Hello everyone,
In PR 547 we are discussing whether we want to allow attribution reports (both aggregatable and event-level) to redirect across origins (i.e. whether they should be CORS requests). For a few reasons, I think it makes sense to make these requests same-origin:
1. It simplifies our API, and allows us to avoid supporting / maintaining CORS flows on these requests
2. It discourages wasting client bandwidth sending reports to multiple endpoints
I'm posting to this list to see if anyone is relying on this behavior or if they think it is important for us to keep the CORS functionality here. Please comment either here or in the PR if you have thoughts.
Best,
Charlie