LGTM1 - this seems like an important privacy bugfix. Compatibility-wise, this won't affect user experience (if my mental model is correct), but sites using the API may receive less info than expected - but that's kinda the point.

On 9/11/24 6:03 PM, 'Akash Nadan' via blink-dev wrote:
Contact emails

akashna...@google.com <mailto:akashna...@google.com>, lin...@chromium.org <mailto:lin...@chromium.org>, johni...@chromium.org <mailto:johni...@chromium.org>


Explainer

Attribution Reporting with event-level reports <https://github.com/WICG/attribution-reporting-api/blob/main/EVENT.md>

Attribution Reporting API with Aggregatable Reports <https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATE.md>

Aggregation Service for the Attribution Reporting API <https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATION_SERVICE_TEE.md>


Specification

https://wicg.github.io/attribution-reporting-api/ <https://wicg.github.io/attribution-reporting-api/>


Blink component

Internals > AttributionReporting <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EAttributionReporting>


TAG review

Still under review <https://github.com/w3ctag/design-reviews/issues/724>under the original I2S for the Attribution Reporting API


TAG review status

Pending


Summary

We are landing the following changes to the Attribution Reporting API focused on:

 *

    Improving privacy for debug keys


This change helps to mitigate a potential privacy gap with debug keys.


Currently the API allows a source debug key or a trigger debug key to be specified if third party cookies are available and can be set by API callers. If either a source or trigger debug key is specified then it will be included in the attribution report. This may lead to a privacy leak if third party cookies are only allowed on either the publisher or the advertiser site but not both.


This change mitigates this issue by enforcing that source debug keys and trigger debug keys are only included in the attribution report if they’re present on both the source and trigger, which would mean that third party cookies were available on both the publisher and advertiser site. This change will apply to both event-level reports and aggregatable reports.



Explainer/Spec changes

1.

    Explainer & Spec:
    https://github.com/WICG/attribution-reporting-api/pull/1403
    <https://github.com/WICG/attribution-reporting-api/pull/1403>


Risks
Interoperability and Compatibility

This is a backwards incompatible change. API callers will continue to receive Attribution Reporting API reports but the information contained in the report may change if the API caller only specifies a debug key on only the source or trigger registration. If they only specify a debug key on one side, then they will no longer receive debug key information in the report they receive but they will continue to receive reports. We expect this to have minimal impact since the API caller will continue to receive attribution reports as expected.


Gecko: No signal (Original request: https://github.com/mozilla/standards-positions/issues/791 <https://github.com/mozilla/standards-positions/issues/791>)


WebKit: No signal (Original request: https://github.com/WebKit/standards-positions/issues/180 <https://github.com/WebKit/standards-positions/issues/180>)



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

The attribution reporting feature will be supported on all platforms with the exception of Android WebView


Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

Yes


Estimated milestones

This feature is anticipated to ship as part ofChrome 130 <https://chromiumdash.appspot.com/schedule>.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6257907243679744 <https://chromestatus.com/feature/6257907243679744>


Links to previous Intent discussions

Previous I2S:

Intent to Ship: Attribution Reporting API <https://groups.google.com/a/chromium.org/g/blink-dev/c/2Rmj5V6FSaY>

Intent to Ship: Attribution Reporting features M117 <https://groups.google.com/a/chromium.org/g/blink-dev/c/nWF61c8xu-M/m/uMmH1ewcAQAJ>

Intent to Ship: Attribution Reporting features M118 <https://groups.google.com/a/chromium.org/g/blink-dev/c/Mh-mJiyJZFk/m/HlgzpphYBQAJ>

Intent to Ship: Attribution Reporting features M119 <https://groups.google.com/a/chromium.org/g/blink-dev/c/6e44SBtEtcQ>

Intent to Ship: Attribution Reporting features M120 <https://groups.google.com/a/chromium.org/g/blink-dev/c/jSk3xpNPzGQ/m/VZPsdYgGCAAJ>

Intent to Ship: Attribution Reporting features M121 <https://groups.google.com/a/chromium.org/g/blink-dev/c/g9KiC6Rg_mA/m/V679WcWuAQAJ>

Intent to Ship: Attribution Reporting features M123 <https://groups.google.com/a/chromium.org/g/blink-dev/c/NE7VGke1Bjc/m/bIX00t4CAAAJ>

Intent to Ship: Attribution Reporting features M124 <https://groups.google.com/a/chromium.org/g/blink-dev/c/aregp1li6xk/m/IhBB2z8tBQAJ>

Intent to Ship: Attribution Reporting features M125 <https://groups.google.com/a/chromium.org/g/blink-dev/c/9UyhI6SRyxM/m/zgWWckgWAQAJ>

Intent to Ship: Attribution Reporting features M126 <https://groups.google.com/a/chromium.org/g/blink-dev/c/7UQR2lPn5KE/m/q_kL6ZiJDgAJ>

Intent to Ship: Attribution Reporting features M127 <https://groups.google.com/a/chromium.org/g/blink-dev/c/LAgnyPsJyJg?pli=1>

Intent to Ship: Attribution Reporting features M128 (1) <https://groups.google.com/a/chromium.org/g/blink-dev/c/qlsv7fn0zRE/m/SK8upePCCAAJ>

Intent to Ship: Attribution Reporting features M128 (2) <https://groups.google.com/a/chromium.org/g/blink-dev/c/VKGn41wMYlg/m/VsNXktqvCAAJ>


Thanks,
Akash
--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/19b60fd8-79c3-462d-9ff5-1ece30fb64fen%40chromium.org <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/19b60fd8-79c3-462d-9ff5-1ece30fb64fen%40chromium.org?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a5c21fe3-d87f-4b39-ab6a-897b875ba05a%40chromium.org.

Reply via email to