@iabtcf-preprod/cmpapi
Ensures other in-page digital marketing technologies have access to CMP transparency and consent information for the IAB's Transparency and Consent Framework (TCF).
CmpApi is the only class needed to give in-page digital marketing technologies access to a CMP's transparency and consent information. Using it involves setting the state of a few properties and/or a validly encoded TC string.
npm
npm install @iabtcf/cmpapi --save
yarn
yarn add @iabtcf/cmpapi
To create an instance of CmpApi, pass your CMP ID (assigned by the IAB), your CMP version (an integer), and whether or not this instance is configured to use a service-specific scope to the constructor. A custom commands object map may optionally be passed as a fourth argument to extend the page-call functionality.
import {CmpApi} from '@iabtcf/cmpapi';
const cmpApi = new CmpApi(1, 3, true);
During construction of the CmpApi, the window.__tcfapi stub is replaced with CmpApi's own function for handling window.__tcfapi command requests. Commands that were waiting to be executed in the stub are filtered out if not valid. Ping and custom commands are executed and removed from the queue, while all other commands remain queued until a valid TC string is set.

Note: After creation, window.__tcfapi will respond to "ping" commands and custom commands only. All other commands will be queued until update() is called for the first time.
In the specification, events occur and registered callbacks are called "whenever the TC String is changed and a new one is available". CmpApi will trigger an event whenever update() is called.

cmpApi.update(encodedTCString || '' || null);

update() may be called with either an encoded TC string, an empty string ('') or null:

- An encoded TC string: CmpApi will decode the string and respond to TCData requests with the decoded values. gdprApplies will be set to true.
- An empty string (''): CmpApi will respond to TCData requests with the correct structure, but all primitive values will be empty. gdprApplies will be set to true.
- null: CmpApi will respond to TCData requests with the correct structure, but all primitive values will be empty. gdprApplies will be set to false.
CmpApi needs to know when you are going to show the UI to the user to recapture consent, in order to set the correct eventStatus. The second parameter is a boolean letting CmpApi know that the UI is now visible to the user (it defaults to false).
// showing the ui to the user
cmpApi.update(encodedTCString, true);
/** CMP gathers user preferences */
cmpApi.update(updatedEncodedTCString, false);
// not showing the ui to the user, only one update is needed
cmpApi.update(encodedTCString, false);
// showing the ui to the user
cmpApi.update('', true);
/** CMP gathers user preferences */
cmpApi.update(updatedEncodedTCString, false);
In the case that GDPR does not apply, simply update with null. That's all.

// only one update is needed to let CmpApi know that GDPR doesn't apply
cmpApi.update(null);
If, for any reason, the CMP is unable to perform its operations in compliance with the TCF and therefore should not continue to serve page request commands (other than ping), CmpApi provides a disable method. Calling disable() puts the CmpApi into a permanent error state. Only ping and custom commands will continue to be executed for page requests.
cmpApi.disable();
CmpApi has an optional parameter for passing in your map of custom commands. CmpApi will not perform any validation on custom commands; the CMP is responsible for handling validation and errors. Custom function signatures must take a callback as their first argument and may define additional params that will be passed from the calling script.
Example
import {CmpApi} from '@iabtcf/cmpapi';
const cmpApi = new CmpApi(1, 3, false, {
  // each custom command receives the caller's callback first, then any extra
  // arguments the page passed to __tcfapi; pass a success flag so the caller
  // can tell a result from an error
  'bingo': (callback, dogName) => {
    callback(`There was a farmer who had a dog, and ${dogName} was his name-o`, true);
  },
  'connectBones': (callback, startBone, endBone) => {
    callback(`The ${startBone} bone is connected to the ${endBone} bone.`, true);
  },
});
const songLyricCallback = (lyrics, success) => {
if(success) {
console.log(lyrics)
} else {
console.error('Error: could not get song lyrics')
}
}
__tcfapi('bingo', 2, songLyricCallback, 'Bingo');
// output: There was a farmer who had a dog, and Bingo was his name-o
__tcfapi('connectBones', 2, songLyricCallback, 'knee', 'thigh');
// output: The knee bone is connected to the thigh bone.
Beginning in 1.1.0, if a custom command is defined that overlaps with a built-in command ("ping", "getTCData", "getInAppTCData", "getVendorList"), then the custom command acts as "middleware": it is passed the built-in command's response and is expected to pass the response along when finished.

Note: "addEventListener" and "removeEventListener" cannot be overwritten. "addEventListener" utilizes the "getTCData" command, so to modify TCData responses, write a custom command for "getTCData" and both "getTCData" and "addEventListener" will utilize it. If the "removeEventListener" command is also used with a custom "getTCData" command, note that "removeEventListener" will not return tcData but rather a boolean that indicates whether the listener was removed. So it is important to add a check, otherwise the CmpApi will catch that error and the callbacks will return with tcData: null.
Example
import {CmpApi} from '@iabtcf/cmpapi';
const cmpApi = new CmpApi(1, 3, false, {
'getTCData': (next, tcData, status) => {
// If used with the 'removeEventListener' command, check that tcData is not a boolean.
if (typeof tcData !== 'boolean') {
// tcData will be constructed via the TC string and can be added to here
tcData.reallyImportantExtraProperty = true;
}
// pass data and status along
next(tcData, status);
},
});
Note: If the next() function is not called with the TCData object, then the caller's callback will not be executed.
We found that @iabtcf-preprod/cmpapi demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.