LGTM2 On Thu, Sep 12, 2024 at 9:58 AM Mike Taylor <miketa...@chromium.org> wrote:
> LGTM1 - this seems like an important privacy bugfix. Compatibility-wise, > this won't affect user experience (if my mental model is correct), but > sites using the API may receive less info than expected - but that's kinda > the point. > On 9/11/24 6:03 PM, 'Akash Nadan' via blink-dev wrote: > > Contact emails > > akashna...@google.com, lin...@chromium.org, johni...@chromium.org > > Explainer > > Attribution Reporting with event-level reports > <https://github.com/WICG/attribution-reporting-api/blob/main/EVENT.md> > > Attribution Reporting API with Aggregatable Reports > <https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATE.md> > > Aggregation Service for the Attribution Reporting API > <https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATION_SERVICE_TEE.md> > > Specification > > https://wicg.github.io/attribution-reporting-api/ > > Blink component > > Internals > AttributionReporting > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EAttributionReporting> > > TAG review > > Still under review <https://github.com/w3ctag/design-reviews/issues/724> > under the original I2S for the Attribution Reporting API > > TAG review status > > Pending > > Summary > > We are landing the following changes to the Attribution Reporting API > focused on: > > - > > Improving privacy for debug keys > > > This change helps to mitigate a potential privacy gap with debug keys. > > Currently the API allows a source debug key or a trigger debug key to be > specified if third party cookies are available and can be set by API > callers. If either a source or trigger debug key is specified then it will > be included in the attribution report. This may lead to a privacy leak if > third party cookies are only allowed on either the publisher or the > advertiser site but not both. > > This change mitigates this issue by enforcing that source debug keys and > trigger debug keys are only included in the attribution report if they’re > present on both the source and trigger, which would mean that third party > cookies were available on both the publisher and advertiser site. This > change will apply to both event-level reports and aggregatable reports. > > > Explainer/Spec changes > > 1. > > Explainer & Spec: > https://github.com/WICG/attribution-reporting-api/pull/1403 > > > Risks > Interoperability and Compatibility > > This is a backwards incompatible change. API callers will continue to > receive Attribution Reporting API reports but the information contained in > the report may change if the API caller only specifies a debug key on only > the source or trigger registration. If they only specify a debug key on one > side, then they will no longer receive debug key information in the report > they receive but they will continue to receive reports. We expect this to > have minimal impact since the API caller will continue to receive > attribution reports as expected. > > Gecko: No signal (Original request: > https://github.com/mozilla/standards-positions/issues/791) > > WebKit: No signal (Original request: > https://github.com/WebKit/standards-positions/issues/180) > > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > No > > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, Chrome OS, Android, and Android WebView)? > > The attribution reporting feature will be supported on all platforms with > the exception of Android WebView > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ? > > Yes > > Estimated milestones > > This feature is anticipated to ship as part of Chrome 130 > <https://chromiumdash.appspot.com/schedule>. > > Link to entry on the Chrome Platform Status > > https://chromestatus.com/feature/6257907243679744 > > Links to previous Intent discussions > > Previous I2S: > > Intent to Ship: Attribution Reporting API > <https://groups.google.com/a/chromium.org/g/blink-dev/c/2Rmj5V6FSaY> > > Intent to Ship: Attribution Reporting features M117 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/nWF61c8xu-M/m/uMmH1ewcAQAJ> > > Intent to Ship: Attribution Reporting features M118 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/Mh-mJiyJZFk/m/HlgzpphYBQAJ> > > Intent to Ship: Attribution Reporting features M119 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/6e44SBtEtcQ> > > Intent to Ship: Attribution Reporting features M120 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/jSk3xpNPzGQ/m/VZPsdYgGCAAJ> > > Intent to Ship: Attribution Reporting features M121 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/g9KiC6Rg_mA/m/V679WcWuAQAJ> > > Intent to Ship: Attribution Reporting features M123 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/NE7VGke1Bjc/m/bIX00t4CAAAJ> > > Intent to Ship: Attribution Reporting features M124 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/aregp1li6xk/m/IhBB2z8tBQAJ> > > Intent to Ship: Attribution Reporting features M125 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/9UyhI6SRyxM/m/zgWWckgWAQAJ> > > Intent to Ship: Attribution Reporting features M126 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/7UQR2lPn5KE/m/q_kL6ZiJDgAJ> > > Intent to Ship: Attribution Reporting features M127 > <https://groups.google.com/a/chromium.org/g/blink-dev/c/LAgnyPsJyJg?pli=1> > > Intent to Ship: Attribution Reporting features M128 (1) > <https://groups.google.com/a/chromium.org/g/blink-dev/c/qlsv7fn0zRE/m/SK8upePCCAAJ> > > Intent to Ship: Attribution Reporting features M128 (2) > <https://groups.google.com/a/chromium.org/g/blink-dev/c/VKGn41wMYlg/m/VsNXktqvCAAJ> > > Thanks, > Akash > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/19b60fd8-79c3-462d-9ff5-1ece30fb64fen%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/19b60fd8-79c3-462d-9ff5-1ece30fb64fen%40chromium.org?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a5c21fe3-d87f-4b39-ab6a-897b875ba05a%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a5c21fe3-d87f-4b39-ab6a-897b875ba05a%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw8Ev3G_xfdh-TyS%2BowvNsGhwbPpqtUbFqGTg%2BqvpqxPtQ%40mail.gmail.com.
