Seller trusted server and domain

[eysegal]

Hi, using the seller trusted server, we would like to verify the validity of the rendered items, for example to validate if the title meets certain publisher requirements. We see that the domain is not part of the url, unlike in the buyer trusted server, but we have to receive it since different constraints are applied for different publishers.
Can this be added?

[michaelkleber]

The request to the seller's trusted server begins with the trustedScoringSignalsURL, which is specified in the auction config. So you (the seller) can include in the request URL any information that you know at the time your are building the auction config.

[dmdabbs]

That would have to be placed in the path since Chrome builds the final URL from the "base" and the query it assembles from the parameter values, https://wicg.github.io/turtledove/#build-trusted-scoring-signals-url. Or Chrome merges params it builds with any present on the base URL.

FWIW, for fun I appended ?foo=bar to my "base url" value. Chrome didn't include the value, but it did cause the request to be CORS preflighted.

[MattMenke2]

I'm surprised we don't throw if there's a query string in the trusted scoring signals URL. But yes, we do overwrite the entire query param for trusted signals URLs.

[MattMenke2]

The reason for not merging URLs is that the auctionConfig comes from a third party, and we don't want the publisher to run an auction, and insert, say, ?publisher=foo, possibly with different capitalization, so the server would get two publisher fields, and may incorrectly use the wrong one. (edit: should be hostname=, rather than publisher=)

[dmdabbs]

I understand the safety/correctness concern. Just adding for OP that including any information one knows is currently constrained to the path.

[michaelkleber]

1. Yes, thanks all for pointing out that if you want to put more information in the call to the seller trusted server, you need to put it in the path and not the ?foo=bar part of the base URL.

2. Rereading this, I see that the original ask was "We see that the domain is not part of the url". I don't think that's right: I believe the call to the seller's trusted server, just like the call to the buyer's trusted server, includes hostname=publishersite.com as the first browser-added URL parameter.

[eysegal]

Thanks @michaelkleber, we were a bit confused since it's not mentioned here https://github.com/WICG/turtledove/blob/main/FLEDGE_Key_Value_Server_API.md
Thanks for clarifying.

[michaelkleber]

Oh good point! @peiwenhu is this just an accidental oversight, or is there any history here? It's step 2 of To build trusted scoring signals url in the spec.

[peiwenhu]

Ohh. It was an accidental oversight. When the API doc was being written, the spec didn't exist so there might have been some misunderstanding.

I'll correct it ASAP.