some concerns about Feature-Policy HTTP headers

[vincent-grosbois]

Hello!

We starting to think about Fledge integration with advertising websites, and we have a few concerns about the permission delegation mechanism of Feature-Policy

• Some clients, which are running their shopping page, are not super-technical, and won't know how to set a new, specific, HTTP headers
• Some clients, that are running their website through platforms (for instance Shopify, or other hosting services) won't even have the ability to set specific HTTP headers
• The rationale for using HTTP headers for permission delegation, is to ensure that this is info can be trusted as coming from the same source as whoever is making the call to joinAdInterestGroup() . However it seems to me that this requirement already exist in other parts of Fledge, and doesn't require HTTP headers to be handled. Specifically, it's handled in other parts of Fledge by assuming that url/files hosted on the same domain can be trusted.
• This is inconsistent with the .well-known url system that is based on files on server

An alternative mechanism for permission delegation could be the following:

• in joinAdInterestGroup(), client can specify an url for a "permission delegation file"
• this url is checked, and it must be from the same domain as current page domain (much like trustedBiddingSignalUrl, etc)
• the file in this url contains the list of domains that are granted permission

The rationale for doing is, is that it's much simpler for an advertiser to add a specific file on its domain (can be done with almost all platforms for hosting shopping website) than to change its HTTP headers

What do you think?