A Consent Management Platform (CMP) for Tab for a Cause. Creates IAB-compliant window.__tcfapi and window.__uspapi functions and saves users' data privacy options.
Add the tagModified.html code to the <head /> of the page.

Install the package:

```shell
yarn add tab-cmp
```

Then initialize the CMP:
```js
import tabCMP from 'tab-cmp'

// tabLogoWithText is the publisher's logo image asset; its import is not
// shown in this snippet.
tabCMP.initializeCMP({
  // Set configuration as needed.
  displayPersistentConsentLink: false,
  onError: (err) => {
    console.error(err)
  },
  primaryButtonColor: '#9d4ba3',
  publisherName: 'Tab for a Cause',
  publisherLogo: tabLogoWithText,
})
```
Known errors:

- GVLError. This is a network failure when fetching the vendor list.
- Failed to read the 'localStorage' property from 'Window': Access is denied for this document. This is an expected error for the new tab page cross-domain frame in some browsers.

There are two reasons we aren't simply relying on another vanilla, third-party CMP:
If a third-party CMP can support these needs, we can consider deprecating this module.
API:

- initializeCMP: required before calling other methods. Determines the user's country location, runs the QC Choice JS, and sets default USP data as needed.
- Resolves to true if the user is in the EU. Use this to know whether to render GDPR-related privacy options.
- Resolves to true if the user is in the US. Use this to know whether to render CCPA-related privacy options.
- Opens the GDPR consent dialog.
- Opens the CCPA data privacy dialog.
This module wraps the Quantcast Choice CMP. We modify its behavior in a few ways:

- Cookies are set with SameSite=None (from SameSite=Lax) so the CMP works in a cross-domain iframe. We package a static version of QC Choice's CMP JS file with the necessary changes.

Upgrading or modifying Quantcast Choice settings requires a combination of modifying the settings in the QC Choice management panel and modifying local code. Note that some of our CMP settings use the QC Choice panel settings directly, but many settings are hardcoded locally.
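The SameSite change above is applied by editing the vendored QC Choice file. The following Node snippet is an added example, not the project's own copy-with-edits script: it assumes the vendored source sets cookies through document.cookie strings, rewrites SameSite=Lax to SameSite=None; Secure, and checks that every SameSite=None cookie also carries Secure, since browsers refuse to store a SameSite=None cookie without it. The input source is a constructed sample.

```javascript
// Added example: rewrite cookie SameSite attributes in a vendored JS source
// and verify the result. Not the tab-cmp project's own script.

// Constructed sample of cookie-setting lines as they might appear in the
// vendored file (real file is far larger).
const SAMPLE_SOURCE = [
  "document.cookie = name + '=' + value + '; path=/; SameSite=Lax';",
  "document.cookie = 'other=1; path=/; SameSite=Lax; Secure';",
  '// unrelated code',
].join('\n');

// Replace every SameSite=Lax with SameSite=None; Secure. If the line already
// carries Secure, only the SameSite value changes so Secure is not duplicated.
function rewriteSameSite(source) {
  return source
    .split('\n')
    .map((line) => {
      if (!/samesite\s*=\s*lax/i.test(line)) return line;
      const hasSecure = /\bsecure\b/i.test(line);
      return line.replace(
        /samesite\s*=\s*lax/gi,
        hasSecure ? 'SameSite=None' : 'SameSite=None; Secure'
      );
    })
    .join('\n');
}

// Return every line that sets SameSite=None without Secure (empty array = OK).
function findInsecureSameSiteNone(source) {
  return source
    .split('\n')
    .filter((line) => /samesite\s*=\s*none/i.test(line) && !/\bsecure\b/i.test(line));
}

const rewritten = rewriteSameSite(SAMPLE_SOURCE);
console.log(rewritten);
console.log('insecure SameSite=None lines:', findInsecureSameSiteNone(rewritten));
```

Run the check again after every quantcast:update, because a fresh download of the upstream file reverts the edit.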
To upgrade or change settings:

1. Modify the tab.gladly.dev settings in the QC Choice management panel.
2. Update the quantcast:cmp-js:download script to match the portal version.
3. Run yarn run quantcast:update.
4. Use the changes in ./quantcast/qcChoiceOriginal.js to update ./src/qcChoiceModified.js and ./src/initCMP.js.
5. If ./quantcast/qcCmpOriginal.js has changed: update the edits (in the quantcast:cmp-js:copy-with-edits NPM script), then run yarn run quantcast:cmp-js:copy-with-edits.
6. Modify the tab.gladly.io settings in the QC Choice management panel to match the tab.gladly.dev settings.

Debugging:

- Add a tabCMPDebug=true URL parameter to the page to enable debug logging.
- For tab-ads, which is useful to test ad partner behavior: add a tabAdsDebug=true URL parameter to the page to enable debug logging.

We'll want to test for each combination of
This section has info on how to set up these test contexts.
To reset CMP state:

- Clear the tabCMP* local storage values.
- Clear the euconsent-v2, usprivacy, and addtl_consent cookies.
EU context: tabCMP.clientLocation.isInEU has a value of true and tabCMP.clientLocation.countryISOCode has a value of FR (or some other EU country ISO code).

US context: tabCMP.clientLocation.isInEU has a value of false and tabCMP.clientLocation.countryISOCode has a value of US.

Our app often loads in the new tab page iframe, in the context of a browser extension. CMP and ad partner behavior can be different in an iframe, so we have to specifically test it.
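The reset steps and the EU/US location values above, as an added example that is not part of the tab-cmp package. It assumes you hold a reference to the tabCMP object (the imported module) and that the CMP cookies were set on path=/; if they carry a Domain attribute, the expiry line needs the same domain. The fake window at the bottom is constructed so the snippet also runs outside a browser.

```javascript
// Added example (not tab-cmp's own code): reset CMP state and set a test
// client location. Paste into the console against the real window, or run
// as-is with the constructed fake window.

const CMP_COOKIES = ['euconsent-v2', 'usprivacy', 'addtl_consent'];

// Remove every localStorage key beginning with "tabCMP" and expire the CMP
// cookies. `win` is any Window-like object with localStorage and document.
// Returns the removed localStorage keys.
function resetCmpState(win) {
  const ls = win.localStorage;
  const removed = [];
  // Collect first: removing while iterating shifts the key indices.
  for (let i = 0; i < ls.length; i++) {
    const key = ls.key(i);
    if (key && key.startsWith('tabCMP')) removed.push(key);
  }
  removed.forEach((key) => ls.removeItem(key));
  // A cookie is cleared by re-setting it with an expiry in the past on the
  // same path (assumption: path=/; add Domain= if the originals had one).
  CMP_COOKIES.forEach((name) => {
    win.document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  });
  return removed;
}

// Test locations matching the README's EU and US contexts.
const TEST_LOCATIONS = {
  EU: { isInEU: true, countryISOCode: 'FR' },
  US: { isInEU: false, countryISOCode: 'US' },
};

// Overwrite tabCMP.clientLocation with the chosen test location.
function mockClientLocation(tabCMP, region) {
  if (!TEST_LOCATIONS[region]) throw new Error(`unknown region: ${region}`);
  tabCMP.clientLocation = { ...TEST_LOCATIONS[region] };
  return tabCMP.clientLocation;
}

// Constructed fake Window so the functions above run under Node.
function makeFakeWindow(entries) {
  const store = new Map(Object.entries(entries));
  const cookiesWritten = [];
  return {
    localStorage: {
      get length() { return store.size; },
      key: (i) => Array.from(store.keys())[i] ?? null,
      removeItem: (k) => { store.delete(k); },
      has: (k) => store.has(k),
    },
    document: { set cookie(v) { cookiesWritten.push(v); } },
    cookiesWritten,
  };
}

const demo = makeFakeWindow({ tabCMPConsent: '1', tabCMPLocation: '{}', unrelated: 'keep' });
console.log('removed keys:', resetCmpState(demo));
console.log('cookies expired:', demo.cookiesWritten.length);
console.log('EU mock:', mockClientLocation({}, 'EU'));
```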
Set the iframe src to use that domain. To refresh, modify the src rather than refreshing the top-level page.

Basic CMP functionality
A new user has the expected default privacy string. Clear the CMP data, then run:

```js
__uspapi('getUSPData', 1, (uspData, success) => {
  console.log('cmp responded:', uspData, success)
})
```

The uspString property value should be 1YNN.
Works on:
GDPR should not apply. Run:

```js
__tcfapi('getTCData', 2, (tcData, success) => {
  console.log('cmp responded:', tcData, success)
})
```

The gdprApplies property value should be false.
Works on:
CMP Consent Dialog
The user's account page should show a "Do Not Show My Info" link that opens the CCPA dialog.
Works on:
The user's choice should persist. Open the dialog, opt out of data sale, and save. Refresh the app, open the dialog, and confirm you are still opted out.
Works on:
After opting out of data sale, the USP string changes. Run:

```js
__uspapi('getUSPData', 1, (uspData, success) => {
  console.log('cmp responded:', uspData, success)
})
```

The uspString property value should be 1YYN.
Works on:
Ad Partner Behavior
The request to Google Ad Manager includes the expected privacy options. For the request to securepubads.g.doubleclick.net/gampad/: the us_privacy query string value is 1YNN and the gdpr value is 0.
Works on:
The request to Amazon has expected privacy options. For the request to https://c.amazon-adsystem.com/e/dtb/bid: the pj query string value is {"us_privacy":"1YNN"}, the gdpre value is 0, and the gdprl.status value is tcfv2-success.
Works on:
A Prebid partner uses expected privacy options. E.g., for the Sonobi request to apex.go.sonobi.com/trinity.json: the us_privacy query string value is 1YNN and the gdpr value is false.
Works on:
Index Exchange uses expected privacy options. For the request to htlb.casalemedia.com/cygnus: the r query string value includes the regs property equal to {"ext":{"gdpr":0,"us_privacy":"1YNN"}}.
Works on:
The request to fetch ads is not substantially slower than prior to making CMP changes. Compare the request time of securepubads.g.doubleclick.net/gampad/ to a prior deployment.
Confirmed on:
It's challenging to accurately test timing in the iframe, so no need to.
Basic CMP functionality

Start by clearing the CMP data, then consenting to data usage.
The CMP responds with expected data. Run:

```js
__tcfapi('getTCData', 2, (tcData, success) => {
  console.log('cmp responded:', tcData, success)
})
```

The gdprApplies property value should be true, and the tcString and addtlConsent properties should be set.
Works on:
CCPA should not apply. Run:

```js
__uspapi('getUSPData', 1, (uspData, success) => {
  console.log('cmp responded:', uspData, success)
})
```

The uspString property value should be 1---.
Works on:
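The __uspapi and __tcfapi checks in the US and EU sections above, turned into one reusable check. This is an added example, not code from the tab-cmp package: it wraps the IAB callback-style calls in promises, parses the uspString (version digit, then explicit-notice, opt-out-of-sale and LSPA flags, with "-" meaning not applicable), and compares the results with the values the checklist expects. The context names and the fake CMP window at the end are constructed for the example.

```javascript
// Added example (not tab-cmp's own code): promise wrappers around the IAB
// __uspapi / __tcfapi callback APIs, a US Privacy string parser, and a
// comparison against the states the README checklist expects.

// Expected CMP state per test context, taken from the checklist.
const EXPECTED_CMP_STATE = {
  US_NEW_USER: { uspString: '1YNN', gdprApplies: false },
  US_OPTED_OUT: { uspString: '1YYN', gdprApplies: false },
  EU_CONSENTED: { uspString: '1---', gdprApplies: true },
};

// `win` is the window exposing the CMP APIs (window in a browser).
function getUSPData(win) {
  return new Promise((resolve, reject) => {
    if (typeof win.__uspapi !== 'function') return reject(new Error('__uspapi not present'));
    win.__uspapi('getUSPData', 1, (uspData, success) =>
      success ? resolve(uspData) : reject(new Error('getUSPData failed')));
  });
}

function getTCData(win) {
  return new Promise((resolve, reject) => {
    if (typeof win.__tcfapi !== 'function') return reject(new Error('__tcfapi not present'));
    win.__tcfapi('getTCData', 2, (tcData, success) =>
      success ? resolve(tcData) : reject(new Error('getTCData failed')));
  });
}

// Parse a US Privacy string: version '1', then three Y/N/- flags for explicit
// notice, opt-out of sale, and LSPA coverage. '-' (not applicable) -> null.
function parseUspString(s) {
  if (!/^1[YN-]{3}$/.test(s)) throw new Error(`invalid uspString: ${s}`);
  const flag = (c) => (c === '-' ? null : c === 'Y');
  return { version: 1, notice: flag(s[1]), optOutOfSale: flag(s[2]), lspaCovered: flag(s[3]) };
}

// Compare fetched CMP data with the expected state. Returns a list of
// problems; an empty list means the context checks out.
function compareCmpState(uspData, tcData, context) {
  const exp = EXPECTED_CMP_STATE[context];
  if (!exp) throw new Error(`unknown context: ${context}`);
  const problems = [];
  try { parseUspString(uspData.uspString); } catch (e) { problems.push(e.message); }
  if (uspData.uspString !== exp.uspString) {
    problems.push(`uspString ${uspData.uspString}, expected ${exp.uspString}`);
  }
  if (tcData.gdprApplies !== exp.gdprApplies) {
    problems.push(`gdprApplies ${tcData.gdprApplies}, expected ${exp.gdprApplies}`);
  }
  if (exp.gdprApplies && !(tcData.tcString && tcData.addtlConsent)) {
    problems.push('tcString and addtlConsent should be set');
  }
  return problems;
}

async function checkCmpState(win, context) {
  const [uspData, tcData] = await Promise.all([getUSPData(win), getTCData(win)]);
  return compareCmpState(uspData, tcData, context);
}

// Constructed fake CMP so the check runs outside a browser.
function fakeCmpWindow({ uspString, gdprApplies, tcString = null, addtlConsent = null }) {
  return {
    __uspapi: (cmd, version, cb) =>
      cb({ version: 1, uspString }, cmd === 'getUSPData' && version === 1),
    __tcfapi: (cmd, version, cb) =>
      cb({ gdprApplies, tcString, addtlConsent }, cmd === 'getTCData' && version === 2),
  };
}

checkCmpState(fakeCmpWindow({ uspString: '1YNN', gdprApplies: false }), 'US_NEW_USER')
  .then((problems) => console.log('US new user problems:', problems));
```

In the browser, call checkCmpState(window, 'EU_CONSENTED') (or the other contexts) from the console after setting up the context; the returned list is empty when the CMP state matches the checklist.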
CMP Consent Dialog
The consent dialog appears on first use.
Works on:
The user's account page should show a "Privacy Options" button that opens the GDPR dialog. Opening it should show the options you previously selected.
Works on:
The user's choices should persist. Open the dialog, change your options, and save. Refresh the app, open the dialog, and confirm your changes are still there.
Works on:
Ad Partner Behavior
The request to Google Ad Manager includes the expected privacy options. For the request to securepubads.g.doubleclick.net/gampad/: the us_privacy query string value is 1---, the gdpr value is 1, the gdpr_consent value is the consent string (matching the euconsent-v2 cookie value), and addtl_consent is a string of numbers.
Works on:
The request to Amazon has expected privacy options. For the request to https://c.amazon-adsystem.com/e/dtb/bid: the pj query string value is {"us_privacy":"1---"}, the gdpre value is 1, the gdprc value is the consent string, and the gdprl.status value is tcfv2-success.
Works on:
A Prebid partner uses expected privacy options. E.g., for the Sonobi request to apex.go.sonobi.com/trinity.json: the us_privacy query string value is 1---, the gdpr value is true, and the consent_string value is the consent string.
Works on:
Index Exchange uses expected privacy options. For the request to htlb.casalemedia.com/cygnus: the r query string value includes the regs property equal to {"ext":{"gdpr":1,"us_privacy":"1---"}} and an ext property with a consent value equal to the consent string.
Works on:
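The ad partner checks in the US and EU sections above, as one script. This is an added example and not part of tab-cmp or tab-ads: it takes captured request URLs, pulls out each partner's privacy parameters (the hostnames and parameter names are those listed in the checklist), normalises the partners' differing gdpr encodings, and reports any mismatch against the expected context. The sample URLs and the consent string placeholder are constructed and far shorter than real requests.

```javascript
// Added example (not tab-cmp or tab-ads code): check captured ad-partner
// requests against the privacy parameters the README checklist expects.

// Partners encode the gdpr flag differently ('0'/'1', 'true'/'false', 0/1).
function toGdprFlag(v) {
  if (v === '1' || v === 'true' || v === 1 || v === true) return true;
  if (v === '0' || v === 'false' || v === 0 || v === false) return false;
  return null;
}

// Extract one request's privacy parameters into a common shape.
function extractPrivacyParams(urlString) {
  const url = new URL(urlString);
  const q = url.searchParams;
  switch (url.hostname) {
    case 'securepubads.g.doubleclick.net':
      return { partner: 'gam', usPrivacy: q.get('us_privacy'), gdpr: q.get('gdpr'),
        consent: q.get('gdpr_consent'), addtlConsent: q.get('addtl_consent') };
    case 'c.amazon-adsystem.com': {
      const pj = JSON.parse(q.get('pj') || '{}');
      return { partner: 'amazon', usPrivacy: pj.us_privacy ?? null, gdpr: q.get('gdpre'),
        consent: q.get('gdprc'), tcfStatus: q.get('gdprl.status') };
    }
    case 'apex.go.sonobi.com':
      return { partner: 'sonobi', usPrivacy: q.get('us_privacy'), gdpr: q.get('gdpr'),
        consent: q.get('consent_string') };
    case 'htlb.casalemedia.com': {
      const r = JSON.parse(q.get('r') || '{}');
      return { partner: 'ix', usPrivacy: r.regs?.ext?.us_privacy ?? null,
        gdpr: r.regs?.ext?.gdpr ?? null, consent: r.ext?.consent ?? null };
    }
    default:
      throw new Error(`unrecognised ad partner host: ${url.hostname}`);
  }
}

// Values the checklist expects in each test context.
const EXPECTED_BY_CONTEXT = {
  US: { usPrivacy: '1YNN', gdprApplies: false },
  EU: { usPrivacy: '1---', gdprApplies: true },
};

// Returns a list of mismatches; empty means the request matches the checklist.
// `consentString` is the euconsent-v2 value and is only compared in the EU context.
function checkAdRequest(urlString, context, consentString = null) {
  const got = extractPrivacyParams(urlString);
  const exp = EXPECTED_BY_CONTEXT[context];
  if (!exp) throw new Error(`unknown context: ${context}`);
  const problems = [];
  if (got.usPrivacy !== exp.usPrivacy) problems.push(`${got.partner}: us_privacy ${got.usPrivacy}, expected ${exp.usPrivacy}`);
  if (toGdprFlag(got.gdpr) !== exp.gdprApplies) problems.push(`${got.partner}: gdpr ${got.gdpr}, expected ${exp.gdprApplies}`);
  if (exp.gdprApplies && got.consent !== consentString) problems.push(`${got.partner}: consent string does not match euconsent-v2`);
  if (exp.gdprApplies && got.partner === 'gam' && !/^\d/.test(got.addtlConsent || '')) problems.push('gam: addtl_consent should be a string of numbers');
  if (got.partner === 'amazon' && got.tcfStatus !== 'tcfv2-success') problems.push(`amazon: gdprl.status ${got.tcfStatus}`);
  return problems;
}

// Constructed EU-context samples with a placeholder consent string.
const CONSENT = 'CONSENT_STRING_PLACEHOLDER';
const SAMPLE_EU_REQUESTS = [
  `https://securepubads.g.doubleclick.net/gampad/ads?us_privacy=1---&gdpr=1&gdpr_consent=${CONSENT}&addtl_consent=1~2.3`,
  `https://c.amazon-adsystem.com/e/dtb/bid?pj=${encodeURIComponent('{"us_privacy":"1---"}')}&gdpre=1&gdprc=${CONSENT}&gdprl.status=tcfv2-success`,
  `https://apex.go.sonobi.com/trinity.json?us_privacy=1---&gdpr=true&consent_string=${CONSENT}`,
  `https://htlb.casalemedia.com/cygnus?r=${encodeURIComponent(JSON.stringify({ regs: { ext: { gdpr: 1, us_privacy: '1---' } }, ext: { consent: CONSENT } }))}`,
];

for (const u of SAMPLE_EU_REQUESTS) {
  console.log(new URL(u).hostname, checkAdRequest(u, 'EU', CONSENT));
}
```

Copy the request URLs from the browser's network panel and pass them in with the current context; the euconsent-v2 cookie value is the consent string to supply in the EU case.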
The request to fetch ads is not substantially slower than prior to making CMP changes. Compare the request time of securepubads.g.doubleclick.net/gampad/ to a prior deployment.
Confirmed on:
It's challenging to accurately test timing in the iframe, so no need to.