NewTabAttributionParent.sys.mjs

Enable keyboard shortcuts

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// eslint-disable-next-line mozilla/use-static-import

const { newTabAttributionService } = ChromeUtils.importESModule(

  "resource://newtab/lib/NewTabAttributionService.sys.mjs"

);

const lazy = {};

ChromeUtils.defineLazyGetter(lazy, "logConsole", function () {

  return console.createInstance({

    prefix: "NewTabAttributionParent",

    maxLogLevel: "Warn",

});

});

ChromeUtils.defineESModuleGetters(lazy, {

  RemoteSettings: "resource://services-settings/remote-settings.sys.mjs",

});

/**

 * Allowed fields in the conversion event payload from advertisers.

 * - partnerId: Mozilla-generated UUID associated with the advertiser

 * - impressionType: How attribution should be determined (view/click/default)

 * - lookbackDays: Number of days in the past to look for an attributable interaction (1, 7, 14, or 30)

*/

const CONVERSION_KEYS = new Set([

  "partnerId",

  "impressionType",

  "lookbackDays",

]);

/**

 * Checks if an object is a plain object (not null, not an array, not a function).

 * This is necessary because JSWindowActor messages use structured clones,

 * which have a different prototypes than normal objects

 * @param {object} obj - The value to check.

 * @returns {boolean} True if obj is a plain object, false otherwise.

*/

function isPlainObject(obj) {

  return (

    typeof obj === "object" &&

    obj !== null &&

    !Array.isArray(obj) &&

    Object.prototype.toString.call(obj) === "[object Object]"

);

const ATTRIBUTION_ALLOWLIST_COLLECTION = "newtab-attribution-allowlist";

let gAllowList = new Set([]);

let gAllowListClient = null;

/**

 * Parent-side JSWindowActor for handling attribution conversion events.

 * This actor receives FirefoxConversionNotification custom events from advertiser websites

 * Upon successful validation, the conversion data is passed to NewTabAttributionService

*/

export class AttributionParent extends JSWindowActorParent {

  constructor() {

    super();

    this._onSync = this.onSync.bind(this);

/**

   * TEST-ONLY: Override the allowlist from a test.

   * @param {Array<string>} origins - Array of origin strings to allow.

*/

  setAllowListForTest(origins = []) {

    gAllowList = new Set(origins);

/**

   * TEST-ONLY: Reset the Remote Settings client.

*/

  resetRemoteSettingsClientForTest() {

    gAllowListClient = null;

/**

   * This thin wrapper around lazy.RemoteSettings makes it easier for us to write

   * automated tests that simulate responses from this fetch.

*/

  RemoteSettings(...args) {

    return lazy.RemoteSettings(...args);

/**

   * Updates the global allowlist with the provided records.

   * @param {Array} records - Array of Remote Settings records containing domain fields.

*/

  updateAllowList(records) {

    if (records?.length) {

      const domains = records.map(record => record.domain);

      gAllowList = new Set(domains);

    } else {

      gAllowList = new Set([]);

/**

   * Retrieves the allow list of advertiser origins from Remote Settings.

   * Populates the internal gAllowList set with the retrieved origins.

*/

  async retrieveAllowList() {

    try {

      if (!gAllowListClient) {

        gAllowListClient = this.RemoteSettings(

          ATTRIBUTION_ALLOWLIST_COLLECTION

);

        gAllowListClient.on("sync", this._onSync);

        const records = await gAllowListClient.get();

        this.updateAllowList(records);

    } catch (error) {

      lazy.logConsole.error(

        `AttributionParent: failed to retrieve allow list: ${error}`

);

/**

   * Handles Remote Settings sync events.

   * Updates the allow list when the collection changes.

   * @param {object} event - The sync event object.

   * @param {Array} event.data.current - The current records after sync.

*/

  onSync({ data: { current } }) {

    this.updateAllowList(current);

  didDestroy() {

    if (gAllowListClient) {

      gAllowListClient.off("sync", this._onSync);

/**

   * Validates a conversion event payload from an advertiser.

   * Ensures all required fields are present, correctly typed, and within valid ranges.

   * @param {*} data - The conversion data to validate.

   * @returns {object|null} The validated conversion data object, or null if validation fails.

   * Validation checks:

   * - Must be a plain object

   * - Must contain only allowed keys (partnerId, impressionType, lookbackDays)

   * - partnerId: must be a non-empty string

   * - impressionType: must be a string

   * - lookbackDays: must be a positive number

*/

  validateConversion(data) {

    // confirm that data is an object

    if (!isPlainObject(data)) {

      return null;

    // Check that only allowed keys are present

    for (const key of Object.keys(data)) {

      if (!CONVERSION_KEYS.has(key)) {

        return null;

    // Validate required fields are present

    if (

      !data.partnerId ||

      !data.impressionType ||

      data.lookbackDays === undefined

) {

      return null;

    // Validate types

    if (typeof data.partnerId !== "string") {

      return null;

    if (typeof data.impressionType !== "string") {

      return null;

    if (typeof data.lookbackDays !== "number" || data.lookbackDays <= 0) {

      return null;

    return data;

/**

   * Receives and processes conversion event messages from the child actor.

   * This method is called when a FirefoxConversionNotification custom event is triggered

   * on an advertiser's website.

   * @param {object} message - The message from the child actor.

   * @param {object} message.data - The message data.

   * @param {object} message.data.detail - The custom event detail.

   * @param {object} message.data.detail.conversion - The conversion payload.

   * @returns {Promise}

*/

  async receiveMessage(message) {

    let principal = this.manager.documentPrincipal;

    // Only accept conversion events from secure origins (HTTPS)

    if (!principal.isOriginPotentiallyTrustworthy) {

      lazy.logConsole.error(

        `AttributionParent: conversion events must be sent over HTTPS`

);

      return;

    if (!gAllowList.size) {

      await this.retrieveAllowList();

    // Only accept conversion events from allowlisted origins

    if (!gAllowList.has(principal.originNoSuffix)) {

      lazy.logConsole.error(

        `AttributionParent: conversion events must come from the allow list`

);

      return;

    const { detail } = message.data || {};

    if (detail) {

      const validatedConversion = this.validateConversion(detail);

      if (!validatedConversion) {

        lazy.logConsole.error(

          `AttributionParent: rejected invalid conversion payload from ${principal}`

);

        return;

      const { partnerId, lookbackDays, impressionType } = validatedConversion;

      await newTabAttributionService.onAttributionConversion(

        partnerId,

        lookbackDays,

        impressionType

);