✨ Google Ad Manager Publisher first-party IDs (#40249)

* Add 'canSetCookie'.

* Add 'tryAddingCookieParams' to amp-a4a.

* Add cookie setting and clearing logic to doubleclick impl.

* Fix getTempCookieName counter.

* Fix doubleclick unit tests.

* Add cookie clearing unit test.

* Fix unit tests and convert expiration date to ms as expected.

* Refactor cookie logic into util, and extend support to adsense.

* Add unit tests for cookie-util.js.

* Allow cokie-utils.js to depend on src/cookies.js.

* Fix type.

* Disallow cookie setting on proxy origin.

* Make test win.location slightly more realistic.

* Instead of carving out proxy origin completely, just don't set the domain.

* Apply proxy origin domain filtering for gfp opt out cookie.

Author: glevitzky

ads/google/a4a/cookie-utils.js

@@ -0,0 +1,78 @@
+import {setCookie} from 'src/cookies';
+import {isProxyOrigin} from 'src/url';
+
+/** @type {string} */
+export const AMP_GFP_SET_COOKIES_HEADER_NAME = 'amp-ff-set-cookies';
+
+/**
+ * Returns the given domain if the current origin is not the AMP proxy origin,
+ * otherwise returns the empty string.
+ *
+ * On proxy origin, we want cookies to be partitioned by subdomain to prevent
+ * sharing across unrelated publishers, in which case we want to set the domain
+ * equal to the empty string (leave it unset).
+ *
+ * @param {!Window} win
+ * @param {string} domain
+ * @return {string}
+ */
+function getProxySafeDomain(win, domain) {
+  return isProxyOrigin(win.location) ? '' : domain;
+}
+
+/**
+ * @param {!Window} win
+ * @param {!Response} fetchResponse
+ */
+export function maybeSetCookieFromAdResponse(win, fetchResponse) {
+  if (!fetchResponse.headers.has(AMP_GFP_SET_COOKIES_HEADER_NAME)) {
+    return;
+  }
+  let cookiesToSet = /** @type {!Array<!Object>} */ [];
+  try {
+    cookiesToSet = JSON.parse(
+      fetchResponse.headers.get(AMP_GFP_SET_COOKIES_HEADER_NAME)
+    );
+  } catch {}
+  for (const cookieInfo of cookiesToSet) {
+    const cookieName =
+      (cookieInfo['_version_'] ?? 1) === 2 ? '__gpi' : '__gads';
+    const value = cookieInfo['_value_'];
+    // On proxy origin, we want cookies to be partitioned by subdomain to
+    // prevent sharing across unrelated publishers, so we don't set a domain.
+    const domain = getProxySafeDomain(win, cookieInfo['_domain_']);
+    const expiration = Math.max(cookieInfo['_expiration_'], 0);
+    setCookie(win, cookieName, value, expiration, {
+      domain,
+      secure: false,
+    });
+  }
+}
+
+/**
+ * Sets up postmessage listener for cookie opt out signal.
+ * @param {!Window} win
+ * @param {!Event} event
+ */
+export function handleCookieOptOutPostMessage(win, event) {
+  try {
+    const message = JSON.parse(event.data);
+    if (message['googMsgType'] === 'gpi-uoo') {
+      const userOptOut = !!message['userOptOut'];
+      const clearAdsData = !!message['clearAdsData'];
+      const domain = getProxySafeDomain(win, win.location.hostname);
+      setCookie(
+        win,
+        '__gpi_opt_out',
+        userOptOut ? '1' : '0',
+        // Last valid date for 32-bit browsers; 2038-01-19
+        2147483646 * 1000,
+        {domain}
+      );
+      if (userOptOut || clearAdsData) {
+        setCookie(win, '__gads', 'delete', Date.now() - 1000, {domain});
+        setCookie(win, '__gpi', 'delete', Date.now() - 1000, {domain});
+      }
+    }
+  } catch {}
+}

