
Secure Offer

Andrei A edited this page Sep 25, 2017 · 9 revisions

The Secure Offer extension for the at.js library sanitizes the offers fetched through at.js getOffer() calls.
The extension is intended as a drop-in replacement for getOffer(), with the same parameter specification.

Prerequisites

  1. at.js library
  2. Secure Offer module

Integration Instructions

  1. Include at.js
  2. Choose an appropriate at-secure-offer extension distribution and add it to your page after at.js, OR append the extension to the end of at.js in the Target Tool configuration of DTM.
  3. Replace adobe.target.getOffer(options) calls in your application with adobe.target.ext.getSecureOffer(options) (see the extension README for additional info).
    This sanitizes all CSS and HTML offer content, removing any JavaScript code that might be present in the fetched offer content and, with it, the potential for arbitrary code execution.

Example

adobe.target.ext.getSecureOffer({
    mbox: 'myMbox',
    success: function (offers) {
      console.log('Sanitized offer content', offers[0].content);
    },
    error: function (status, error) {
      console.log(status, error);
    }
});

Example replacing Target Global Mbox call

First, disable global mbox auto create (this must be placed before at.js in the page):

<script type="text/javascript">
    window.targetGlobalSettings = {
        globalMboxAutoCreate: false
    }
</script>

Next, call getSecureOffer/applyOffer for the Target global mbox (this assumes the global mbox name is target-global-mbox; note that the secure variant lives under adobe.target.ext, not adobe.target):

adobe.target.ext.getSecureOffer({
    mbox: 'target-global-mbox',
    success: function(offer) {
        // offer is the sanitized response array; hand it to applyOffer unchanged
        adobe.target.applyOffer({
            mbox: 'target-global-mbox',
            offer: offer
        });
    },
    error: function(status, error) {
        console.warn(status, error);
    }
});

Notes

  • The extension strips the HTML/CSS offer content of any JavaScript code, as well as of any potential arbitrary code execution vector that might be present in offer content, such as onclick, onload and onerror attributes, obfuscated <script> tags, etc.
  • Fetched offers are also stripped of any plugins / customCode actions.
  • The current version of the extension uses the Google Caja JsHtmlSanitizer. Support for other sanitizers, such as DOMPurify, may be added in future versions.
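The integration steps and the notes above leave two practical questions open: what happens if the at-secure-offer script fails to load (adobe.target.ext is then undefined and the call throws), and how to check that what comes back really is free of the script residue the extension is meant to remove. The following is an added example, not code from the at.js Secure Offer extension or from Adobe: a fail-closed wrapper that refuses to fall back to the unsanitized getOffer() when the extension is missing, and runs a coarse tripwire over the sanitized actions before handing them to applyOffer. It assumes the success callback receives an array of action objects with `type` and `content` fields (the shape applyOffer consumes) and that stripped plugin/customCode actions would carry the type strings 'plugin' and 'customCode'; both are assumptions, not taken from the page. The `fakeAdobeTarget` object is a constructed stand-in for the at.js global so the file runs offline in Node.

```javascript
// Added example (not the at.js Secure Offer extension's own code): a fail-closed
// wrapper around adobe.target.ext.getSecureOffer.
//
// Assumptions (not from the page): success callbacks receive an array of action
// objects with `type` and `content`; plugin/customCode actions use the type
// strings 'plugin' / 'customCode'. `fakeAdobeTarget` below is a constructed
// stand-in for window.adobe.target so this runs offline in Node.

// Coarse tripwire patterns for residue the extension is meant to remove
// (script tags, inline event handlers, javascript: URLs). This is a
// post-sanitization check, not a sanitizer, and it may also flag benign text.
const RESIDUE = [
  /<\s*script\b/i,
  /\son[a-z]+\s*=/i,
  /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i,
];

// Action types the page says the extension strips (type strings assumed).
const BLOCKED_TYPES = new Set(['plugin', 'customCode']);

// Returns the source of the first matching tripwire, or null if none match.
function findResidue(content) {
  if (typeof content !== 'string') return null;
  const hit = RESIDUE.find((re) => re.test(content));
  return hit ? hit.source : null;
}

// Vets a sanitized offer response. Returns { ok: true, offer } when every action
// has an allowed type and no script residue, otherwise { ok: false, reason }.
function vetOffer(offer) {
  if (!Array.isArray(offer)) return { ok: false, reason: 'offer is not an array' };
  for (const action of offer) {
    if (!action || typeof action !== 'object') {
      return { ok: false, reason: 'malformed action' };
    }
    if (BLOCKED_TYPES.has(action.type)) {
      return { ok: false, reason: 'blocked action type: ' + action.type };
    }
    const residue = findResidue(action.content);
    if (residue) return { ok: false, reason: 'script residue matched ' + residue };
  }
  return { ok: true, offer };
}

// Fetches via the extension and vets the result before calling `success`.
// If at-secure-offer did not load (target.ext missing), report an error rather
// than silently falling back to the unsanitized adobe.target.getOffer().
function getVettedOffer(target, options) {
  const ext = target && target.ext;
  if (!ext || typeof ext.getSecureOffer !== 'function') {
    options.error('ext-missing',
      new Error('at-secure-offer not loaded; refusing unsanitized getOffer()'));
    return;
  }
  ext.getSecureOffer(Object.assign({}, options, {
    success(offer) {
      const vetted = vetOffer(offer);
      if (!vetted.ok) {
        options.error('vet-failed', new Error(vetted.reason));
        return;
      }
      options.success(vetted.offer);
    },
    error: options.error,
  }));
}

// Constructed stand-in for window.adobe.target (demonstration only).
const fakeAdobeTarget = {
  ext: {
    getSecureOffer(opts) {
      // Sanitized content as the extension would return it (constructed sample).
      opts.success([
        { type: 'setContent', selector: '#hero', content: '<div class="promo">Save 20%</div>' },
      ]);
    },
  },
  applyOffer(opts) {
    // at.js would render opts.offer into the DOM; recorded here instead.
    fakeAdobeTarget.applied = opts.offer;
  },
};

// Mirrors the global-mbox example above: fetch, vet, then applyOffer.
function demo(target) {
  const outcome = { applied: null, error: null };
  getVettedOffer(target, {
    mbox: 'target-global-mbox',
    success(offer) {
      target.applyOffer({ mbox: 'target-global-mbox', offer: offer });
      outcome.applied = offer;
    },
    error(status, err) {
      outcome.error = status + ': ' + err.message;
    },
  });
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(fakeAdobeTarget));   // clean offer is applied
  console.log(demo({}));                // extension missing: fails closed
  console.log(vetOffer([{ type: 'setContent', content: '<img src="x" onerror="alert(1)">' }]));
}
```

The tripwire is deliberately a detector, not a second sanitizer: if it ever fires on output of getSecureOffer, that is a signal to investigate the extension or the offer content, not something to "fix" by stripping further in page code. Because the patterns are coarse (for example, any ` online=` in text would match the event-handler rule), rejected offers should be logged and reviewed rather than silently dropped in production.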