
That is the whole point of safe-frames, which are default in DFP.

>While SafeFrame shares information with ad content served to its API-enabled iframe, the publisher chooses what to share and can protect sensitive consumer information like personal email addresses, passwords, or even banking information.

Docs for DFP: https://support.google.com/admanager/answer/6023110?hl=en
Spec: https://www.iab.com/guidelines/safeframe/

For people not in the adtech space: DFP is DoubleClick For Publishers, who initially served banner ads and were bought by Google in 2008. https://en.wikipedia.org/wiki/DoubleClick

Technical measures cannot be required to cover security holes. The holes must be closed. Otherwise it falls on users to audit all sorts of stuff they don't understand - and by users you can include developers.

This is not really a security hole. It's the intended behavior. Web developers (should) know that they are exposing all user behavior to the third-party code they bring in. The solution is to "not do that", but developers tend to choose convenience over safety, as do their clients, as do their clients' users.
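An added illustration of the contrast the two comments above draw (not code from the thread, DFP or the IAB SafeFrame spec): a publisher-side message broker that hands an ad iframe only allow-listed page data over postMessage, next to a directly included script that can read everything. The message names, origins and page state are constructed for this example.

```javascript
// SafeFrame-style host broker: the publisher page keeps all page state and the
// ad iframe can only ask for fields on the publisher's allow-list, over a
// postMessage channel guarded by an origin check. Message names ("sf:get",
// "sf:value", "sf:error") are made up here; they are not the IAB API.

// Constructed page state. Only part of it is meant to reach ad code.
const PAGE_STATE = {
  pageUrl: "https://publisher.example/article/42",
  viewport: { width: 1280, height: 720 },
  userEmail: "reader@example.com", // sensitive: must not leave the host page
  sessionToken: "sess-abc123",     // sensitive: must not leave the host page
};

// adOrigin: the origin the ad iframe was loaded from.
// sharedFields: the publisher's allow-list of fields the frame may request.
function createHostBroker(pageState, adOrigin, sharedFields) {
  const allowed = new Set(sharedFields);
  // `event` mirrors a MessageEvent ({ origin, data }). Returns the reply the
  // host would postMessage back to the frame, or null if the message is ignored.
  return function handleMessage(event) {
    // Messages from any origin other than the ad frame's are dropped silently.
    if (event.origin !== adOrigin) return null;
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "sf:get") return null;
    if (typeof msg.field !== "string") {
      return { type: "sf:error", reason: "bad-request" };
    }
    // The allow-list, not the requester, decides what is shared.
    if (!allowed.has(msg.field) || pageState[msg.field] === undefined) {
      return { type: "sf:error", field: msg.field, reason: "not-shared" };
    }
    // Return a deep copy so the frame never holds a reference into host state.
    const value = JSON.parse(JSON.stringify(pageState[msg.field]));
    return { type: "sf:value", field: msg.field, value };
  };
}

// Contrast: a <script> tag included directly into the page runs with the page's
// own privileges and can read every field, sensitive ones included.
function directScriptCanRead(pageState) {
  return Object.keys(pageState);
}

const broker = createHostBroker(PAGE_STATE, "https://ads.example", ["pageUrl", "viewport"]);
```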

