Consider waiving attributionsrc for triggers
#347
Comments
maudnals
changed the title
attributionsrc for triggers?attributionsrc for triggers
maudnals
added
the
developer-input
|
Some of the implications here: This would dis-align the permissions model on the source and trigger side. With attributionsrc, we have a tag-level opt-in to the API. Processing headers without the attribute would be similar to the previous version, all subresources on the page would be able to register triggers. On the source side, this permissive model would make it easy to abuse limits on unattributed sources (such as the 100 reporting origin limit). On the trigger side, we don't have any rate-limits which operate on unattributed triggers, so there is less concern for DOS style attacks. We do have limits on attributed triggers, but this is already contingent on an action from a publisher site, and these limits include reporting origin in the scope. Based on this, I think it would be reasonable to remove the requirement to support pre-existing conversion tags. |
Removes the attributionsrc requirement for trigger registration, fixing #347
* Resolve todo on supporting legacy conversion pings Removes the attributionsrc requirement for trigger registration, fixing #347 * Update EVENT.md * Update EVENT.md Co-authored-by: Andrew Paseltiner <[email protected]> Co-authored-by: Andrew Paseltiner <[email protected]>
This CL adds processing for non-attributionsrc trigger registration as proposed in: WICG/attribution-reporting-api#347 WICG/attribution-reporting-api#360 This change parses and plumbs the data to the browser process. Browser process registration is implemented in crrev.com/c/3518045. Bug: 1294286 Change-Id: Id6c2c24ec936bcb47d6add6292f49b9aba13aa59 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3518053 Reviewed-by: John Delaney <[email protected]> Reviewed-by: Andrew Paseltiner <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Nan Lin <[email protected]> Cr-Commit-Position: refs/heads/main@{#981615}
This CL adds processing for non-attributionsrc trigger registration as proposed in: WICG/attribution-reporting-api#347 WICG/attribution-reporting-api#360 This change parses and plumbs the data to the browser process. Browser process registration is implemented in crrev.com/c/3518045. Bug: 1294286 Change-Id: Id6c2c24ec936bcb47d6add6292f49b9aba13aa59 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3518053 Reviewed-by: John Delaney <[email protected]> Reviewed-by: Andrew Paseltiner <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Nan Lin <[email protected]> Cr-Commit-Position: refs/heads/main@{#981615} NOKEYCHECK=True GitOrigin-RevId: 648503f0ee23669946ebcd7115c957ab05bc65ef
Question/Feedback from developer:
The text was updated successfully, but these errors were encountered: