Intent to Ship: Private Aggregation API bundled enhancements


Alex Turner

Sep 25, 2023, 9:52:31 PM
to blink-dev

Contact emails

ale...@chromium.org

Specification


Summary

We're planning a few bundled changes to Private Aggregation:

  • Null report fixes: Currently reports with no contributions are inadvertently dropped. This change ensures that, when a context ID is specified, a null report is sent even if budget is denied. Separately, it fixes a bug causing budget to always be denied for null reports.

  • Debug mode eligibility changes: Currently, debug mode is always available. This change only allows debug mode for callers that are allowed access to third-party cookies, silently dropping the debug mode otherwise. Note that this will allow debug mode to automatically sunset when third-party cookies are deprecated.

  • Padding report payloads: To avoid the payload size being dependent on the number of contributions, we will pad it with 'null' contributions to a fixed length. **Note**: this change will also affect Attribution Reporting’s aggregatable reports.

  • Reducing delay: When a context ID is specified, we remove the randomized 10-60 minute delay, which is superfluous as a report is always sent in this case. Instead, we just wait until the Shared Storage operation timeout.


Blink component

Blink>PrivateAggregation

TAG review

https://github.com/w3ctag/design-reviews/issues/846 (We have not requested a signal for these changes specifically.)

TAG review status

Pending

Risks



Interoperability and Compatibility

  • Null report fixes: Increases the number of reports sent to reporting endpoints; reporting endpoints using plaintext debug payloads will need to handle the null report case.
  • Debug mode eligibility changes: Backwards incompatible for callers using enableDebugMode() without third-party cookie eligibility.
  • Padding report payloads: Compatible with existing aggregation service versions. Reporting endpoints will see larger payloads and null contributions added to the plaintext debug payloads (if used).
  • Reducing delay: Should not require any reporting endpoint changes; reports will simply arrive earlier.

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/805). We have not requested a signal for these changes specifically. The Gecko position on Shared Storage (one of the ways Private Aggregation is exposed) is negative.

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/189). We have not requested a signal for these changes specifically.

Web developers: Positive for reducing delay

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

No new debug capabilities beyond the existing internals page (chrome://private-aggregation-internals) and temporary debug mode.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

All but WebView



Is this feature fully tested by web-platform-tests?

WPTs will be added when features are enabled.

Flag name on chrome://flags

None

Finch feature name

Padding: PrivacySandboxAggregationServiceReportPadding
All other features: PrivateAggregationApiBundledEnhancements

Requires code in //chrome?

Only for settings checks

Tracking bug

https://crbug.com/1481761

Launch bug

https://launch.corp.google.com/launch/4272421

Estimated milestones

We intend to ship in M119. 


Anticipated spec changes

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5205079858085888

Links to previous Intent discussions

Previous I2S


This intent message was generated by Chrome Platform Status.

Yoav Weiss

Sep 27, 2023, 6:14:08 AM
to Alex Turner, blink-dev
On Mon, Sep 25, 2023 at 11:52 PM Alex Turner <ale...@chromium.org> wrote:

> Interoperability and Compatibility
>
>   • Null report fixes: Increases the number of reports sent to reporting endpoints; reporting endpoints using plaintext debug payloads will need to handle the null report case.

Do you know if current reporting endpoints are ready to handle this change?

>   • Debug mode eligibility changes: Backwards incompatible for callers using enableDebugMode() without third-party cookie eligibility.

Were callers already ready to have the enableDebugMode() call fail? Does it throw, or silently fail?
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA%2BBiF%3DMBk5ra9sn9i4ajaNSd9aMFKE_9DpxE8pziGY6YXB9Mg%40mail.gmail.com.

Chris Harrelson

Sep 27, 2023, 4:02:24 PM
to Yoav Weiss, Alex Turner, blink-dev
Please also fill out the other chromestatus review categories for this Intent, in particular for Privacy and Security, thanks.

Alex Turner

Sep 27, 2023, 4:03:04 PM
to Yoav Weiss, blink-dev
This should only affect endpoints that are using the debug payloads. For them, the reports should look similar, but they will need to allow for a contribution's value to be zero (for both this change and the padding change). While this is already possible today, it's probably not used. I'll plan to highlight this requirement when we send out notifications to the developer mailing lists.
>   • Debug mode eligibility changes: Backwards incompatible for callers using enableDebugMode() without third-party cookie eligibility.
> Were callers already ready to have the enableDebugMode() call fail? Does it throw, or silently fail?
Calling enableDebugMode() from an ineligible context will silently fail -- i.e. no error, but debug mode won't be enabled. 
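
The requirement described in the message above (debug-payload consumers must accept zero-valued contributions from both null reports and padding), as an added example that is not part of the thread or of Chromium's code. The decoded payload shape, the function names and the fixed length of 20 are assumptions; the sample reports are constructed.

```javascript
// Assumed shape after the endpoint has decoded a debug payload:
//   { operation: "histogram", data: [{ bucket: BigInt, value: Number }, ...] }
const PADDED_LENGTH = 20; // assumed fixed length; the thread does not state it

// Sender-side view of padding: fill up to a fixed length with null
// contributions so the payload size no longer reveals the real count.
function padContributions(contributions, length = PADDED_LENGTH) {
  if (contributions.length > length) {
    throw new RangeError("more contributions than the padded length");
  }
  const padded = contributions.slice();
  while (padded.length < length) padded.push({ bucket: 0n, value: 0 });
  return padded;
}

// Endpoint-side: sum values per bucket. A zero value is valid input, not an
// error; it adds nothing to any bucket, so it is counted and skipped.
function summarizeDebugPayload(payload) {
  if (!payload || payload.operation !== "histogram" || !Array.isArray(payload.data)) {
    throw new TypeError("unexpected payload shape");
  }
  const histogram = new Map();
  let nullCount = 0;
  for (const { bucket, value } of payload.data) {
    if (typeof bucket !== "bigint" || !Number.isInteger(value) || value < 0) {
      throw new TypeError("malformed contribution");
    }
    if (value === 0) { nullCount++; continue; }
    histogram.set(bucket, (histogram.get(bucket) ?? 0) + value);
  }
  // A report made up only of null contributions is a null report.
  return { histogram, nullCount, isNullReport: histogram.size === 0 };
}

// Constructed sample reports: one with real contributions, one null report.
const realReport = {
  operation: "histogram",
  data: padContributions([
    { bucket: 1369n, value: 3 },
    { bucket: 1369n, value: 2 },
    { bucket: 42n, value: 7 },
  ]),
};
const nullReport = { operation: "histogram", data: padContributions([]) };
```

Both sample reports carry the same number of entries, so an endpoint that rejected zero values or empty histograms would fail on every padded or null report.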

Alex Turner

Sep 27, 2023, 6:35:48 PM
to Chris Harrelson, Yoav Weiss, blink-dev
I set this feature up as a "Web developer facing change to existing code", but I'm seeing that "New feature incubation" may have been more appropriate (although the guidance is a bit uncertain). Unfortunately, that means chromestatus won't let me request any reviews other than API owners; would it make sense to create a new feature entry? (Note also that these changes have already gone through internal privacy and security reviews.)

Thanks!
Alex

Mike Taylor

Oct 2, 2023, 9:08:43 PM
to Alex Turner, Chris Harrelson, Yoav Weiss, blink-dev

Hey Alex,

Apologies for the delay. It would probably be good to make a new entry and request all the relevant review approvals (sorry for the extra work).

Also, probably useful to drop a link in the TAG review to this Intent, so reviewers can eventually be aware of these changes.

Yoav Weiss

Oct 4, 2023, 10:50:10 AM
to blink-dev, Mike Taylor, Yoav Weiss, blink-dev, Alex Turner, Chris Harrelson
Am I right to assume that the API is still only being used by a relatively small number of partners to which y'all can communicate the new constraints?


Alex Turner

Oct 4, 2023, 5:17:24 PM
to Yoav Weiss, blink-dev, Mike Taylor, Chris Harrelson
Mike: thanks for the clarification, I've added a comment to the TAG review and kicked off those reviews in a new entry: https://chromestatus.com/feature/5148973702840320. I'll ping this thread when those reviews are complete.

Yoav: yes, that's our understanding (although until enrollment is enforced there is a chance we don't have a complete view of the testers). We're in touch with a few partners who are using it that we will communicate to directly. We also have a mailing list to broadcast these kinds of updates more generally. Given that, we feel confident the impact will be minimal to those testing the API.

Alex


Yoav Weiss

Oct 5, 2023, 5:46:35 AM
to Alex Turner, blink-dev, Mike Taylor, Chris Harrelson
LGTM1

Chris Harrelson

Oct 5, 2023, 10:51:53 PM
to Yoav Weiss, Alex Turner, blink-dev, Mike Taylor

Mike Taylor

Oct 6, 2023, 2:37:27 PM
to Chris Harrelson, Yoav Weiss, Alex Turner, blink-dev

LGTM3

Alex Turner

Oct 17, 2023, 4:32:56 PM
to Mike Taylor, Chris Harrelson, Yoav Weiss, blink-dev
Thanks all! A quick update -- the chromestatus reviews are now all complete.