Criteo bid adapter: write cookie only on TLD+1 (#12323)

Avoid writing cookies on anything higher than TLD+1 level. e.g. We should write on orange.fr and not on actu.orange.fr
prebid · Oct 22, 2024 · fa44eac · fa44eac
1 parent 18ae4dc
commit fa44eac
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 4 deletions.
diff --git a/modules/criteoBidAdapter.js b/modules/criteoBidAdapter.js
@@ -278,10 +278,10 @@ export const spec = {
         if (response.optout) {
           deleteFromAllStorages(BUNDLE_COOKIE_NAME);
 
-          saveOnAllStorages(OPTOUT_COOKIE_NAME, true, OPTOUT_RETENTION_TIME_HOUR);
+          saveOnAllStorages(OPTOUT_COOKIE_NAME, true, OPTOUT_RETENTION_TIME_HOUR, refererInfo.domain);
         } else {
           if (response.bundle) {
-            saveOnAllStorages(BUNDLE_COOKIE_NAME, response.bundle, GUID_RETENTION_TIME_HOUR);
+            saveOnAllStorages(BUNDLE_COOKIE_NAME, response.bundle, GUID_RETENTION_TIME_HOUR, refererInfo.domain);
           }
 
           if (response.callbacks) {
@@ -428,12 +428,29 @@ function readFromAllStorages(name) {
   return fromCookie || fromLocalStorage || undefined;
 }
 
-function saveOnAllStorages(name, value, expirationTimeHours) {
+function saveOnAllStorages(name, value, expirationTimeHours, domain) {
   const date = new Date();
   date.setTime(date.getTime() + (expirationTimeHours * 60 * 60 * 1000));
   const expires = `expires=${date.toUTCString()}`;
 
-  storage.setCookie(name, value, expires);
+  const subDomains = domain.split('.');
+  for (let i = 0; i < subDomains.length; ++i) {
+    // Try to write the cookie on this subdomain (we want it to be stored only on the TLD+1)
+    const domain = subDomains.slice(subDomains.length - i - 1, subDomains.length).join('.');
+
+    try {
+      storage.setCookie(name, value, expires, null, '.' + domain);
+
+      // Try to read the cookie to check if we wrote it
+      const check = storage.getCookie(name);
+      if (check && check === value) {
+        break;
+      }
+    } catch (error) {
+
+    }
+  }
+
   storage.setDataInLocalStorage(name, value);
 }
 

diff --git a/test/spec/modules/criteoBidAdapter_spec.js b/test/spec/modules/criteoBidAdapter_spec.js
@@ -123,6 +123,7 @@ describe('The Criteo bidding adapter', function () {
       getCookieStub,
       setCookieStub,
       getDataFromLocalStorageStub,
+      setDataInLocalStorageStub,
       removeDataFromLocalStorageStub,
       triggerPixelStub;
 
@@ -146,6 +147,7 @@ describe('The Criteo bidding adapter', function () {
       getCookieStub = sinon.stub(storage, 'getCookie');
       setCookieStub = sinon.stub(storage, 'setCookie');
       getDataFromLocalStorageStub = sinon.stub(storage, 'getDataFromLocalStorage');
+      setDataInLocalStorageStub = sinon.stub(storage, 'setDataInLocalStorage');
       removeDataFromLocalStorageStub = sinon.stub(storage, 'removeDataFromLocalStorage');
 
       triggerPixelStub = sinon.stub(utils, 'triggerPixel');
@@ -160,6 +162,7 @@ describe('The Criteo bidding adapter', function () {
       getCookieStub.restore();
       setCookieStub.restore();
       getDataFromLocalStorageStub.restore();
+      setDataInLocalStorageStub.restore();
       removeDataFromLocalStorageStub.restore();
       triggerPixelStub.restore();
     });
@@ -329,6 +332,38 @@ describe('The Criteo bidding adapter', function () {
         done();
       }, 0);
     });
+
+    it('should write cookie only on TLD+1 level', function(done) {
+      const cookies = {};
+
+      const userSyncs = spec.getUserSyncs(syncOptionsIframeEnabled, undefined, undefined, undefined);
+
+      setCookieStub.callsFake((name, value, expires, _, domain) => {
+        if (domain != '.com') {
+          cookies[name] = value;
+        }
+      });
+
+      getCookieStub.callsFake((name) => cookies[name]);
+
+      const event = new MessageEvent('message', {
+        data: {
+          requestId: '123456',
+          bundle: 'bundle'
+        },
+        origin: 'https://gum.criteo.com'
+      });
+
+      window.dispatchEvent(event);
+      setTimeout(() => {
+        expect(setCookieStub.calledWith('cto_bundle', 'bundle', sinon.match.string, null, '.com')).to.be.true;
+        expect(setCookieStub.calledWith('cto_bundle', 'bundle', sinon.match.string, null, '.abc.com')).to.be.true;
+        expect(setCookieStub.calledWith('cto_bundle', 'bundle', sinon.match.string, null, '.www.abc.com')).to.be.false;
+        expect(cookies).to.deep.equal({ 'cto_bundle': 'bundle' });
+
+        done();
+      }, 0);
+    });
   });
 
   describe('isBidRequestValid', function () {