On Mon, Jul 22, 2024 at 5:26 PM 'Maksim Orlovich' via blink-dev <blink-dev@chromium.org> wrote:

> Note: https://github.com/WICG/turtledove/pull/1230 is an updated link for
> the second spec clarification pull requests, and the first one of the two
> has landed.
>
>
> On Fri, Jul 19, 2024 at 4:40 PM Paul Jensen <pauljen...@chromium.org>
> wrote:
>
>> Contact emails
>>
>> pauljen...@chromium.org
>>
>>
>> Explainer
>>
>> https://github.com/WICG/turtledove/pull/1156
>>
>

https://github.com/WICG/turtledove/blob/main/FLEDGE.md#311-cross-origin-trusted-server-signals is an easier way of reading the same explainer text.

>
>> Specification
>>
>> https://github.com/WICG/turtledove/pull/1197
>>
>> Side note: there are two related clarification spec PRs (1
>> <https://github.com/WICG/turtledove/pull/1225>, 2
>> <https://github.com/morlovich/turtledove/pull/4>) that are soon to land
>> but our spec mentor is fine with the spec in its current state, because the
>> new PRs are queued up, even if they don't land right away. The serious meat
>> in the main PR is in place, and any gaps in interoperability are right
>> behind.
>>
>>
>> Summary
>>
>> This feature allows the Protected Audience (PA) API to fetch real-time
>> bidding and scoring signals from origins other than the origin of the buyer
>> and seller's scripts. This is done by enabling CORS on these requests and
>> some additional checks and requirements, and changes to prevent misuse.
>>
>

Can you expand on the "changes to prevent misuse" part? What misuse are we concerned with? What have we done to avoid it?

> We have heard that this is a critical feature request because dynamic
>> server-generated responses for the real-time bidding and scoring signals
>> are likely to not be served from the same servers as static resources like
>> the bidding and scoring scripts. Furthermore, in the future when the
>> real-time bidding and scoring signals requests will be required to be
>> served from TEEs, they’re even more likely to be served from different
>> servers.
>>
>> We’re also including some ergonomic improvements to our PA feature
>> detection API that make it easier to query PA feature support without
>> modifying on-page JavaScript.
>>
>>
>> Blink component
>>
>> Blink>InterestGroups
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EInterestGroups>
>>
>>
>> TAG review
>>
>> For Protected Audience:
>> https://github.com/w3ctag/design-reviews/issues/723
>>
>>
>> TAG review status
>>
>> Completed for Protected Audience, resolved unsatisfied.
>>
>>
>> Risks
>>
>>
>> Interoperability and Compatibility
>>
>> Feature represents optional new behavior that shouldn’t break existing
>> usage.
>>
>>
>> Gecko & WebKit: No signal on parent proposal, Protected Audience. Asked
>> in the Mozilla forum here
>> <https://github.com/mozilla/standards-positions/issues/770>, and in the
>> Webkit forum here
>> <https://github.com/WebKit/standards-positions/issues/158>.
>>
>>
>> Edge: Edge has announced plans to support the Ad Selection API
>> <https://github.com/WICG/privacy-preserving-ads/blob/main/README.md>
>> which shares much of its API surface with Protected Audience.
>>
>>
>> Web developers: Requested by 5+ companies (including Microsoft Ads) in
>> multiple GitHub issues: 1 <https://github.com/WICG/turtledove/issues/813>,
>> 2 <https://github.com/WICG/turtledove/issues/934>, 3
>> <https://github.com/WICG/turtledove/issues/956>.
>>
>>
>> Debuggability
>>
>> Protected Audience trusted signals requests show up in the DevTools
>> Network pane.
>>
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, ChromeOS, Android, and Android WebView)?
>>
>> It will be supported on all platforms that support Protected Audience, so
>> all but WebView.
>>
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>> ?
>>
>> Yes, in 1
>> <https://chromium-review.googlesource.com/c/chromium/src/+/5478569> and 2
>> <https://chromium-review.googlesource.com/c/chromium/src/+/5513149>.
>>
>>
>> Flag name on chrome://flags
>>
>> None
>>
>>
>> Finch feature name
>>
>> FledgePermitCrossOriginTrustedSignals
>>
>>
>> Requires code in //chrome?
>>
>> False
>>
>>
>> Estimated milestones
>>
>> Shipping on desktop and Android in M127.
>>
>>
>> Anticipated spec changes
>>
>> None
>>
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/5861201518264320
>>
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrkWa-a9HmaqoSdkVhQ8YbMpY1Q-AvJtQLsyCcAfN8jBHQ%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrkWa-a9HmaqoSdkVhQ8YbMpY1Q-AvJtQLsyCcAfN8jBHQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .