Update spec to current explainer #131
Conversation
|
@jyasskin could you take a look at this? Thanks! cc @csharrison |
| Title: Conversion Measurement | ||
| Shortname: conversion-measurement | ||
| Title: Attribution Reporting | ||
| Shortname: attribution-reporting |
There was a problem hiding this comment.
I'm curious if this causes any problems for the various spec-scraping tools. Probably not, since I think this spec isn't referenced from anywhere, and I doubt there's anything you could do in this spec to mitigate any problems.
There was a problem hiding this comment.
Hopefully one change is enough :)
index.bs
Outdated
| Level: 1 | ||
| Status: CG-DRAFT | ||
| Group: wicg | ||
| Repository: WICG/conversion-measurement-api | ||
| URL: https://wicg.github.io/conversion-measurement-api | ||
| Editor: Charlie Harrison, Google Inc. https://google.com, [email protected] | ||
| Abstract: A new API to measure and attribute cross-site conversions. | ||
| Abstract: A new API to measure and attribute cross-site events. |
There was a problem hiding this comment.
I expect "attribute" to be used with "to something" at the end. Is there something you could say about where these events are being attributed to?
There was a problem hiding this comment.
Clarified, this is about associating them to each other. Does this still seem vague to you?
|
|
||
| : [=conversion/conversion source=] | ||
| : [=attribution trigger/trigger origin=] | ||
| :: |environment|'s [=environment/top-level origin=]. |
There was a problem hiding this comment.
Why is this the top-level origin instead of just the origin? Can attribution triggers happen in cross-origin iframes? Have you discussed somewhere the security implications of writing a different origin into the attribution trigger, and what it means for specs that need to trust or distrust that value?
There was a problem hiding this comment.
Attribution triggers can happen in cross-origin iframes. The API scopes all events to the top-level site, and then performs attribution in the top-level site namespace. One example would be, an ad was shown for shoes.example, and then shoes.example loads an iframe to ad-tech.example which handles triggering attribution on that site.
We have not discussed the security implications to my knowledge.
Speaking from Chrome's implementation, the browser uses a trusted origin for this struct member. Essentially, the browser knows the top-level browsing context and it's origin, and can look that up from the browsing context which created the attribution trigger in a trusted way. So this value isn't something inherently controlled from within the browsing context in practice.
There was a problem hiding this comment.
I was worried about a hostile iframe being able to create somehow-hostile attributions to the surrounding page, but I'm not sure what attacks that would actually be useful for. It helps that the user has to click in order to make the attribution source happen. Maybe hostile triggers are more worrying, since they might cause payment from the trigger to the source? In any case, this sort of attribution (no pun intended) of one origin's actions to a different origin is worth talking about in the security considerations.
There was a problem hiding this comment.
Yes that would cause issues. Sources are also problematic: a hostile frame logging additional sources could cause credits to be assigned incorrectly, or cause the browser to delete already existing sources in some cases.
The main mitigation we have is requiring a permissions policy to invoke the API inside of iframes, which is disabled by default for cross-origin iframes.
I will make a note to address this in Security Considerations when the Permissions Policy is added to this draft spec.
Co-authored-by: Jeffrey Yasskin <[email protected]>
|
|
||
| : [=conversion/conversion source=] | ||
| : [=attribution trigger/trigger origin=] | ||
| :: |environment|'s [=environment/top-level origin=]. |
There was a problem hiding this comment.
Attribution triggers can happen in cross-origin iframes. The API scopes all events to the top-level site, and then performs attribution in the top-level site namespace. One example would be, an ad was shown for shoes.example, and then shoes.example loads an iframe to ad-tech.example which handles triggering attribution on that site.
We have not discussed the security implications to my knowledge.
Speaking from Chrome's implementation, the browser uses a trusted origin for this struct member. Essentially, the browser knows the top-level browsing context and it's origin, and can look that up from the browsing context which created the attribution trigger in a trusted way. So this value isn't something inherently controlled from within the browsing context in practice.
index.bs
Outdated
| Level: 1 | ||
| Status: CG-DRAFT | ||
| Group: wicg | ||
| Repository: WICG/conversion-measurement-api | ||
| URL: https://wicg.github.io/conversion-measurement-api | ||
| Editor: Charlie Harrison, Google Inc. https://google.com, [email protected] | ||
| Abstract: A new API to measure and attribute cross-site conversions. | ||
| Abstract: A new API to measure and attribute cross-site events. |
There was a problem hiding this comment.
Clarified, this is about associating them to each other. Does this still seem vague to you?
index.bs
Outdated
| :: An [=url/origin=]. | ||
| : <dfn>impression data</dfn> | ||
| : <dfn>event id</dfn> | ||
| :: A [=string=]. |
There was a problem hiding this comment.
Fixed. I noted this is a 64-bit integer, but I couldn't find any precedence in the html spec for this.
| [CEReactions, Reflect] attribute DOMString attributiondestination; | ||
| [CEReactions, Reflect] attribute DOMString attributionsourceeventid; | ||
| [CEReactions, Reflect] attribute DOMString attributionreportto; | ||
| [CEReactions, Reflect] attribute unsigned long long attributionexpiry; |
There was a problem hiding this comment.
unsigned long long is not a type defined in https://html.spec.whatwg.org/#reflecting-content-attributes-in-idl-attributes
This either needs to be an unsigned long or a string. I can address this in a separate PR.
| Title: Conversion Measurement | ||
| Shortname: conversion-measurement | ||
| Title: Attribution Reporting | ||
| Shortname: attribution-reporting |
There was a problem hiding this comment.
Hopefully one change is enough :)
index.bs
Outdated
| To <dfn>parse attribution data</dfn> given a [=string=] |input| modulo an unsigned long long | ||
| |maxData| perform the following steps. They return an unsigned long long: |
There was a problem hiding this comment.
It's uncommon to use the WebIDL types inside of specs, but we don't have a uniform policy in Infra for what to do instead: whatwg/infra#87. Here I would probably use "integer" (which matches https://html.spec.whatwg.org/multipage/common-microsyntaxes.html#non-negative-integers) for input and maybe "non-negative integer less than 264" for return values instead of "unsigned long long", and then explicitly say what to do when input is out of range, or use Assert: input is between X and Y inclusive. when some other part of the spec was responsible for ensuring it.
index.bs
Outdated
| 1. If |reportingUrl| is failure or null, return null. | ||
| 1. Set |reportingOrigin| to |reportingUrl|'s [=url/origin=]. | ||
| 1. If |anchor| has an <{a/attributionexpiry}> attribute, let |expiry| be that | ||
| attribute's value in milliseconds. |
There was a problem hiding this comment.
Use HTML's integer parsing rules here too.
|
|
||
| : [=conversion/conversion source=] | ||
| : [=attribution trigger/trigger origin=] | ||
| :: |environment|'s [=environment/top-level origin=]. |
There was a problem hiding this comment.
I was worried about a hostile iframe being able to create somehow-hostile attributions to the surrounding page, but I'm not sure what attacks that would actually be useful for. It helps that the user has to click in order to make the attribution source happen. Maybe hostile triggers are more worrying, since they might cause payment from the trigger to the source? In any case, this sort of attribution (no pun intended) of one origin's actions to a different origin is worth talking about in the security considerations.
Co-authored-by: Jeffrey Yasskin <[email protected]>
This updates the draft spec to include all changes which were landed to the explainer since it was last updated.
This includes:
Algorithm definitions and variables are updated to reflect the new naming.
Preview | Diff