attribution-reporting-api icon indicating copy to clipboard operation
attribution-reporting-api copied to clipboard

Published 20 hours ago verified publisher icon WICG

Signal whether Attribution Reporting API is available or not

Open lbdvt opened this issue 2 years ago • 6 comments

This question refers to the end state, not the Origin Trial.

As target permissions mechanisms (see https://github.com/WICG/attribution-reporting-api/issues/558) are being discussed, I would like to highlight the buy-side need below.

Measuring an ad campaign's outcomes (e.g. sales) is essential for marketers. So buy-side participants would need:

a) to know whether Attribution Reporting is enabled for an opportunity at bid time This probably requires:

  • It should be possible for an Ad Manager to discover the permissions for each buyer (if permissions may vary on a per domain basis)
  • This set of permissions should be sent to the bid stream

b) to have some reporting on whether source registration has been successful. This would be done for control and does not need to be event-level. This probably requires:

  • A return status from the API in Chrome (probably also relates to https://github.com/WICG/attribution-reporting-api/issues/525)
  • That return status to be made available in a reporting API, if the ad is being displayed in a constrained environment (e.g. Fenced Frames)

lbdvt avatar Sep 26 '22 12:09 lbdvt

For (a), do you see this being something that the platform solves, or that would be done through coordination during bidding? It seems very difficult for the platform to solve this especially if the auction is not taking place in a tightly controlled browser environment like FLEDGE.

(b) seems totally doable. I don't believe it is any privacy violation to report that a registration failed due to permission policy. cc @linnan-github who is thinking through some of the additional debugging reports we could send. Right now we are thinking of a unified reporting scheme for failures, where we put as much data into the report as we can without violating any privacy boundary.

csharrison avatar Sep 26 '22 15:09 csharrison

Thanks for the reply,

For (a) the part that the platform may have to solve is the following one. If the permission policy includes an allowlist, it should be possible for the Ad Manager to discover the domains on this allowlist (it seems that methods such as https://developer.chrome.com/blog/privacy-sandbox-unified-origin-trial/#attribution-reporting allow only for discovery of the permissions related to the caller's domain).

Then funneling this information to the bid stream would indeed be the responsibility of the participants (SSP) in standard auction environments, or a question for FLEDGE.

lbdvt avatar Sep 27 '22 07:09 lbdvt

Hey @lbdvt , Permissions Policy also has an API getAllowlistForFeature you can use it like this:

document.featurePolicy.getAllowlistForFeature('attribution-reporting')

This will return a list of allowed origins (or * if the feature is default enabled everywhere). You can see the spec here (although unfortunately we're still using the name featurePolicy in Chrome): https://www.w3.org/TR/permissions-policy-1/#dom-permissionspolicy-getallowlistforfeature

Let me know if that's sufficient to satisfy (a).

csharrison avatar Sep 27 '22 14:09 csharrison

Yes! That should cover it for (a).

lbdvt avatar Sep 27 '22 16:09 lbdvt

I believe that verbose debug reports cover case (b). Are they planned to be a permanent feature of the reporting API?

alois-bissuel avatar Dec 15 '22 14:12 alois-bissuel

Thanks @alois-bissuel. Most of the verbose debug reports, as well as attribution-success debug reports are transitional and will be deprecated post third-party cookie deprecation due to privacy/security implications.

We will try to explore different debugging mechanisms post 3PCD and welcome any feedbacks.

linnan-github avatar Dec 15 '22 15:12 linnan-github