attribution-reporting-api
Source event limits should be time bounded
In https://github.com/WICG/attribution-reporting-api/blob/main/EVENT.md#limiting-the-number-of-unique-destinations-covered-by-pending-sources, we propose a limit on the number of sources that can be registered as "pending" at one time:
Strawman: 100 distinct destination sites per-{source site, reporting origin}, applied to all pending sources regardless of type.
We should consider changing this to:
Strawman: 100 distinct destination sites per-{source site, reporting origin, time window}, applied to all sources regardless of type
Benefits:
- Enforcement is only applied via information from a single site, so things like error reporting based on this limit no longer become privacy sensitive
- The limit is no longer susceptible to a "fast converting" attack pattern where an attacker who can convert very fast can bypass this limit.
Another idea for discussion would be adjusting the limit while keeping the concept of limiting "simultaneous" sources:
100 distinct destination sites per-{source site, reporting origin}, applied at source time by checking whether there were 100 source registrations whose [source time, source time expiry] intersects with the new source.
This would require the browser to have knowledge of all source registrations (including those that have been attributed already).
This allows reporting origins to trade off between expiry window and the number of destinations they may register in some larger time frame.
I believe this still upholds the benefits above, at the expense of a more complicated enforcement system.
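
The three enforcement rules discussed above, replayed over a constructed registration trace for a single {source site, reporting origin} pair. This is an added example, not part of the original issue or the browser's implementation; `LIMIT`, `WINDOW`, the `Source` fields and the `.example` destinations are assumptions made for illustration, and the third rule counts distinct destinations among overlapping sources.

```python
from dataclasses import dataclass
from typing import Optional

LIMIT = 3      # stand-in for the strawman's 100, kept small for the demo
WINDOW = 30.0  # assumed time window length (days); the issue does not fix one

@dataclass
class Source:
    time: float                        # registration time
    dest: str                          # destination site
    expiry: float                      # time the source expires
    converted: Optional[float] = None  # time it was attributed, if ever

def pending(prev, new):
    # Current proposal: sources still pending when `new` is registered.
    return [s for s in prev if s.expiry > new.time
            and (s.converted is None or s.converted > new.time)]

def time_window(prev, new):
    # First strawman: every source registered in the trailing window.
    return [s for s in prev if new.time - s.time < WINDOW]

def overlapping(prev, new):
    # Second idea: [time, expiry] intersects the new source's, attributed or not.
    return [s for s in prev if s.time <= new.expiry and new.time <= s.expiry]

def accepted(policy, sources):
    """Replay registrations in time order; return those the policy admits."""
    kept = []
    for new in sorted(sources, key=lambda s: s.time):
        dests = {s.dest for s in policy(kept, new)}
        if new.dest in dests or len(dests) < LIMIT:
            kept.append(new)
    return kept

def fast_converting(n):
    # Constructed trace: each source is attributed before the next registration,
    # so it never counts as pending when the next one arrives.
    return [Source(float(i), f"https://dest{i}.example", i + 30.0, i + 0.5)
            for i in range(n)]
```

With this trace the pending-based rule admits all ten destinations, while both alternatives stop at `LIMIT`.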