ads/google/a4a/test/test-cookie-utils.js

@@ -0,0 +1,101 @@
+import {
+  AMP_GFP_SET_COOKIES_HEADER_NAME,
+  handleCookieOptOutPostMessage,
+  maybeSetCookieFromAdResponse,
+} from '#ads/google/a4a/cookie-utils';
+
+import {getCookie, setCookie} from 'src/cookies';
+
+describes.fakeWin('#maybeSetCookieFromAdResponse', {amp: true}, (env) => {
+  it('should set cookies based on ad response header', () => {
+    maybeSetCookieFromAdResponse(env.win, {
+      headers: {
+        has: (header) => {
+          return header === AMP_GFP_SET_COOKIES_HEADER_NAME;
+        },
+        get: (header) => {
+          if (header !== AMP_GFP_SET_COOKIES_HEADER_NAME) {
+            return;
+          }
+
+          return JSON.stringify([
+            {
+              '_version_': 1,
+              '_value_': 'val1',
+              '_domain_': 'foo.com',
+              '_expiration_': Date.now() + 100_000,
+            },
+            {
+              '_version_': 2,
+              '_value_': 'val2',
+              '_domain_': 'foo.com',
+              '_expiration_': Date.now() + 100_000,
+            },
+          ]);
+        },
+      },
+    });
+
+    expect(getCookie(env.win, '__gads')).to.equal('val1');
+    expect(getCookie(env.win, '__gpi')).to.equal('val2');
+  });
+});
+
+describes.fakeWin('#handleCookieOptOutPostMessage', {amp: true}, (env) => {
+  it('should clear cookies as specified in creative response, with opt out', () => {
+    setCookie(env.win, '__gads', '__gads_val', Date.now() + 100_000);
+    setCookie(env.win, '__gpi', '__gpi_val', Date.now() + 100_000);
+    expect(getCookie(env.win, '__gads')).to.equal('__gads_val');
+    expect(getCookie(env.win, '__gpi')).to.equal('__gpi_val');
+
+    handleCookieOptOutPostMessage(env.win, {
+      data: JSON.stringify({
+        googMsgType: 'gpi-uoo',
+        userOptOut: true,
+        clearAdsData: true,
+      }),
+    });
+
+    expect(getCookie(env.win, '__gpi_opt_out')).to.equal('1');
+    expect(getCookie(env.win, '__gads')).to.be.null;
+    expect(getCookie(env.win, '__gpi')).to.be.null;
+  });
+
+  it('should clear cookies as specified in creative response, without opt out', () => {
+    setCookie(env.win, '__gads', '__gads_val', Date.now() + 100_000);
+    setCookie(env.win, '__gpi', '__gpi_val', Date.now() + 100_000);
+    expect(getCookie(env.win, '__gads')).to.equal('__gads_val');
+    expect(getCookie(env.win, '__gpi')).to.equal('__gpi_val');
+
+    handleCookieOptOutPostMessage(env.win, {
+      data: JSON.stringify({
+        googMsgType: 'gpi-uoo',
+        userOptOut: false,
+        clearAdsData: true,
+      }),
+    });
+
+    expect(getCookie(env.win, '__gpi_opt_out')).to.equal('0');
+    expect(getCookie(env.win, '__gads')).to.be.null;
+    expect(getCookie(env.win, '__gpi')).to.be.null;
+  });
+
+  it('should not clear cookies as specified in creative response, without opt out or clear ads', () => {
+    setCookie(env.win, '__gads', '__gads_val', Date.now() + 100_000);
+    setCookie(env.win, '__gpi', '__gpi_val', Date.now() + 100_000);
+    expect(getCookie(env.win, '__gads')).to.equal('__gads_val');
+    expect(getCookie(env.win, '__gpi')).to.equal('__gpi_val');
+
+    handleCookieOptOutPostMessage(env.win, {
+      data: JSON.stringify({
+        googMsgType: 'gpi-uoo',
+        userOptOut: false,
+        clearAdsData: false,
+      }),
+    });
+
+    expect(getCookie(env.win, '__gpi_opt_out')).to.equal('0');
+    expect(getCookie(env.win, '__gads')).to.equal('__gads_val');
+    expect(getCookie(env.win, '__gpi')).to.equal('__gpi_val');
+  });
+});

