From 67dfa5765b24069b4a1b81f0b7c679718045ba68 Mon Sep 17 00:00:00 2001
From: Isaac Foster
Date: Sun, 17 Sep 2023 11:48:34 -0400
Subject: [PATCH] Remove Old Messaging Around Web Bundles and Temporary Nature of CDN Loading

One of the things that came up during TPAC is that the web bundles idea is on hold and that there is no current timeline for them. Since there is not currently a plan to switch to web bundles or trusted CDNs, I wanted to remove the notes about them, as I think they are probably causing more confusion now for someone coming to this and not knowing that history.
---
 FLEDGE.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/FLEDGE.md b/FLEDGE.md
index 00fb66b59..9b6e72bb8 100644
--- a/FLEDGE.md
+++ b/FLEDGE.md
@@ -697,11 +697,7 @@ The `FilterOnDataFromServer` interest group will result in fetching `https://buy The winning ad will be rendered in a [Fenced Frame](https://github.com/shivanigithub/fenced-frame): a mechanism under development for rendering a document in an embedded context which is unable to communicate with the surrounding page. This communication blockage is necessary to meet the privacy goal that sites cannot learn about their visitors' ad interests. (Note that the microtargeting prevention threshold alone is not enough to address this threat: the threshold prevents ads which could identify a single person, but it allows ads which identify a group of people that share a single interest.) -Fenced Frames are designed to be able to provide a second type of protection as well: they will not use the network to load any data from a server, instead only rendering content that was previously downloaded (e.g. as a Web Bundle). This restriction is focused on preventing information leakage based on server-side joins via timing attacks. - -_As a temporary mechanism, we will still allow network access,_ rendering the winning ad in a Fenced Frame that is able to load resources from servers. - -The TURTLEDOVE privacy goals mean that this cannot be the long-term solution. Rendering ads from previously-downloaded Web Bundles, as originally proposed, is one way to mitigate this leakage. Another possibility is ad rendering in which all network-loaded resources come from a trusted CDN that does not keep logs of the resources it serves. As with servers involved in providing the trusted bidding signals, the privacy model and browser trust mechanism for such a CDN would require further work. +The TURTLEDOVE privacy goals require a solution for preventing timing attacks via server-side joins. Rendering ads from previously-downloaded Web Bundles, as originally proposed, is one possibility. 
Another is ad rendering in which all network-loaded resources come from a trusted CDN that does not keep logs of the resources it serves. The privacy model, browser trust mechanism, and tech to accomplish this requires further work. Reports are only sent and most interest group state changes (e.g. updating `prevWins` and `bidCount`, updating k-anonymity information) are only applied if and when the winning `renderURL` is loaded in a fenced frame, in the case there is a winner, or when there is no winner. Priorities and `priorityOverrides` are updated immediately upon completion of the `generateBid()` call that invoked their respective update functions, since how the information from those are used is not expected to depend on whether the current auction was completed or not.
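Review bot: after this hunk the section no longer states the current behaviour of the winning ad's Fenced Frame, because the removed line `_As a temporary mechanism, we will still allow network access,_ rendering the winning ad in a Fenced Frame that is able to load resources from servers.` was the only sentence that said network loads are permitted today, and the added paragraph only describes what a future solution must achieve. A reader coming from the preceding paragraph (fenced frames are "unable to communicate with the surrounding page") could conclude that network access is already blocked, which misstates the timing-attack exposure. Suggest keeping one present-tense sentence, for example `Currently the winning ad is rendered in a Fenced Frame that is able to load resources from servers, so leakage via server-side joins is not yet prevented.`, ahead of the new paragraph on what the TURTLEDOVE privacy goals require. Also, in the added line `The privacy model, browser trust mechanism, and tech to accomplish this requires further work.` the verb should be `require` to agree with the plural subject.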