Safari trying to download setuid result

[Hamper]

When setuid endpoint requested from prebid.js in safari browser it shows Do you want to allow downloads on "site" dialog. If we try directly open setuid in safari like https://prebid-server/setuid?bidder=lunamedia&gdpr=0&gdpr_consent=&uid=$UID we get Do you want to download "setuid" dialog. I think safari interprets 200 responses without Content-Type header as downloadable files.

[bretg]

I'm not seeing this behavior with either prebid.adnxs.com or prebid-server.rubiconproject.com.

https://prebid-server.rubiconproject.com/setuid?bidder=33across&gdpr=&gdpr_consent=&us_privacy=&uid=210745218046930

Anyhow, it's possible that we need to tune something here, but need someone to define the solution. PBS currently responds with empty content regardless of whether that bidder's usersync type is redirect or iframe.

1. should PBS set content-type: text/html for iframe usersyncers? Is it valid to respond with content-length:0?
2. should PBS set content-type: image/png for redirect usersyncers? Is it valid to respond with content-length:0 instead of a blank pixel?
3. should we add a 'format' parameter to /setuid to let the caller define the desired response? (we did that with the /event endpoint)

[bretg]

Discussed in PBS committee. We agreed to modify the PBS /setuid endpoint:

0. If the request is in GDPR scope (gdprApplies==1 or geo-lookup) and the consent string is missing or invalid, return HTTP 400
1. If we do not have permission to set a cookie, the response should be HTTP 451 with a blank body.
2. Else, if the /setuid query string contains f=i (stands for format=image), PBS will respond with a blank 1x1 PNG, set the Content-Length to the appropriate number of bytes, and set Content-Type to image/png
3. Else, if the /setuid string contains f=b (stands for format=blank), PBS will response with empty HTML with Content-Length 0 and Content-Type to text/html
4. else if the named bidder has a preferred usersync type of "redirect", PBS will respond with a blank 1x1 PNG, set the Content-Length to the appropriate number of bytes, and set Content-Type to image/png
5. else if the named bidder has a preferred usersync type "iframe", PBS will response with empty HTML with Content-Length 0 and Content-Type to text/html

[bretg]

Extended the algorithm with f=i and f=b in light of the changes being made in #1554

[bretg]

Implemented in PBS-Java 1.62

However, I think there's a gap now with the support for bidders having both redirect and iframe syncs -- we need PBS to update the /setuid URL to add f=i when it's a redirect or f=b when it's an iframe. Opened #1831 to track.

[SyntaxNode]

Implemented in PBS-Go 0.173.0.