Comments (6)
I think third party redirects between the first and last leg of the redirect chain should be fine though.
Why is that? The super popular "cookie syncing" technique employed in the ad-tech industry works through third-party redirect chains.
For example, given the privacy problem in #9, the reporting domain can learn about the identity of the user, and then transfer that information through a third-party redirect with a colluding cross-site tracking domain to them, and have them redirect back to the reporting domain. Am I missing something?
from attribution-reporting-api.
@willgage there is some discussion of this use-case in #29, to allow multiple reporting domains to receive conversion reports.
from attribution-reporting-api.
The main restriction is that the GET request should start and end (at the .well-known address) on the same domain. That is, if the publisher drops tags to a.com, we shouldn't allow that tag to ever cause reports to be sent to b.com.
I think third party redirects between the first and last leg of the redirect chain should be fine though.
from attribution-reporting-api.
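The restriction proposed in the comment above, written out as an added example that is not part of the thread or the project's code. It accepts a chain that starts and ends on the same domain and lists the third-party hops in between, which are the hops the cookie-syncing concern is about. The hostnames, the function name `auditRedirectChain` and the `/.well-known/placeholder` path are constructed for illustration, and "same domain" is assumed to mean an exact hostname match.

```javascript
// Audit a redirect chain (ordered list of URLs, first request to final hop).
// Assumptions (not from the thread): domains are compared by exact hostname
// (a production check would compare registrable domains using the Public
// Suffix List), and the final hop only needs a path under /.well-known/.
function auditRedirectChain(urls) {
  const deny = (reason, thirdPartyHops = []) =>
    ({ allowed: false, reason, thirdPartyHops });

  if (!Array.isArray(urls) || urls.length === 0) {
    return deny("empty chain");
  }

  let hops;
  try {
    hops = urls.map((u) => new URL(u)); // throws on malformed input
  } catch (e) {
    return deny("unparseable URL in chain");
  }

  const first = hops[0];
  const last = hops[hops.length - 1];

  // Intermediate hops on other hosts: permitted by the proposal, but each one
  // is a party that could take part in a cookie sync, so report them.
  const thirdPartyHops = [...new Set(
    hops.slice(1, -1)
      .map((h) => h.hostname)
      .filter((host) => host !== first.hostname)
  )];

  if (last.hostname !== first.hostname) {
    return deny("final hop is on a different domain than the first", thirdPartyHops);
  }
  if (!last.pathname.startsWith("/.well-known/")) {
    return deny("final hop is not a .well-known address", thirdPartyHops);
  }
  return { allowed: true, reason: "starts and ends on the same domain", thirdPartyHops };
}

// Constructed sample: D redirects to R and back to D, as in the discussion.
const sampleChain = [
  "https://d.example/tag",
  "https://r.example/sync",
  "https://d.example/.well-known/placeholder",
];
console.log(auditRedirectChain(sampleChain));
```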
Hmm, let me try to see if I can understand your concern. Let’s say we have reporting domain D and third party redirector R.
If D acts alone, then it can recover a report with <64 bits impr, 3 bits conv>. If, in order to register a conversion, D redirects to R then back to D, D and R can cookie sync, which lets R also recover the information from the conversion report, as long as D and R both have third party cookies already, and D has already matched that cookie with the impression metadata. If D or R are not using third party cookies, then redirecting to R doesn’t reveal much extra with this API, since it is very hard to tie a conversion report to advertiser-side identity (which is all you have at conversion registration time without global identity).
However, if D and R are both using third party cookies, then this API doesn’t reveal anything that both parties wouldn't already know. From that perspective, this API doesn’t really make things worse in the status quo than an existing <img> tag.
Let me know if that helps clarify.
from attribution-reporting-api.
As a counterpoint to @ehsan's concern, there are valid use cases where
- Party C acts as an agent of Party A to bid within an advertising platform operated by Party B
- when a conversion event happens on Party A's site, it is not only Party B that needs to know about it, but also Party C, so that they can measure and tune performance.
In the existing model of 302 redirects and cookies, such compositions are relatively straightforward. The click goes through Party B (ad platform), then Party C (bidding agent) and finally arrives at Party A (advertiser). Each party has a chance to record the click event, and when a conversion is registered, each can be notified by pixel. Neither Party A, B or C has to fully "trust" each other's numbers -- they can independently verify.
This proposal already changes the game a little bit to say that Party B is now the gatekeeper of any conversion events related to clicks for which Party C is a stakeholder. That in itself is not ideal. Further restricting that by saying Party C can get no client-relayed information goes beyond privacy restrictions and reshapes business relationships all over the Internet.
from attribution-reporting-api.
We ended up going with a model that matches the existing flows that take advantage of / supports multiple parties in redirect paths. Closing out this old issue for now.
from attribution-reporting-api.