Minor: Should Delegation File Need Access-Control-Allow-Origin for Given Site to Load? #1030

Open
thegreatfatzby opened this issue Feb 11, 2024 · 1 comment

Comments

@thegreatfatzby
Contributor

Just upfront, you've got way bigger fish to fry, this isn't blocking anything, and I'm guessing this is just a basic web thing that can't or shouldn't be bypassed...but do want to ask.

It seems that the IG delegation file won't load if Access-Control-Allow-Origin isn't set to allow the calling origin, as a CORS denial shows up in issues (you can see the example here (working on getting the instance a bit more stable :) ) ).

Since the delegation file is there for the browser to learn about what the application wants to allow, and if a result is returned presumably the application returned that intentionally, why not auto-accept the file's results regardless of that header?

@thegreatfatzby thegreatfatzby changed the title Minor: Should Delegation File Need Access-Control-Allow-Origin for Given Site to Load Minor: Should Delegation File Need Access-Control-Allow-Origin for Given Site to Load? Feb 11, 2024
@MattMenke2
Contributor

Sorry for the slow response.

The reason for this is that we currently expose whether the fetch blocked a cross-origin IG join or not by having joinAdInterestGroup throw on failure (if the .well-known fetch fails or blocks the operation). While this doesn't expose the entire contents of the fetched resource, it does expose information about them. As a result, we enable CORS and set the initiator of the request to the origin of the calling frame, just as if the frame had made the fetch itself.

We could change behavior not to expose the result (I don't think we want to introduce a behavior of "only expose result if Access-Control-Allow-Origin is present" - that's a novel behavior. The code would then have to fit effectively in the middle of the fetch call, as opposed to above the call to fetch).

In general, we want to avoid introducing new no-CORS requests to the web platform. Admittedly, we're doing it for other FLEDGE fetches currently, but we have plans to change that, at least for requests that are not to a trusted server.
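An added example, not part of the thread or of the project's code: handler logic an interest group owner could use to serve the delegation file so that the CORS check described above passes only for delegated origins. It assumes the `/.well-known/interest-group/permissions/?origin=...` path and JSON shape from the Protected Audience (FLEDGE) explainer; the origins, the allowlist and the function name are constructed for illustration.

```javascript
// Added example; origins and allowlist are constructed for illustration.
const WELL_KNOWN_PATH = '/.well-known/interest-group/permissions/';

// Hypothetical delegation policy of the interest group owner.
const DELEGATED = new Map([
  ['https://publisher.example', { joinAdInterestGroup: true, leaveAdInterestGroup: true }],
  ['https://partner.example', { joinAdInterestGroup: true, leaveAdInterestGroup: false }],
]);
const DENY = { joinAdInterestGroup: false, leaveAdInterestGroup: false };

// Returns { status, headers, body } for a GET to the delegation endpoint.
// requestUrl: path + query as received; originHeader: value of the Origin
// request header (the calling frame's origin, since the fetch is CORS-mode).
function permissionsResponse(requestUrl, originHeader) {
  const url = new URL(requestUrl, 'https://owner.example');
  if (url.pathname !== WELL_KNOWN_PATH) {
    return { status: 404, headers: {}, body: '' };
  }
  const asked = url.searchParams.get('origin');
  // Vary: Origin keeps caches from replaying one origin's answer to another.
  const headers = { 'Content-Type': 'application/json', 'Vary': 'Origin' };

  // Grant only when the query origin, the Origin header and the allowlist
  // agree. A mismatch is treated as a denial (a choice made in this example).
  const policy = asked && asked === originHeader ? DELEGATED.get(asked) : undefined;
  if (!policy) {
    // No Access-Control-Allow-Origin: the browser's CORS check fails, the
    // caller's joinAdInterestGroup() fails, and the body stays unreadable.
    return { status: 200, headers, body: JSON.stringify(DENY) };
  }
  // Echo the specific origin, never "*": the header is what lets the caller
  // observe the outcome of the join.
  headers['Access-Control-Allow-Origin'] = asked;
  return { status: 200, headers, body: JSON.stringify(policy) };
}
```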
