Consider making source-side attributionsrc pings easier to associate with existing pings #378
Comments
Making the separate request optional allows a future state in which a single URL is used to handle attribution registration and existing_ping functions. Wonder if it should be defined as: attributionsrc="src" so the definition is explicit. |
|
I am supportive of the idea of adding a new request header, and I am interested to see if it mitigates the risk of double-counting with the parallel path design. I want to add this to a future meeting agenda to discuss.
I think |
|
Another idea for discussion specifically on the view registration side: On the topic of (#347) and (2) it may make sense for the browser to allow "upgrading" of existing JS based pings (using xhr, and fetch). If a reporting origin is currently issuing attribution pings through those APIs there is no straightforward way to avoid a duplicate ping outside of moving to a different API. One solution here would be for us to extend (2) with (1) such that: Any request which contains an "Attribution-Reporting-Eligible: true" request header will be allowed to register attribution response headers. This achieves a similar "element level opt-in", and covers any JS request APIs/libraries which allow setting request headers. Example: xmlhttp.open("GET", impression_ping_url);
// Reporting origin just needs to add this line.
xmlhttp.setRequestHeader("Attribution-Reporting-Eligible", true);
xmlhttp.send(attributionData);This also makes it relatively straightforward to coalesce the various surfaces. The |
|
+1 to @johnivdel. This really just makes existing JS API simple syntactic sugar around the raw underlying APIs, so I think it makes sense to deprecate |
|
I propose that the header instead contain a set of tokens
The reporting origin can use this header to ensure that it is sending the correct registration response, if any, and the browser will use the header to determine which registrations to actually permit when processing the response. |
The window.attributionReporting.registerSource JS API is being replaced with a more general mechanism. WICG/attribution-reporting-api#378 (comment)
* Make the attributionsrc ping optional Resolves #378 * Update EVENT.md * Update EVENT.md * Update EVENT.md * Update EVENT.md Co-authored-by: Andrew Paseltiner <apaseltiner@google.com> * Update EVENT.md Co-authored-by: Andrew Paseltiner <apaseltiner@google.com> * Update EVENT.md * Update EVENT.md Co-authored-by: Charlie Harrison <csharrison@chromium.org> * Allow script elements to use attribution (#447) Resolves #446 Co-authored-by: Andrew Paseltiner <apaseltiner@google.com> Co-authored-by: Andrew Paseltiner <apaseltiner@google.com> Co-authored-by: Charlie Harrison <csharrison@chromium.org>
Currently to declare a source in the API you must provide a separate url which can register attribution response headers:
For the ad-tech, it may difficult to associate the new ping and existing ping unless certain query parameters are added. If there are multiple reporters within the attributionsrc redirect chain, this can become more complicated as there is a reliance on other parties setting these params.
This is related to #347 where it was difficult to introduce a separate ping on the trigger side.
It's possible we can improve the developer experience here by having the browser make these pings strongly associated. A few (non-exhaustive) options:
https://adtech.example/existing_pingreceivers a header:Attribution-Reporting-Eligible: false, <uuid>https://adtech.example/new_pingreceivers a header:Attribution-Reporting-Eligible: true, <uuid><uuid>would be a random id generated by the browser to associate these two requests. The adtech is then able to associate these pings with each other server-side. Redirects for each of the requests would also have this ability.Here,
https://adtech.example/existing_pingis able to register the Attribution-Reporting headers. We still retain an element level permissions model for whether a request is allowed to use the API.In theory, a similar behavior could be applied to anchor tags, where the
hrefitself could respond with headers. However, because these are potentially top-level navigations, these requests will behave very differently than attributionsrc requests. Namely, they would be in a different first party context.It is possible (1) could be used in conjunction with (2) to provide additional flexibility. Sending a header itself on attributionsrcs may also make it easier for the browser to signal whether a request can actually register (e.g. permissions policy checks, browser support without UA sniffing).
(2) has the benefit that it uses less network bandwidth + avoids making two requests in some cases.
Because (2) re-uses existing pings, the browser would have less flexibility in regards to performing+processing these pings. This may not be a problem in practice, but worth pointing out.
The text was updated successfully, but these errors were encountered: