Move "join-ad-interest-group" & "run-ad-auction" default allowlists to self #522

Open
miketaylr opened this issue Apr 7, 2023 · 3 comments
Labels
compat concern likely to be a breaking change for developers

Comments

@miketaylr
Collaborator

Currently they're *.

@JensenPaul
Collaborator

@miketaylr miketaylr changed the title Consider moving "join-ad-interest-group" & "run-ad-auction" default allowlists to self Move "join-ad-interest-group" & "run-ad-auction" default allowlists to self Apr 7, 2023
@JensenPaul JensenPaul added the compat concern likely to be a breaking change for developers label Jun 27, 2023
@JensenPaul
Collaborator

Changing to default the allowlists to self has been our long-term plan but we've heard feedback that it blocks adoption and usability at this stage, especially in the long tail of advertisers. Providing a solution to audience stealing is an important goal of Protected Audience. Our current implementation offers opt-in protection via our Permission-Policy, and we're going to continue to look for an ergonomic solution that facilitates adoption sufficiently to offer the protection by default.

@thegreatfatzby
Contributor

Hey @JensenPaul, ended up circling back to this and have a couple of questions:

  • Is there any timeline on when the default allowlists will be changed? I don't think I'm seeing one here.
  • Is the correct way to explicitly specify the allow-list of *, so that your code can be "explicitly correct", like so: "join-ad-interest-group *; run-ad-interest-group: "? When I do that I'm still getting the warning below, although it seems to join fine (I did try '', all, and 'all', but got an invalid origin error that borked everything).

In the future, Permissions Policy feature run-ad-auction will not be enabled by default in cross-origin iframes or same-origin iframes nested in cross-origin iframes. Calling runAdAuction will be rejected with NotAllowedError if it is not explicitly enabled
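
An added example, not part of the thread or the project's code: a simplified model of how a default allowlist of `*` versus `self` changes whether `run-ad-auction` is enabled in the frame arrangements the warning above names. The frame objects, the placeholder origins and the `inherited` and `compareDefaults` helpers are hypothetical, and Permissions-Policy response headers are not modelled.

```javascript
// Added example: simplified model of Permissions Policy inheritance.
// Frame shape is hypothetical: { origin, parent, allow }, where `allow` is an
// already-parsed iframe allow attribute: { feature: '*' | [origins] }.
// Permissions-Policy response headers are not modelled.

function inherited(feature, frame, defaultAllowlist) {
  const parent = frame.parent;
  if (!parent) return true; // top-level document
  // A frame cannot have a feature that its parent document lacks.
  if (!inherited(feature, parent, defaultAllowlist)) return false;
  // An explicit allow attribute on the iframe overrides the default.
  if (frame.allow && feature in frame.allow) {
    const list = frame.allow[feature];
    return list === '*' || list.includes(frame.origin);
  }
  // No allow attribute: the feature's default allowlist decides.
  if (defaultAllowlist === '*') return true;
  return frame.origin === parent.origin; // default allowlist 'self'
}

// Constructed frame tree; all origins are placeholders.
const page = { origin: 'https://publisher.example', parent: null };
const crossOrigin = { origin: 'https://adtech.example', parent: page };
const nestedSameOrigin = { origin: 'https://publisher.example', parent: crossOrigin };
const optedIn = {
  origin: 'https://adtech.example',
  parent: page,
  allow: { 'run-ad-auction': ['https://adtech.example'] },
};

// Evaluate one frame under both defaults discussed in the issue.
function compareDefaults(feature, frame) {
  return {
    star: inherited(feature, frame, '*'),
    self: inherited(feature, frame, 'self'),
  };
}

for (const [name, frame] of Object.entries({ page, crossOrigin, nestedSameOrigin, optedIn })) {
  console.log(name, compareDefaults('run-ad-auction', frame));
}
```

Under a `self` default, only the frame whose iframe carries an explicit allow entry keeps the feature; the same-origin frame loses it because its cross-origin parent no longer has it.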
