Replace k-anonymity requirement for selectURL() input URLs with per-page-load entropy bit budgets #69
README.md (outdated diff)
#### K-anonymity Details
Like [FLEDGE](https://github.com/WICG/turtledove/blob/main/FLEDGE.md), there will be a k-anonymity service to ensure that the selected URL has met its k-anonymity threshold. If it has not, its count will be increased by 1 on the k-anonymity server, but the default URL will be returned. This makes it possible to bootstrap new URLs.
This event-level reporting will allow for the embedding page's 1p data to be combined with the log2(num urls in selectURL) bits of third-party shared-storage data as soon as the report is sent. Since this can be used to build up a lot of information quite quickly, we're imposing some limits on event-level reporting while it's available. That is, event-level reporting via `reportEvent` can only consume up to 9 bits per top-level page navigation.
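Review bot: the second paragraph leaves `reportEvent` with a 9-bit budget per top-level navigation, which is larger than the 6 bits per origin (12 bits per page) per page load that this PR allows `selectURL()` to consume, so the event-level limit would never be the binding one and the two numbers read as contradictory; drop the 9-bit event-level budget sentence or restate it in terms of the new per-page-load budgets.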
It's incompatible that the event-level reporting has a limit of 9 bits per page-level nav and we allow 6 bits of selectURL() total per page-level nav. Let's just drop the event-level budget (both from budget and not enforce in code).
Removed.
lgtm
We update the default Finch parameter values for the `selectURL()` per pageload limits, as discussed in WICG/shared-storage#69.

Bug: 1429680,1218540
Change-Id: I9853c8b8e866d4372938884416767330b64e1075
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816
Commit-Queue: Cammie Smith Barnes <cammie@chromium.org>
Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1125513}
Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed.

Bug: 1429680,1218540
Change-Id: I3bababec29ce704db8fa7ccad20d0a6afd60bf71
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4387349
Reviewed-by: Dominic Farolino <dom@chromium.org>
Commit-Queue: Cammie Smith Barnes <cammie@chromium.org>
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1125813}
This reverts commit dd89aa7.

Reason for revert: Consistent failures on mac11-arm64
https://ci.chromium.org/ui/p/chromium/builders/ci/mac11-arm64-rel-tests/16323/overview

Original change's description:
> Shared Storage: Change `selectURL` limits
>
> We update the default Finch parameter values for the `selectURL()`
> per pageload limits, as discussed in
> WICG/shared-storage#69.
>
> Bug: 1429680,1218540
> Change-Id: I9853c8b8e866d4372938884416767330b64e1075
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816
> Commit-Queue: Cammie Smith Barnes <cammie@chromium.org>
> Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
> Reviewed-by: Yao Xiao <yaoxia@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1125513}

Bug: 1429680,1218540
Change-Id: I26e4d39233f027c98d76935a2dff809186c062b1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4396269
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#1125837}
This is a reland of commit dd89aa7

The consistent failures on mac11-arm64 (https://ci.chromium.org/ui/p/chromium/builders/ci/mac11-arm64-rel-tests/16323/overview) were due to a math error that was not caught on CQ bots because virtual/shared-storage-fenced-frame-mparch-selecturl-limit/third_party/blink/web_tests/wpt_internal/shared_storage_selecturl_limit/run-url-selection-operation-limit-multiple-origins.https.html had a test expectation of "Timeout" on those bots owing to how long the test took with the previously large limits.

Moreover, on most bots the test with the math error continued to time out rather than fail because it was awaiting a promise that was never fulfilled/rejected owing to the error being in one of its iframes, which prevented the message the main frame was waiting for from being written to the server. So we add try/catch logic to the iframe's script along with descriptions to `assert_equals()` calls in order to make any future debugging easier.

We also speculatively re-enable virtual/shared-storage-fenced-frame-mparch-selecturl-limit/third_party/blink/web_tests/wpt_internal/shared_storage_selecturl_limit/run-url-selection-operation-limit-multiple-origins.https.html on all platforms, as we believe this should address the issues that previously caused it to flake/fail. If there are issues with this test again, we should have better debugging data.

Original change's description:
> Shared Storage: Change `selectURL` limits
>
> We update the default Finch parameter values for the `selectURL()`
> per pageload limits, as discussed in
> WICG/shared-storage#69.
>
> Bug: 1429680,1218540
> Change-Id: I9853c8b8e866d4372938884416767330b64e1075
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816
> Commit-Queue: Cammie Smith Barnes <cammie@chromium.org>
> Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
> Reviewed-by: Yao Xiao <yaoxia@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1125513}

Bug: 1429680,1218540,626703,1430564
Change-Id: I357be397b86b9319c2f6e7997da2fdf7d08c0d4d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4400831
Reviewed-by: Dominic Farolino <dom@chromium.org>
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Commit-Queue: Cammie Smith Barnes <cammie@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1126704}
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <cammie@chromium.org>
Date: Tue Apr 4 05:09:24 2023 +0000

Shared Storage: Remove `reportEvent` limit

Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed.

Bug: 1429680,1218540
We relax the requirement that the URLs used as inputs to `sharedStorage.selectURL()` be k-anonymous. We currently have event-level reporting, which allows callers to associate a first-party identifier with up to three bits of cross-site data, in spite of any k-anonymity constraints. Meanwhile, requiring the input URLs to be k-anonymous increases the latency and complexity of `selectURL()` calls. Thus, we believe a k-anonymity requirement is of limited benefit and not worth the associated financial, performance, and utility costs.

Without k-anonymity, first-party information can be encoded in an input URL and thereby joined with cross-site data through the URL-selection process. We therefore add additional entropy limits to govern `selectURL()`'s use and mitigate its privacy impact.

In particular, we add two new types of entropy bit budgets whose lifetimes both coincide with that of a top-level navigation. The first budget will limit all calls from a given origin on that page during that page load to using up to 6 bits of entropy. The second will limit all calls across all origins on that page during that page load to consuming up to 12 bits of entropy. These limits will be refreshed for new top-level navigations.
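The two-tier budget described in the PR, as an added model that is neither Chromium's nor the spec's code. It charges each `selectURL()` call log2(number of URLs) bits against both the caller's per-origin budget (6 bits) and the shared per-page budget (12 bits), returns the default URL when either would overflow, and refreshes on a new top-level navigation; the fractional log2 cost and the "charge nothing on overflow" rule are assumptions, and `PageLoadEntropyBudget`, `demo` and the `*.example` origins are constructed names.

```javascript
// Added example, not Chromium's or the spec's code: a model of the two per-page-load
// entropy budgets this PR proposes. The fractional log2 cost and the "return the
// default URL, charge nothing" overflow behaviour are assumptions from the PR text.
const PER_ORIGIN_BITS = 6;  // per calling origin, per top-level page load
const PER_PAGE_BITS = 12;   // across all origins on the page, per top-level page load

class PageLoadEntropyBudget {
  constructor() { this.reset(); }
  // A new top-level navigation refreshes both budgets.
  reset() { this.pageUsed = 0; this.originUsed = new Map(); }
  // Choosing among n URLs can reveal log2(n) bits of cross-site data
  // (assumed fractional for non-powers of two; a single URL costs 0 bits).
  static bitsFor(numUrls) { return Math.log2(numUrls); }

  // Returns the index the embedding page may observe. If either budget would be
  // exceeded, the default (index 0) is returned and nothing is charged, so no
  // cross-site bits leak.
  selectURL(origin, numUrls, chosenIndex) {
    if (!Number.isInteger(numUrls) || numUrls < 1 ||
        !Number.isInteger(chosenIndex) || chosenIndex < 0 || chosenIndex >= numUrls) {
      throw new RangeError("invalid selectURL() arguments");
    }
    const bits = PageLoadEntropyBudget.bitsFor(numUrls);
    const used = this.originUsed.get(origin) ?? 0;
    const eps = 1e-9;  // tolerate floating-point rounding of fractional costs
    if (used + bits > PER_ORIGIN_BITS + eps || this.pageUsed + bits > PER_PAGE_BITS + eps) {
      return { index: 0, charged: 0, allowed: false };
    }
    this.originUsed.set(origin, used + bits);
    this.pageUsed += bits;
    return { index: chosenIndex, charged: bits, allowed: true };
  }
}

// Constructed walk-through: origin a spends its 6 bits in two 8-URL calls (3 bits each);
// origin b still has its own 6 bits, but spending them exhausts the 12-bit page cap
// for every origin; a new top-level navigation refreshes both budgets.
function demo() {
  const b = new PageLoadEntropyBudget();
  const allowed = [];
  allowed.push(b.selectURL("https://a.example", 8, 5).allowed);  // a: 3/6, page: 3/12
  allowed.push(b.selectURL("https://a.example", 8, 2).allowed);  // a: 6/6, page: 6/12
  allowed.push(b.selectURL("https://a.example", 2, 1).allowed);  // a over budget -> default
  allowed.push(b.selectURL("https://b.example", 64, 9).allowed); // b: 6/6, page: 12/12
  allowed.push(b.selectURL("https://c.example", 2, 1).allowed);  // page cap hit -> default
  b.reset();                                                      // new top-level navigation
  allowed.push(b.selectURL("https://c.example", 2, 1).allowed);
  return allowed;  // [true, true, false, true, false, true]
}
```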