Intent to Deprecate and Remove: Protected Audience Subresource bundle directFromSellerSignals

[Paul Jensen]

Contact emails

cara...@chromium.org

paulj...@chromium.org

Summary

The Protected Audience API provides 2 mechanisms that allow signals to be passed into auctions in such a way that ensures the authenticity and integrity of the signals: the original version, which used subresource web bundles to contain the signals, and the subsequent version, which used special HTTP response headers on page-initiated fetch() requests. 

This deprecation and removal is only for the original, subresource web bundle version, and does not affect the response header version.

Use counter metrics show the feature is used on less than 1 in 500 million page loads.

Deprecating and removing the original subresource web bundle version of directFromSellerSignals will improve code health and remove potential attack surfaces. 

Motivation

Removing this unused feature will remove potential attack surface and reduce maintenance burden.

Interoperability and Compatibility Risk

Edge: not supported (Edge’s Ad Selection API, which is similar to the Protected Audience API, only supports on-server auctions which don’t use directFromSellerSignals)

Firefox: not supported

Safari: not supported

Alternative implementation suggestion for web developers

The header-based directFromSellerSignals provides the same functionality via a different mechanism.

Usage information from UseCounter

This feature is used on less than 1 in 500 million page loads: https://chromestatus.com/metrics/feature/timeline/popularity/5034

Entry on the feature dashboard

https://chromestatus.com/feature/4926509595492352

[Domenic Denicola]

This Intent is missing several important fields for a deprecation and removal, such as: Web developer signals, WebView application risks, web platform test support (it's best to add negative tests which only pass after the removal), Debuggability (how hard will it be for developers to debug failures due to this feature missing?), Finch feature name / non-Finch justification, and Estimated milestones.

Some of these are probably not too serious given the low volume of usage, e.g. I suspect no special debuggability support is required. But it'd be helpful to include them all.

Additionally, the Enterprise, Debuggability, and Testing gates have not been requested yet.

Would you be able to re-generate the Intent email after filling in those fields and requesting those gates? (You can send the updated version to this thread; no need for a new one.)

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrm2zO7GX%2B88wwj_nZ9N_LUX2P_%2BhhD3t3uAfvMFm73%3D9g%40mail.gmail.com.

[Daniel Bratell]

Privacy and Security gates are also missing.

I would assume that removing this could only have a positive effect but they should still be given a heads-up in the chromestatus tool.

/Daniel

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra_YaLByRw%3DXcJd1-Xg1Z_spSg3vW1w0L8%3D9mOBChcXkjw%40mail.gmail.com.

[Alex Russell]

LGTM1 w/ finch control for rollout.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrm2zO7GX%2B88wwj_nZ9N_LUX2P_%2BhhD3t3uAfvMFm73%3D9g%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

[Rick Byers]

I double-checked internal metrics and usage is indeed effectively zero, so compat risk should be effectively non-existent. 

LGTM2 to remove directly with just the usual kill switch in case of emergency somehow.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrm2zO7GX%2B88wwj_nZ9N_LUX2P_%2BhhD3t3uAfvMFm73%3D9g%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra_YaLByRw%3DXcJd1-Xg1Z_spSg3vW1w0L8%3D9mOBChcXkjw%40mail.gmail.com.

--

You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c14b13c1-586e-48ba-a92d-607ac7eadcb2n%40chromium.org.

[Vladimir Levin]

LGTM3

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrm2zO7GX%2B88wwj_nZ9N_LUX2P_%2BhhD3t3uAfvMFm73%3D9g%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra_YaLByRw%3DXcJd1-Xg1Z_spSg3vW1w0L8%3D9mOBChcXkjw%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

[Paul Jensen]

Domenic,

Sorry about using the wrong template.  We accidentally used the "Intent to Deprecate" template from https://www.chromium.org/blink/launching-features/ without realizing it was not for "Intent to Deprecate and Remove"s.

We also requested the chromestatus.com gates.

Here's the proper template filled out:

Contact emails

cara...@chromium.org

paulj...@chromium.org

Explainer

https://github.com/WICG/turtledove/blob/main/FLEDGE.md#251-using-subresource-bundles

Removal here: https://github.com/WICG/turtledove/pull/1368

Specification

New version specified in https://github.com/WICG/turtledove/pull/771; version being removed was not specified.

Summary

The Protected Audience API provides 2 mechanisms that allow signals to be passed into auctions in such a way that ensures the authenticity and integrity of the signals: the original version, which used subresource web bundles to contain the signals, and the subsequent version, which used special HTTP response headers on page-initiated fetch() requests. 

This deprecation and removal is only for the original, subresource web bundle version, and does not affect the response header version.

Use counter metrics show the feature is used on less than 1 in 500 million page loads.

Deprecating and removing the original subresource web bundle version of directFromSellerSignals will improve code health and remove potential attack surfaces.

Blink component

Blink>InterestGroups

TAG review

For Protected Audience: https://github.com/w3ctag/design-reviews/issues/723

TAG review status

Completed for Protected Audience, resolved unsatisfied.

Risks

Interoperability and Compatibility

Edge: not supported (Edge’s Ad Selection API, which is similar to the Protected Audience API, only supports on-server auctions which don’t use directFromSellerSignals)

Firefox: not supported

Safari: not supported

Web developers: Requestor of directFromSellerSignals said header mechanism preferred to web bundle mechanism here.

WebView application risks

Protected Audience not supported on WebView.

Debuggability

Chrome DevTools allows you to place breakpoints in and debug bidding and scoring scripts where the directFromSellerSignals fields will now be null if the web bundle support is removed but relied upon.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Removing this support from all platforms that support Protected Audience, i.e. all but WebView.

Is this feature fully tested by web-platform-tests?

We added a negative WPT here. 

Flag name on about://flags

None

Finch feature name

FledgeDirectFromSellerSignalsWebBundles

Requires code in //chrome?

False

Estimated milestones

Planning to remove in M133.

Anticipated spec changes

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4926509595492352?gate=5314119119667200

This intent message was generated by Chrome Platform Status.

LGTM3

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrm2zO7GX%2B88wwj_nZ9N_LUX2P_%2BhhD3t3uAfvMFm73%3D9g%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra_YaLByRw%3DXcJd1-Xg1Z_spSg3vW1w0L8%3D9mOBChcXkjw%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.