Clarify Validations on Sellers trustedScoringSignalsUrl, Path of Bidding/Scoring Signals URL #790

Open
thegreatfatzby opened this issue Sep 10, 2023 · 0 comments

I'm wondering if the technical explainer is missing some things or if I am.

Bidding Signals URL - More Strict
In the sections involving biddingSignalsUrl the spec (see 2.12 here) calls out detailed validations that include:

  1. Valid URL
  2. HTTPS
  3. Same origin
  4. Credentialless
  5. No Query Params
  6. No fragment

If any of those fail a TypeError is thrown.

Based on how the full request to the Trusted Bidding Signals server happens, where QS params are thrown out, this validation makes sense as the query params and fragment would be silently thrown out, which would be hard to debug, etc.
(You can see that algorithm by searching for "build trusted bidding signals url " in the spec).

Trusted Scoring Signals
In the sections involving trustedScoringSignalsUrl for validations I see:

  • Valid URL
  • HTTPS
  • Same origin
  • (Search "Let trustedScoringSignalsURL be the result of running the URL parser on" in the spec).

If any of those fail a TypeError is thrown.

So at first glance it seems that 4, 5, and 6 from the bidding URL validations are skipped here. However, looking at the stated algorithm for building the trusted scoring signals, query params and fragment would be overwritten, and so I think the credentialless applies as well.

Questions
I'm assuming that the tech spec portion for trusted scoring should add 4, 5, 6. Is that right?

Also, I suppose for any of the URLs, is there any limitation on the path?
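
The two check lists from the issue above, run side by side over the same inputs. This is an added example, not part of the original issue and not code from the spec or any browser. The function names, the `strict` option, the owner origin and the sample URLs are constructed, and "credentialless" is assumed to mean no username or password in the URL.

```javascript
// Added illustration: not code from the spec or from any browser.
// checkSignalsUrl, verdict and the sample URLs are constructed for this example.
const OWNER = "https://seller.example"; // constructed owner origin

function checkSignalsUrl(input, ownerOrigin, { strict }) {
  let url;
  try {
    url = new URL(input); // 1. valid URL
  } catch {
    throw new TypeError("invalid URL");
  }
  if (url.protocol !== "https:") throw new TypeError("not HTTPS"); // 2
  if (url.origin !== ownerOrigin) throw new TypeError("not same origin"); // 3
  if (strict) {
    // Assumption: "credentialless" means no username or password in the URL.
    if (url.username !== "" || url.password !== "") {
      throw new TypeError("includes credentials"); // 4
    }
    // url.search and url.hash are "" for a bare "?" or "#", so test the
    // serialized href, which keeps the delimiter.
    if (url.href.includes("?")) throw new TypeError("has query"); // 5
    if (url.href.includes("#")) throw new TypeError("has fragment"); // 6
  }
  return url.href;
}

// Returns "ok" or the TypeError message for one input.
function verdict(input, strict) {
  try {
    checkSignalsUrl(input, OWNER, { strict });
    return "ok";
  } catch (e) {
    if (e instanceof TypeError) return e.message;
    throw e;
  }
}

const samples = [
  "https://seller.example/signals",
  "https://seller.example/signals?v=2",
  "https://seller.example/signals?",
  "https://seller.example/signals#frag",
  "https://user:pw@seller.example/signals",
  "http://seller.example/signals",
];
for (const s of samples) {
  console.log(s, "| checks 1-3:", verdict(s, false), "| checks 1-6:", verdict(s, true));
}
```

The inputs that pass checks 1-3 but fail 4-6 are the ones whose credentials, query string or fragment would otherwise be dropped or overwritten without any error reaching the caller.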

@thegreatfatzby thegreatfatzby changed the title Clarify Validations on Sellers trustedScoringSignalsUrl Clarify Validations on Sellers trustedScoringSignalsUrl, Path of Bidding/Scoring Signals URL Sep 10, 2023