Intent to Deprecate and Remove: Protected Audience Subresource bundle directFromSellerSignals


Paul Jensen

Nov 26, 2024, 5:12:20 PM
to blink-dev, Caleb Raitto

Contact emails

cara...@chromium.org

paulj...@chromium.org


Summary

The Protected Audience API provides 2 mechanisms that allow signals to be passed into auctions in such a way that ensures the authenticity and integrity of the signals: the original version, which used subresource web bundles to contain the signals, and the subsequent version, which used special HTTP response headers on page-initiated fetch() requests. 


This deprecation and removal is only for the original, subresource web bundle version, and does not affect the response header version.


Use counter metrics show the feature is used on less than 1 in 500 million page loads.


Deprecating and removing the original subresource web bundle version of directFromSellerSignals will improve code health and remove potential attack surfaces. 


Motivation

Removing this unused feature will remove potential attack surface and reduce maintenance burden.


Interoperability and Compatibility Risk

Edge: not supported (Edge’s Ad Selection API, which is similar to the Protected Audience API, only supports on-server auctions which don’t use directFromSellerSignals)

Firefox: not supported

Safari: not supported


Alternative implementation suggestion for web developers

The header-based directFromSellerSignals provides the same functionality via a different mechanism.


Usage information from UseCounter

This feature is used on less than 1 in 500 million page loads: https://chromestatus.com/metrics/feature/timeline/popularity/5034


Entry on the feature dashboard

Domenic Denicola

Nov 26, 2024, 9:27:49 PM
to Paul Jensen, blink-dev, Caleb Raitto
This Intent is missing several important fields for a deprecation and removal, such as: Web developer signals, WebView application risks, web platform test support (it's best to add negative tests which only pass after the removal), Debuggability (how hard will it be for developers to debug failures due to this feature missing?), Finch feature name / non-Finch justification, and Estimated milestones.

Some of these are probably not too serious given the low volume of usage, e.g. I suspect no special debuggability support is required. But it'd be helpful to include them all.

Additionally, the Enterprise, Debuggability, and Testing gates have not been requested yet.

Would you be able to re-generate the Intent email after filling in those fields and requesting those gates? (You can send the updated version to this thread; no need for a new one.)

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrm2zO7GX%2B88wwj_nZ9N_LUX2P_%2BhhD3t3uAfvMFm73%3D9g%40mail.gmail.com.

Daniel Bratell

Dec 4, 2024, 9:17:10 AM
to Domenic Denicola, Paul Jensen, blink-dev, Caleb Raitto

Privacy and Security gates are also missing.

I would assume that removing this could only have a positive effect but they should still be given a heads-up in the chromestatus tool.

/Daniel

Alex Russell

Dec 11, 2024, 11:13:32 AM
to blink-dev, Daniel Bratell, blink-dev, Caleb Raitto, Domenic Denicola, Paul Jensen
LGTM1 w/ finch control for rollout.


Rick Byers

Dec 11, 2024, 11:17:36 AM
to Alex Russell, blink-dev, Daniel Bratell, Caleb Raitto, Domenic Denicola, Paul Jensen
I double-checked internal metrics and usage is indeed effectively zero, so compat risk should be effectively non-existent. 

LGTM2 to remove directly with just the usual kill switch in case of emergency somehow.


Vladimir Levin

Dec 11, 2024, 11:34:04 AM
to blink-dev, Rick Byers, blink-dev, Daniel Bratell, Caleb Raitto, Domenic Denicola, Paul Jensen, Alex Russell
LGTM3


Paul Jensen

Dec 16, 2024, 3:26:46 PM
to Vladimir Levin, blink-dev, Rick Byers, Daniel Bratell, Caleb Raitto, Domenic Denicola, Alex Russell
Domenic,

Sorry about using the wrong template.  We accidentally used the "Intent to Deprecate" template from https://www.chromium.org/blink/launching-features/ without realizing it was not for "Intent to Deprecate and Remove"s.
We also requested the chromestatus.com gates.
Here's the proper template filled out:


Summary

The Protected Audience API provides 2 mechanisms that allow signals to be passed into auctions in such a way that ensures the authenticity and integrity of the signals: the original version, which used subresource web bundles to contain the signals, and the subsequent version, which used special HTTP response headers on page-initiated fetch() requests. 

This deprecation and removal is only for the original, subresource web bundle version, and does not affect the response header version.

Use counter metrics show the feature is used on less than 1 in 500 million page loads.

Deprecating and removing the original subresource web bundle version of directFromSellerSignals will improve code health and remove potential attack surfaces.


Blink component

Blink>InterestGroups


TAG review

For Protected Audience: https://github.com/w3ctag/design-reviews/issues/723


TAG review status

Completed for Protected Audience, resolved unsatisfied.


Risks

Interoperability and Compatibility

Edge: not supported (Edge’s Ad Selection API, which is similar to the Protected Audience API, only supports on-server auctions which don’t use directFromSellerSignals)

Firefox: not supported

Safari: not supported


Web developers: Requestor of directFromSellerSignals said header mechanism preferred to web bundle mechanism here.


WebView application risks

Protected Audience not supported on WebView.



Debuggability

Chrome DevTools allows you to place breakpoints in and debug bidding and scoring scripts where the directFromSellerSignals fields will now be null if the web bundle support is removed but relied upon.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Removing this support from all platforms that support Protected Audience, i.e. all but WebView.


Is this feature fully tested by web-platform-tests?

We added a negative WPT here


Flag name on about://flags

None


Finch feature name

FledgeDirectFromSellerSignalsWebBundles


Requires code in //chrome?

False


Estimated milestones

Planning to remove in M133.


Anticipated spec changes

None


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4926509595492352?gate=5314119119667200


This intent message was generated by Chrome Platform Status.


