On Wed, Aug 7, 2024 at 11:25 AM Yoav Weiss (@Shopify) < [email protected]> wrote:
> On Wednesday, July 31, 2024 at 6:38:43 PM UTC+2 Paul Jensen wrote:
>
> > Previous to this proposal, the trusted signals were required to come from the same origin as the bidding or scoring script that processed them, and the script could safely assume that the signals it received were from its same origin. With this new ability to fetch them from another origin we wanted to avoid a couple forms of misuse:
> >
> > 1. unintentional/accidental misconfiguration where the trusted signals origin (specified in the interest group or auction configuration) could now be a different origin but the script processing these signals might not be updated to understand this or process signals from another origin, or
> > 2. intentional/malicious misconfiguration where someone might have changed the origin of the trusted signals unbeknownst to the script processing them. This isn’t possible for trusted bidding signals as the interest group (where the trusted bidding signals URL is specified) is only settable from same-origin contexts.
>
> That last part is using AsyncTask <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/probe/core_probes.h;l=83?q=AsyncTask%20f:blink&ss=chromium>? Is that well-defined in the PR? I'm not sure we have a strict concept of "context" in the platform today. TaskAttribution <https://wicg.github.io/soft-navigations/#sec-task-attribution-algorithms> took a stab at that and AsyncContext <https://github.com/tc39/proposal-async-context> is another, but I guess that making that implementation-defined <https://infra.spec.whatwg.org/#implementation-defined> would work as well for now.

When I said "the interest group is only settable from same-origin contexts", I was referring to the check that the origin of the frame (this is what I meant by "context") calling the navigator.joinAdInterestGroup() API matched the origin of the owner of the interest group.
