You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We starting to think about Fledge integration with advertising websites, and we have a few concerns about the permission delegation mechanism of Feature-Policy
Some clients, which are running their shopping page, are not super-technical, and won't know how to set a new, specific, HTTP headers
Some clients, that are running their website through platforms (for instance Shopify, or other hosting services) won't even have the ability to set specific HTTP headers
The rationale for using HTTP headers for permission delegation, is to ensure that this is info can be trusted as coming from the same source as whoever is making the call to joinAdInterestGroup() . However it seems to me that this requirement already exist in other parts of Fledge, and doesn't require HTTP headers to be handled. Specifically, it's handled in other parts of Fledge by assuming that url/files hosted on the same domain can be trusted.
This is inconsistent with the .well-known url system that is based on files on server
An alternative mechanism for permission delegation could be the following:
in joinAdInterestGroup(), client can specify an url for a "permission delegation file"
this url is checked, and it must be from the same domain as current page domain (much like trustedBiddingSignalUrl, etc)
the file in this url contains the list of domains that are granted permission
The rationale for doing is, is that it's much simpler for an advertiser to add a specific file on its domain (can be done with almost all platforms for hosting shopping website) than to change its HTTP headers
What do you think?
The text was updated successfully, but these errors were encountered:
Hello!
We starting to think about Fledge integration with advertising websites, and we have a few concerns about the permission delegation mechanism of
Feature-Policy
.well-known
url system that is based on files on serverAn alternative mechanism for permission delegation could be the following:
The rationale for doing is, is that it's much simpler for an advertiser to add a specific file on its domain (can be done with almost all platforms for hosting shopping website) than to change its HTTP headers
What do you think?
The text was updated successfully, but these errors were encountered: