Remove the permissions policy need in cross-origin iFrames during the OT #41
Comments
Hi @alois-bissuel (apologies for the delay, I was ooo) IMU disabling the permissions policy isn't desirable even during the OT, given it's a security/trust feature. IMU your biggest issue at the moment is nested iframes, is this correct? E.g. what you're encountering in #38? For discussion on the blocks caused by Permissions Policy, I've filed WICG/attribution-reporting-api#519. Please do chime in on that issue with details! For your OT-related questions we should keep the conversation here in privacy-sandbox-dev-support, but since the issues you're encountering seem to be general limitations due to the permissions policy, we should also talk about it in the WICG, hence the new issue.
Thanks Maud for the answer. My issue is more broad than the nested iframes problem described in #38. Some actors in the adtech industry are not aware that this OT is taking place, and don't bother passing on the permission. I am sure that if the attribution reporting API were to be put in production, these actors would (in the long run after some adaptation) allow this API, hence my desire to remove the permission policy system. This would enable a better understanding of the performance by the final users of this API.
Thanks Alois,
I am not sure I fully understand what you are trying to say by "my real issue for the OT", but yes, exclusion of the traffic based on the availability of the OT is detrimental for us.
Thank you Alois, we're aligned. I completely understand this is an issue for experimentation.
Summary of the issues with Permissions-Policy
While Permissions-Policy is an important security/trust feature needed in the long run, it creates friction in some cases:
This affects measurement reliability. Because Permissions-Policy doesn't come into play in a 3PC measurement system, its presence in Attribution Reporting makes it difficult to compare Attribution based measurement with cookie-based measurement.
EDIT: To clarify, by "real issue for the OT", I meant to explore with you the core reason why this limits your ability to experiment, so I can best communicate the limitations of the Permissions Policy to the wider Chrome team and propose a viable solution. I'm not questioning that this is an issue. I'll come back to this thread when I hear back!
No concrete updates just yet, but just a heads-up that a proposal to mitigate this issue is currently being evaluated.
Hi @alois-bissuel, one related question: (EDIT: I'm aware feature detection doesn't solve the fact that you're losing volume due to the policy; I'm asking if feature detection would at least help you reliably correct your numbers by offsetting sources/conversions where the API wasn't available due to a missing policy)
Hello @maudnals Sorry for the very late answer, I was on vacation! We are using feature detection for a correct usage of the API (when using
Noted, thank you. One follow-up question:
Update: the Permissions-Policy default allowlist has been changed during the testing phase, to mitigate both this issue (#41) and issue #52. No code changes are needed from your side. Find all the details on the change and its timeline in this post. Thank you for reporting this problem and working with us towards a solution! Let us know in case you have a question/need troubleshooting on this change, by filing an issue here in this repo as usual.
Thanks a lot for the support!
A quick comment to indeed acknowledge that we indeed see much more traffic on our endpoints.
Hello,
I have a question regarding the need to allow the attribution reporting API in cross-origin iFrames during the . The adtech ecosystem relies a lot on cross-origin iFrames, and not all actors may be aware that this origin trial is going on and that other partners may test it. We see that some actors allow the API, but some don't do it. Thus we see that we cannot test the API on all the ads we serve.
Would it be possible to remove the requirement of permissions policy during the course of the OT?
In the long run, the ecosystem will adapt and I expect all actors to allow the API (as they will either need it themselves, or might be compelled by contractual obligations), but I think it is unreasonable to ask for every actor to adapt quickly only for the OT.