Web-Facing Change PSA: Private Aggregation API: ignoring site exceptions for debug mode
Alex Turner
Contact emails
ale...@chromium.orgSpecification
https://patcg-individual-drafts.github.io/private-aggregation-api/#dom-privateaggregation-enabledebugmodeSummary
Currently, the availability of Private Aggregation’s debug mode is tied to a caller's eligibility to set a third-party cookie (see https://chromestatus.com/feature/5148973702840320). However, an edge case was missed in this logic: if the caller can only set a third-party cookie due to a top-level site exception (i.e. the user has generally disabled third-party cookies), this could allow access to information set from other sites that are not on the exception list. To avoid this issue, we plan to start ignoring these top-level site exceptions when determining the availability of Private Aggregation’s debug mode. (It is not possible in Chrome to generally enable third-party cookies but disable them on one site, so the inverse case doesn’t need to be considered.) This does not require a spec change. Note that this new behavior can reveal to the site that the user has generally disabled third-party cookies.
Blink component
Blink>PrivateAggregationTAG review
https://github.com/w3ctag/design-reviews/issues/846 (We have not requested a signal for these changes specifically.)TAG review status
DeclinedRisks
Interoperability and Compatibility
enableDebugMode() will be silently ignored for callers in this particular scenario (like other cases where debug mode is not available). Note that this will not affect the page directly. So, this only affects the report(s) later sent to a .well-known address.
Gecko: No signal (https://github.com/mozilla/standards-positions/issues/805) We have not requested a signal for this change specifically. The Gecko position on Shared Storage (one of the ways Private Aggregation is exposed) is negative.
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/189) We have not requested a signal for this change specifically.
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Debuggability
This slightly reduces the scope of the debug mode. However, other debugging pages, e.g. the internals page, will accurately reflect the debug mode state.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
All but WebView
Is this feature fully tested by web-platform-tests?
No; this change does not modify the spec, so no WPTs change.Flag name on about://flags
NoneFinch feature name
PrivateAggregationDebugReportingIgnoreSiteExceptionsRequires code in //chrome?
FalseTracking bug
https://crbug.com/364318217Launch bug
https://launch.corp.google.com/launch/4349008Estimated milestones
| Shipping on desktop | 132 |
| Shipping on Android | 132 |
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None