DEP-12299 Start.io Bid Adapter: enable withCredentials on bid request to forward siouid cookie#6
Conversation
Greptile Summary

This PR enables
Confidence Score: 3/5

The change forwards a user-identifying cookie on every bid request without checking whether the user has consented; merging as-is risks non-compliant cookie transmission in GDPR-regulated contexts. The adapter now always sends the siouid cookie cross-origin regardless of GDPR or CCPA consent status. Every auction in a regulated region would transmit the cookie without a lawful basis, which is the core purpose of the change but lacks the standard Prebid consent guard that other adapters use for the same pattern. modules/startioBidAdapter.js — specifically the buildRequests function where withCredentials is set without any consent check.
| Filename | Overview |
|---|---|
| modules/startioBidAdapter.js | Single-line change flipping withCredentials from false to true; no consent guard added, so the siouid cookie is forwarded on every bid request regardless of GDPR/CCPA state. |
Sequence Diagram

```mermaid
sequenceDiagram
    participant Browser
    participant PrebidJS as Prebid.js (startioBidAdapter)
    participant RTB as pbc-rtb.startappnetwork.com
    Browser->>PrebidJS: auction triggered
    Note over PrebidJS: buildRequests()<br/>withCredentials: true (changed)
    PrebidJS->>RTB: "POST /1.3/2.5/getbid?account=pbc<br/>+ siouid cookie (now forwarded)"
    RTB-->>PrebidJS: bid response (seatbid[])
    PrebidJS-->>Browser: interpreted bids
    Note over Browser,RTB: withCredentials=true requires server to respond<br/>with Access-Control-Allow-Credentials: true<br/>and a specific Access-Control-Allow-Origin (not *)
```
---
### Issue 1 of 1
modules/startioBidAdapter.js:128-131
**`withCredentials` set unconditionally regardless of consent**
`withCredentials: true` is applied to every bid request with no check on `bidderRequest.gdprConsent` or `bidderRequest.uspConsent`. This means the `siouid` cookie is forwarded even when GDPR applies and the user has not consented to Start.io (GVLID 1216), which can violate the TCF requirement that vendors only process user data after receiving a lawful basis. The standard Prebid pattern is to gate `withCredentials` on consent, for example: `withCredentials: !bidderRequest.gdprConsent?.gdprApplies || !!bidderRequest.gdprConsent?.consentString`.
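An added example of the consent gate the review asks for, written for this page and not taken from the Start.io adapter or from Prebid.js. It assumes `bidderRequest.gdprConsent` has the `{ gdprApplies, consentString }` shape Prebid.js passes to adapters and that `bidderRequest.uspConsent` is a US Privacy string such as `1YNN`; the CCPA branch goes beyond the review's GDPR-only expression.

```javascript
// Added example (not the adapter's or Prebid.js's own code): derive the
// withCredentials flag from the consent data in bidderRequest, so the siouid
// cookie is only forwarded when there is a lawful basis.
// Assumptions: gdprConsent = { gdprApplies, consentString }; uspConsent is a
// US Privacy string whose third character is "Y" when the user opted out of
// sale. The CCPA branch is an extension of the review's suggested expression.
function shouldSendCredentials(bidderRequest) {
  const req = bidderRequest || {};
  const gdpr = req.gdprConsent;
  const usp = req.uspConsent;
  // CCPA: an explicit opt-out of sale means do not attach identifying cookies.
  if (typeof usp === 'string' && usp.length >= 3 && usp.charAt(2) === 'Y') {
    return false;
  }
  // GDPR applies: require a TCF consent string before sending credentials.
  if (gdpr && gdpr.gdprApplies) {
    return Boolean(gdpr.consentString);
  }
  // No GDPR data, or GDPR does not apply: credentials may be sent.
  return true;
}

// Shape of the request object an adapter's buildRequests would return; the
// endpoint is the one shown in the sequence diagram above.
function buildRequestOptions(bidderRequest, payload) {
  return {
    method: 'POST',
    url: 'https://pbc-rtb.startappnetwork.com/1.3/2.5/getbid?account=pbc',
    data: JSON.stringify(payload || {}),
    options: {
      contentType: 'application/json',
      withCredentials: shouldSendCredentials(bidderRequest),
    },
  };
}

// Constructed sample bidderRequest objects covering each consent state.
const samples = {
  noConsentData: {},
  gdprNotApplicable: { gdprConsent: { gdprApplies: false } },
  gdprNoConsentString: { gdprConsent: { gdprApplies: true, consentString: undefined } },
  gdprWithConsentString: { gdprConsent: { gdprApplies: true, consentString: 'CONSTRUCTED_TC_STRING' } },
  ccpaOptedOut: { uspConsent: '1YYN' },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, '->', buildRequestOptions(req).options.withCredentials);
}
```

The suggested expression treats any non-empty TC string as consent; confirming that vendor 1216 itself has consent inside that string requires decoding the TC string, which is not shown here.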
Reviews (1): Last reviewed commit: "Enable credentials in StartIO bid adapte..."
No description provided.