GPLv2 allows you to use the terms of later versions of the GPL as well. When this is the case, you can use the code under GPLv3 to make the desired combination.

My understanding of what this means is that if someone is running a plugin that only has GPLv2, they can't then use this GPLv3 in the same site. By switching licenses, we provide as much leeway for sites to use this with other plugins.

Hello!

I work for GumGum and we love that you included our iframe buster file in your plugin, thanks for that!
I do have some questions for you:

• What is your plan to update the Wordpress.org hosted plugin with the current repo version? We would love to recommend your plugin to more people.
• When installed in WP, what is the final url where our iframebuster file lives?
• Is there a chance the user could enable/disable a special URL for each iframebuster? Like http://site.com/gumgum.html to serve our file. That would help our partners a lot!

Thanks for your time and answers.