build-system/test-configs/dep-check-config.js

@@ -108,6 +108,7 @@ exports.rules = [
       'ads/google/a4a/**->src/ad-cid.js',
       'ads/google/a4a/**->src/experiments/index.js',
       'ads/google/a4a/**->src/service/index.js',
+      'ads/google/a4a/cookie-utils.js->src/cookies.js',
       'ads/google/a4a/utils.js->src/service/variable-source.js',
       'ads/google/a4a/utils.js->src/ini-load.js',
       // IMA, similar to other non-Ad 3Ps above, needs access to event-helper

extensions/amp-a4a/0.1/amp-a4a.js

@@ -30,6 +30,8 @@ import {listenOnce} from '#utils/event-helper';
 import {dev, devAssert, logHashParam, user, userAssert} from '#utils/log';
 import {isAttributionReportingAllowed} from '#utils/privacy-sandbox-utils';
 
+import {canSetCookie, getCookie} from 'src/cookies';
+
 import {A4AVariableSource} from './a4a-variable-source';
 import {getExtensionsFromMetadata} from './amp-ad-utils';
 import {processHead} from './head-validation';
@@ -840,6 +842,15 @@ export class AmpA4A extends AMP.BaseElement {
       // response is empty.
       /** @return {!Promise<!Response>} */
       .then((fetchResponse) => {
+        protectFunctionWrapper(this.onAdResponse, this, (err) => {
+          dev().error(
+            TAG,
+            this.element.getAttribute('type'),
+            'Error executing onAdResponse',
+            err
+          );
+        })(fetchResponse);
+
         checkStillCurrent();
         this.maybeTriggerAnalyticsEvent_('adRequestEnd');
         // If the response is null (can occur for non-200 responses)  or
@@ -1672,6 +1683,12 @@ export class AmpA4A extends AMP.BaseElement {
     );
   }
 
+  /**
+   * To be overridden by implementing subclasses.
+   * @param {!Response} unusedFetchResponse
+   */
+  onAdResponse(unusedFetchResponse) {}
+
   /**
    * @param {!Element} iframe that was just created.  To be overridden for
    * testing.
@@ -2592,3 +2609,46 @@ export function isPlatformSupported(win) {
 function isNative(func) {
   return !!func && func.toString().indexOf('[native code]') != -1;
 }
+
+/**
+ * @param {?ConsentTupleDef} consentTuple
+ * @return {boolean}
+ */
+export function hasStorageConsent(consentTuple) {
+  if (!consentTuple) {
+    return false;
+  }
+
+  if (
+    [CONSENT_POLICY_STATE.UNKNOWN, CONSENT_POLICY_STATE.INSUFFICIENT].includes(
+      consentTuple.consentState
+    )
+  ) {
+    return false;
+  }
+
+  const {consentString, gdprApplies, purposeOne} = consentTuple;
+
+  if (!gdprApplies) {
+    return true;
+  }
+
+  return consentString && purposeOne;
+}
+
+/**
+ * @param {?ConsentTupleDef} consentTuple
+ * @param {!Window} win
+ * @param {!{[key: string]: string|boolean|number}} params
+ */
+export function tryAddingCookieParams(consentTuple, win, params) {
+  if (!hasStorageConsent(consentTuple)) {
+    return;
+  }
+  const cookie = getCookie(win, '__gads');
+  params['cookie'] = cookie;
+  params['gpic'] = getCookie(win, '__gpi');
+  if (!cookie && canSetCookie(win)) {
+    params['cookie_enabled'] = '1';
+  }
+}