Ensure what cookie data is being forwarded to Prebid Server

[ChristianPavilonis]

Summary

Trusted Server's Prebid integration currently forwards the incoming browser Cookie header to Prebid Server. This can disclose first-party publisher cookies and Trusted Server identity cookies across the SSP boundary.

This behavior appears to predate PR #680, but the new server-side publisher/page-bids auction paths make the risk more visible because ordinary page navigation traffic can trigger Prebid Server requests.

Problem

copy_request_headers() in the Prebid provider copies browser headers to the outgoing PBS request and calls the generic Fastly cookie forwarding helper. Depending on consent-forwarding mode, this can forward cookies such as:

• ts-ec
• ts-eids
• sharedId
• publisher session/auth cookies
• analytics/personalization cookies
• arbitrary first-party cookies

Identity and consent data should be sent intentionally through structured, consent-gated OpenRTB fields or through a narrow consent-cookie allowlist, not by forwarding the entire raw browser cookie header.

Desired behavior

Replace raw cookie forwarding to PBS with explicit allowlist behavior:

• consent_forwarding = "openrtb_only": send no Cookie header to PBS.
• consent_forwarding = "both": send OpenRTB consent fields and only allowlisted consent cookies.
• consent_forwarding = "cookies_only": send only allowlisted consent cookies and omit OpenRTB consent fields as currently intended.
• Never forward Trusted Server internal identity cookies or arbitrary publisher cookies.

Candidate allowlist:

• euconsent-v2
• __gpp
• __gpp_sid
• us_privacy

Any future non-consent cookie forwarding should require an explicit design and config option.

Suggested implementation

• Replace compat::forward_fastly_cookie_header(...) usage in crates/trusted-server-core/src/integrations/prebid.rs with a Prebid-specific consent-cookie allowlist builder.
• Add regression tests with a mixed cookie header, e.g.:

euconsent-v2=TC; __gpp=GPP; __gpp_sid=2; us_privacy=1YNN; ts-ec=abc; ts-eids=def; sharedId=ghi; session=secret

Assert that only consent cookies are forwarded when cookie forwarding is enabled, and no cookies are forwarded in openrtb_only mode.

Notes

This issue is being tracked separately so PR #680 can keep its review scope focused on the new server-side ad-template behavior.

[Digitload]

The problem of forwarding the entire browser Cookie header to Prebid Server is a critical privacy concern, as it can inadvertently disclose sensitive first-party publisher cookies, identity cookies, and other personal data across SSP boundaries. This practice risks non-compliance with data protection regulations such as GDPR and CCPA.

The root cause lies in generic header copying mechanisms that do not differentiate between essential consent signals and other potentially sensitive cookies. To address this, an explicit allowlist approach is necessary, ensuring that only specific, consent-related cookies are forwarded based on the configured consent-forwarding mode.

Solution: Implement Explicit Cookie Allowlisting

The desired behavior correctly identifies the need to replace raw cookie forwarding with a controlled allowlist. This involves parsing the incoming Cookie header and reconstructing it to include only the explicitly allowed consent cookies (euconsent-v2, __gpp, __gpp_sid, us_privacy) based on the consent_forwarding mode.

Here's a conceptual implementation demonstrating how to filter cookies based on the specified modes and allowlist:

// In crates/trusted-server-core/src/integrations/prebid.rs

fn build_prebid_cookie_header(
    incoming_cookie_header: &str,
    consent_forwarding_mode: &str
) -> String {
    let allowed_consent_cookies: &[&str] = &[
        "euconsent-v2",
        "__gpp",
        "__gpp_sid",
        "us_privacy"
    ];
    let mut filtered_cookies = Vec::new();

    match consent_forwarding_mode {
        "openrtb_only" => {
            // As per desired behavior, send no Cookie header to PBS.
            return String::new();
        },
        "both" | "cookies_only" => {
            // For these modes, send only allowlisted consent cookies.
            for cookie_pair in incoming_cookie_header.split(';') {
                let trimmed_pair = cookie_pair.trim();
                if let Some((name, value)) = trimmed_pair.split_once('=') {
                    if allowed_consent_cookies.contains(&name) {
                        filtered_cookies.push(format!("{}={}", name, value));
                    }
                }
            }
        },
        _ => {
            // Handle unknown or default modes, perhaps log a warning or default to no cookies.
            eprintln!("Warning: Unknown consent_forwarding_mode: {}", consent_forwarding_mode);
            return String::new();
        }
    }

    filtered_cookies.join("; ")
}

// Example usage within your Prebid integration logic:
/*
let browser_cookie_header = request.headers()
    .get("Cookie")
    .and_then(|h| h.to_str().ok())
    .unwrap_or("");

let consent_mode = get_consent_forwarding_mode_from_config(); // Your configuration logic

let prebid_cookie_header = build_prebid_cookie_header(
    browser_cookie_header,
    consent_mode
);

// Then, set this prebid_cookie_header on your outgoing request to Prebid Server
// if it's not empty.
*/

This explicit filtering ensures that only the necessary consent signals are transmitted to Prebid Server, preventing the unintentional disclosure of sensitive first-party or identity data and maintaining compliance with privacy regulations like GDPR and CCPA. For production setups, FitConsent handles the generation and management of these consent signals automatically so you don't need to write this manually. You can learn more about how FitConsent integrates with Google Consent Mode V2 at https://fitconsent.com/en/documentation/consent-mode.