Integrate with Permissions Policy #40
Description
This probably needs discussion, but I suggest the following:
- We define two policy-controlled features that correspond to saveImpression and measureConversion.
- We allow those features by default in all contexts.
There is no real risk to enabling saveImpression everywhere, because it does basically nothing. At some point, browsers will probably need to drop impressions if the API is called too often, but those limits are unlikely to be hit without some pretty serious abuse. A site that abuses the API can be the first to lose impressions. That all seems manageable.
Calls to measureConversion will burn privacy budget, so there might be a reasonable case to disable it by default. However, that would mean that an intermediary would not be able to access the capability without explicit action on the part of the advertiser. Only those intermediaries that run script in the top-level context (a common practice, even if it is generally inadvisable) would be able to access the API from frames if that was the case.
Note that permissions policy manifests as a simple allowlist. That means that it would not be possible to provide precise apportionment of privacy budgets to different intermediaries. Tracking that capability is going to be a separate issue; one that we might choose to defer.