Intent to Ship: Protected Audience: cross-origin trusted signals fetches


Paul Jensen

4:40 PM
to blink-dev

Contact emails

paulj...@chromium.org


Explainer

https://github.com/WICG/turtledove/pull/1156


Specification

https://github.com/WICG/turtledove/pull/1197

Side note: there are two related clarification spec PRs (1, 2) that are soon to land but our spec mentor is fine with the spec in its current state, because the new PRs are queued up, even if they don't land right away. The serious meat in the main PR is in place, and any gaps in interoperability are right behind.


Summary

This feature allows the Protected Audience (PA) API to fetch real-time bidding and scoring signals from origins other than the origin of the buyer and seller's scripts. This is done by enabling CORS on these requests and some additional checks and requirements, and changes to prevent misuse. We have heard that this is a critical feature request because dynamic server-generated responses for the real-time bidding and scoring signals are likely to not be served from the same servers as static resources like the bidding and scoring scripts. Furthermore, in the future when the real-time bidding and scoring signals requests will be required to be served from TEEs, they’re even more likely to be served from different servers.


We’re also including some ergonomic improvements to our PA feature detection API that make it easier to query PA feature support without modifying on-page JavaScript.


Blink component

Blink>InterestGroups


TAG review

For Protected Audience: https://github.com/w3ctag/design-reviews/issues/723


TAG review status

Completed for Protected Audience, resolved unsatisfied.


Risks

Interoperability and Compatibility

Feature represents optional new behavior that shouldn’t break existing usage.


Gecko & WebKit: No signal on parent proposal, Protected Audience. Asked in the Mozilla forum here, and in the WebKit forum here.


Edge: Edge has announced plans to support the Ad Selection API which shares much of its API surface with Protected Audience.


Web developers: Requested by 5+ companies (including Microsoft Ads) in multiple GitHub issues: 1, 2, 3.


Debuggability

Protected Audience trusted signals requests show up in the DevTools Network pane.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

It will be supported on all platforms that support Protected Audience, so all but WebView.


Is this feature fully tested by web-platform-tests?

Yes, in 1 and 2.


Flag name on chrome://flags

None


Finch feature name

FledgePermitCrossOriginTrustedSignals


Requires code in //chrome?

False


Estimated milestones

Shipping on desktop and Android in M127.


Anticipated spec changes

None


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5861201518264320


This intent message was generated by Chrome Platform Status.
