On Friday, July 26, 2024 at 5:28:22 AM UTC-4 Yoav Weiss wrote:
On Mon, Jul 22, 2024 at 5:26 PM 'Maksim Orlovich' via blink-dev < blink-dev@chromium.org> wrote:

Note: https://github.com/WICG/turtledove/pull/1230 is an updated link for the second spec clarification pull request, and the first one of the two has landed.

On Fri, Jul 19, 2024 at 4:40 PM Paul Jensen <pauljen...@chromium.org> wrote:

Summary

This feature allows the Protected Audience (PA) API to fetch real-time bidding and scoring signals from origins other than the origin of the buyer's and seller's scripts. This is done by enabling CORS on these requests and some additional checks and requirements, and changes to prevent misuse.

Can you expand on the "changes to prevent misuse" part? What misuse are we concerned with? What have we done to avoid it?

Previous to this proposal, the trusted signals were required to come from the same origin as the bidding or scoring script that processed them, and the script could safely assume that the signals it received were from its same origin. With this new ability to fetch them from another origin we wanted to avoid a couple of forms of misuse:

1. unintentional/accidental misconfiguration where the trusted signals origin (specified in the interest group or auction configuration) could now be a different origin but the script processing these signals might not be updated to understand this or process signals from another origin, or

2. intentional/malicious misconfiguration where someone might have changed the origin of the trusted signals unbeknownst to the script processing them.

This isn't possible for trusted bidding signals as the interest group (where the trusted bidding signals URL is specified) is only settable from same-origin contexts.
Auction configurations (where the trusted scoring signals URL is specified) don't have the same same-origin setting requirements, but this is why this proposal requires the scoring script to include the Ad-Auction-Allow-Trusted-Scoring-Signals-From response header, which lists allowed origins for the trusted scoring signals. Misconfiguration here could look like a scoring script allowing two trusted scoring signals origins, and someone switching between these allowed origins unexpectedly.

To prevent these misconfigurations, we changed how the trusted signals are passed to the scripts: they are passed in a new parameter so as not to be confused with the previously always-same-origin signals parameter, and this new parameter is a map from the origin of the signals to the signals themselves. This was discussed as risk #2 in my GitHub post <https://github.com/WICG/turtledove/issues/813#issuecomment-2003946175>.

The Ad-Auction-Allow-Trusted-Scoring-Signals-From header also prevents the trusted scoring signals request from being sent to unexpected origins.
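The two protections described in the reply above, as an added illustration that is not code from the thread, from the Protected Audience spec, or from Chromium: (a) the browser-side check that a cross-origin trusted scoring signals fetch is only sent to an origin the scoring script's Ad-Auction-Allow-Trusted-Scoring-Signals-From header lists, and (b) a scoring script that reads the origin-keyed map and pins the one origin it expects, so that switching the auction config between two allowed origins is noticed rather than silently consumed. The header value format (a comma-separated list of double-quoted origins), the parameter name crossOriginTrustedScoringSignals, the shape of the signals object and all helper names are assumptions for illustration; check the spec PRs linked above for the real names.

```javascript
// Added example, not from the thread, the spec or Chromium.
// Assumed header format: "https://signals-a.example", "https://signals-b.example"

// Parse the Ad-Auction-Allow-Trusted-Scoring-Signals-From header into a Set of
// origins. Anything malformed or non-https makes the whole header allow nothing
// (fail closed), so a typo cannot widen the allow list.
function parseAllowedSignalsOrigins(headerValue) {
  const allowed = new Set();
  if (typeof headerValue !== 'string' || headerValue.trim() === '') return allowed;
  for (const item of headerValue.split(',')) {
    const m = item.trim().match(/^"([^"]*)"$/);
    if (!m) return new Set();
    try {
      const u = new URL(m[1]);
      if (u.protocol !== 'https:') return new Set();
      allowed.add(u.origin);
    } catch {
      return new Set();
    }
  }
  return allowed;
}

// Browser-side decision: may the trusted scoring signals request be sent?
// Same-origin with the scoring script is the pre-existing, always-allowed case;
// any other origin must appear in the scoring script's response header.
function trustedScoringSignalsFetchAllowed(scriptUrl, signalsUrl, headerValue) {
  const scriptOrigin = new URL(scriptUrl).origin;
  const signalsOrigin = new URL(signalsUrl).origin;
  if (signalsOrigin === scriptOrigin) return true;
  return parseAllowedSignalsOrigins(headerValue).has(signalsOrigin);
}

// Shape of the new parameter as described in the thread: a map from the
// signals origin to the signals, kept apart from the same-origin parameter.
function buildCrossOriginSignals(signalsUrl, signalsBody) {
  return { [new URL(signalsUrl).origin]: signalsBody };
}

// A scoreAd-style function (simplified; assumed signals shape {multiplier}).
// It pins the origin it is willing to take signals from. If the auction config
// was pointed at a different origin, even one the header allows, the script
// rejects the ad instead of scoring it with data from an unexpected source.
function scoreAdWithPinnedSignals(expectedOrigin, bid, crossOriginTrustedScoringSignals) {
  const signals = crossOriginTrustedScoringSignals
    ? crossOriginTrustedScoringSignals[expectedOrigin]
    : undefined;
  if (signals === undefined) {
    return { desirability: 0, reason: 'signals-origin-mismatch' };
  }
  const multiplier = Number.isFinite(signals.multiplier) ? signals.multiplier : 1;
  return { desirability: bid * multiplier, reason: 'ok' };
}

// Constructed walk-through: header allows two origins, config switches to b,
// script pinned to a notices.
const EXAMPLE_HEADER = '"https://signals-a.example", "https://signals-b.example"';
const EXAMPLE_SIGNALS = buildCrossOriginSignals('https://signals-b.example/kv', { multiplier: 2 });
console.log(trustedScoringSignalsFetchAllowed('https://seller.example/score.js', 'https://signals-b.example/kv', EXAMPLE_HEADER));
console.log(scoreAdWithPinnedSignals('https://signals-a.example', 5, EXAMPLE_SIGNALS));
console.log(scoreAdWithPinnedSignals('https://signals-b.example', 5, EXAMPLE_SIGNALS));
```

The fail-closed parsing is a deliberate choice: the header is the only thing standing between a seller-controlled auction config and an arbitrary origin, so an unparsable value should block the fetch rather than be partially honoured.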