LGTM2 On Tuesday, January 23, 2024 at 11:17:35 AM UTC+1 Mike Taylor wrote:
> Thanks Liam. This seems fine to me given that both parties need to opt in. > > LGTM1 > On 1/22/24 6:10 PM, Liam Brady wrote: > > Hi Mike, > > "crossOrigin=true" is just a typo. "crossOrigin" was the original naming > convention for "crossOriginExposed". It was renamed during code review, but > I forgot to update the I2S wording to match that. > > We chose to not go with Permissions-Policy for a few reasons. First is > that for fenced frames created through something like Protected Audience, > they have a fixed list of permissions that must be enabled for the frame to > load, so refactoring that to support one permissions policy that can be > either enabled or enabled would be a lot of effort. Doing that would also > allow 1 bit of information to leak from the embedder to the fenced frame, > which is the whole reason we locked down permissions policies in the first > place. We also didn't want the embedder to have any control over how this > header is set (such as having an embedder opt in on the frame's behalf), > and since permissions policies are based on inheritance, that was something > we needed to avoid. > On Friday, January 19, 2024 at 3:43:44 PM UTC-5 mike...@chromium.org > wrote: > >> Hi Liam, >> On 1/16/24 3:49 PM, 'Liam Brady' via blink-dev wrote: >> >> Contact emails >> >> lbr...@google.com, shiva...@chromium.org, jka...@chromium.org >> >> Explainer(s) >> >> https://github.com/WICG/turtledove/pull/904 >> >> Spec(s) >> >> https://github.com/WICG/fenced-frame/pull/133 >> >> Summary >> >> As part of the Privacy Sandbox experiment, we introduced a way for >> beacons to be sent automatically if a top-level navigation is initiated >> from within an ad frame >> <https://github.com/WICG/turtledove/blob/main/Fenced_Frames_Ads_Reporting.md#registeradbeacon-1>. >> >> At the time, we restricted this feature to frames and subframes that were >> same-origin to the root ad frame. However, there is a use case that this is >> not able to handle. With third-party ad serving (3PAS), the actual contents >> of the ad (including links/click handlers) are loaded in a cross-origin >> subframe. Because it is cross-origin, the frame does not get access to the >> automatic beacon API, and therefore is not able to report a top-level >> navigation when a user clicks on the ad. >> >> A cross-origin subframe can now opt in to sending automatic beacons by >> setting a new response header: "Allow-Fenced-Frame-Automatic-Beacons". The >> cross-origin frame still cannot set automatic beacon data; instead, the >> main ad frame will set the automatic beacon data, but opt in to having the >> data be used for cross-origin automatic beacons using a new >> "crossOrigin=true" parameter. When these 2 criteria are met, the >> cross-origin subframe will send an automatic beacon when a top-level >> navigation happens. >> >> Is "crossOrigin=true" different than the "crossOriginExposed" boolean >> defined in the spec? Or just a typo? >> >> Another question: is there any reason you chose to create a new HTTP >> header, rather than use something like Permissions-Policy? (Maybe that's >> not supported for fenced frames?) >> >> >> This feature will also fix a separate issue >> <https://github.com/WICG/turtledove/pull/808#issuecomment-1721411495> >> brought up externally and allow for ad components to opt into sending >> automatic beacons without needing to invoke >> setReportEventDataForAutomaticBeacons(); they instead will just need to >> supply the "Allow-Fenced-Frame-Automatic-Beacons" response header. This >> will not remove the existing way for ad components to opt into sending >> beacons. >> >> Blink component >> >> Blink>FencedFrames >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EFencedFrames> >> >> TAG reviews and status >> >> Fenced frames existing TAG review appended with these spec changes >> https://github.com/w3ctag/design-reviews/issues/838# >> <https://github.com/w3ctag/design-reviews/issues/838#issuecomment-1792881253> >> >> Link to Origin Trial feedback summary >> >> No Origin Trial performed >> >> Is this feature supported on all six Blink platforms (Windows, Mac, >> Linux, Chrome OS, Android, and Android WebView)? >> >> Supported on all the above platforms except Android WebView. >> >> Debuggability >> >> Additional debugging capabilities are not necessary for these feature >> changes. >> >> Risks >> >> Compatibility >> >> This is an added functionality and is backward compatible. >> >> Interoperability >> >> There are no interoperability risks as no other browsers have decided to >> implement these features yet. >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>? >> >> Link to test suite results from wpt.fyi. >> >> Yes. New automatic beacon tests have been added to test cross-origin >> beacons. >> >> automatic-beacon-cross-origin-false.https.html (test >> <https://github.com/web-platform-tests/wpt/blob/master/fenced-frame/automatic-beacon-cross-origin-false.https.html>) >> >> (results >> <https://wpt.fyi/results/fenced-frame/automatic-beacon-cross-origin-false.https.html> >> ) >> >> automatic-beacon-cross-origin-navigation.https.html (test >> <https://github.com/web-platform-tests/wpt/blob/master/fenced-frame/automatic-beacon-cross-origin-navigation.https.html>) >> >> (results >> <https://wpt.fyi/results/fenced-frame/automatic-beacon-cross-origin-navigation.https.html> >> ) >> >> automatic-beacon-cross-origin-no-data.https.html (test >> <https://github.com/web-platform-tests/wpt/blob/master/fenced-frame/automatic-beacon-cross-origin-no-data.https.html>) >> >> (results >> <https://wpt.fyi/results/fenced-frame/automatic-beacon-cross-origin-no-data.https.html> >> ) >> >> automatic-beacon-cross-origin-no-opt-in.https.html (test >> <https://github.com/web-platform-tests/wpt/blob/master/fenced-frame/automatic-beacon-cross-origin-no-opt-in.https.html>) >> >> (results >> <https://wpt.fyi/results/fenced-frame/automatic-beacon-cross-origin-no-opt-in.https.html> >> ) >> >> automatic-beacon-use-ancestor-data.https.html (test >> <https://github.com/web-platform-tests/wpt/blob/master/fenced-frame/automatic-beacon-use-ancestor-data.https.html>) >> >> (results >> <https://wpt.fyi/results/fenced-frame/automatic-beacon-use-ancestor-data.https.html> >> ) >> >> WPT directory for Fenced Frames: >> https://github.com/web-platform-tests/wpt/tree/master/fenced-frame >> >> Anticipated spec changes >> >> None >> >> Link to entry on the Chrome Platform Status >> >> https://chromestatus.com/feature/5179499557945344 >> >> Links to previous Intent discussions >> >> Intent to prototype: >> https://groups.google.com/a/chromium.org/g/blink-dev/c/Ko9UXQYPgUE/m/URRsB-qvAAAJ >> >> >> Intent to experiment: >> https://groups.google.com/a/chromium.org/g/blink-dev/c/y6G3cvKXjlg/m/Lcpmpi_LAgAJ >> >> >> Intent to ship: >> >> >> https://groups.google.com/a/chromium.org/g/blink-dev/c/tpw8wW0VenQ/m/mePLTiHlDQAJ >> >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d33531b6-bc29-4951-ab8b-3b58880568den%40chromium.org >> >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d33531b6-bc29-4951-ab8b-3b58880568den%40chromium.org?utm_medium=email&utm_source=footer> >> . >> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6ca9eb71-fbf6-4e9d-a8b1-524306d0fbaen%40chromium.org.