Trust Me: Our Adservers Are Secure
Many people wholeheartedly hate them: advertisements. Be it a commercial break in their favorite TV show, in-game ads or classical print campaigns in newspapers and magazines. Despite this strong dislike, advertising works on many occasions, be it by directly sparking an interest in the shown product or by shaping a new image for the brand in question. Bigger posters, interactive bus-stop commercials or split-screen spots during sports events – there seems to be no end to new and more aggressive types of marketing, which sometimes even push the actual main content into the background. And of course what worked for the so-called real world was soon adapted to the internet.
There is just one tiny problem: the users found a way to fight back! Almost all modern browsers now come with popup suppression enabled by default, support the blocking of cookies or have plugins like Adblock or Ghostery that fully cleanse the website of any type of tracking or advertising. And it seems to work, as a recent campaign by various German online publishers reveals: these publishers asked their readers to disable their adblocking software, arguing that it would cause more harm than good and result in serious losses of income.
<script> element into the
Back in the days when XHTML was defined, the adserver companies at first ignored these problems, telling everyone who complained to switch back to HTML 4 or to force the browser into compatibility or quirks mode so that it would stop using the XML parser. After a while, instead of fixing the real problem – the use of inline scripting – the adserver vendors merely changed the script code to work without the problematic functions, making it work in both HTML and XHTML variants. And while I guess it seemed like a "good enough" solution at first, I was already back then waiting for the problem to return. And, voilà, in 2013 the problem is back.
While that approach technically fixes the XSS issues on the wrong end, it feels a bit like self-defense again: since the backend developers obviously fail at escaping their output properly – despite the fact that XSS is decades old and every developer should know how to protect his or her website – the browser seems to be the last line of defense.
Of course, as with pretty much all solutions that try to fix things in the wrong place, the protection won't be 100%: I can already come up with multiple ways to work around these "limitations", and I bet the bad guys will come up with even more in almost no time. But at least the adserver vendors are going to be forced to finally fix their ad tags to work without inline scripting and without downloading additional code from unknown sources. Better than nothing.
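To make the two requirements above concrete, here is an added example that is not code from the original article or from any adserver vendor: a small Node.js audit script that takes an ad tag snippet and reports inline script bodies (the `document.write` pattern that broke under XHTML's XML parser) and script sources served from hosts outside a publisher-maintained allowlist. The sample ad tags, host names and allowlist are constructed, and the assumption that the browser-side protection behaves like Content Security Policy with inline scripts disallowed is mine; the article does not name the mechanism.

```javascript
// Added example, not code from the original article: audits the <script>
// elements in an ad tag for the two habits the article says ad tags must drop,
// inline script bodies and script sources from hosts outside an allowlist.
// Assumption (not stated in the article): the browser-side protection behaves
// like Content Security Policy without 'unsafe-inline', so an inline tag
// would simply not run on a protected page.

// Matches each <script ...>...</script> pair. The non-greedy body match stops
// at the first real closing tag, which is why the legacy sample below splits
// '</scr' + 'ipt>' inside its string literal.
const SCRIPT_ELEMENT = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
// Pulls the src attribute value out of the tag's attribute string.
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Base used to resolve relative or protocol-relative script URLs (constructed).
const PAGE_ORIGIN = 'https://publisher.example/';

/**
 * Returns a list of findings for an ad tag snippet.
 * @param {string} html           ad tag markup as delivered to the publisher
 * @param {string[]} allowedHosts hosts the publisher agreed to load script from
 */
function auditAdTag(html, allowedHosts) {
  const findings = [];
  const re = new RegExp(SCRIPT_ELEMENT.source, 'gi'); // fresh lastIndex per call
  let match;
  while ((match = re.exec(html)) !== null) {
    const [, attrs, body] = match;
    const src = SRC_ATTR.exec(attrs);
    if (!src) {
      // No src attribute: inline script, which a no-inline policy refuses to run.
      const kind = /document\.write/.test(body) ? 'inline-document-write' : 'inline-script';
      findings.push({ kind, detail: body.trim().slice(0, 60) });
      continue;
    }
    const url = src[1] ?? src[2] ?? src[3] ?? '';
    let host;
    try {
      host = new URL(url, PAGE_ORIGIN).host;
    } catch {
      findings.push({ kind: 'unparseable-src', detail: url });
      continue;
    }
    if (!allowedHosts.includes(host)) {
      findings.push({ kind: 'external-script-unknown-host', detail: host });
    }
  }
  return findings;
}

// Constructed sample ad tags (not taken from any real ad network).
// 1. The classic document.write tag: inline, and it injects a second script
//    with a cache-buster. This is the pattern that broke under XHTML.
const LEGACY_TAG = `<script type="text/javascript">
document.write('<scr' + 'ipt src="http://ads.example.net/serve?zone=42&r=' + Math.random() + '"></scr' + 'ipt>');
</script>`;
// 2. A tag that pulls in code from a host the publisher never agreed to.
const UNKNOWN_HOST_TAG = `<script src="//cdn.thirdparty.example/loader.js"></script>`;
// 3. The shape the article asks for: one external script from a known host,
//    with its parameters in data attributes instead of inline code.
const CLEAN_TAG = `<script src="https://ads.example.net/adtag.js" async data-zone="42"></script>`;

// Hosts this (constructed) publisher has agreed to load ad script from.
const ALLOWED = ['ads.example.net'];

for (const [name, tag] of Object.entries({ LEGACY_TAG, UNKNOWN_HOST_TAG, CLEAN_TAG })) {
  console.log(name, auditAdTag(tag, ALLOWED));
}
```

Run with `node audit.js` (file name chosen here); the legacy tag yields one `inline-document-write` finding, the second tag one `external-script-unknown-host` finding for `cdn.thirdparty.example`, and the clean tag none. The regex approach is deliberately rough: it is enough to triage tags handed over by a vendor, but a production check should use a real HTML parser and also look at inline event-handler attributes, which a no-inline policy blocks just like script bodies.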
This article originally appeared in Web & PHP magazine.