Add trusted key-value server options #1264
|
||
Either trusted server may optionally include a numeric `Data-Version` header on the response to indicate the state of the data that generated this response, which will then be available in bid generation/scoring and reporting. This version number should not depend on any properties of the request, only the state of the server. Ideally, the number would only increment and at any time would be identical across all servers in a fleet. In practice a small amount of skew is permitted for operational reasons, including propagation delays, staged rollouts, and emergency rollbacks. The version number should be formatted with only the digits `[0-9]` with no leading `0`s and fit in a 32-bit unsigned integer. | ||
If `trustedBiddingSignalsCoordinator` or `trustedScoringSignalsCoordinator` is presented, the request will be sent to a trusted key-value-type server. Because the server is trusted, there is no k-anonymity constraint on this request. The browser needs to trust that the server's return value for each key will be based only on that key and the hostname, and that the server does no event-level logging and has no other side effects based on these requests. |
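Review bot: The paragraph beginning "If `trustedBiddingSignalsCoordinator` or `trustedScoringSignalsCoordinator` is presented" never says what value the coordinator field holds or what the browser does with it, so a reader cannot tell how the trust that the last sentence relies on is established. Suggest stating what the field contains and what role it plays in the request, and changing "is presented" to "is present". Since the k-anonymity constraint is lifted on the strength of that trust, the statement that the return value is "based only on that key and the hostname" should match what the request actually carries.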
> Because the server is trusted, there is no k-anonymity constraint on this request.
Does opting into the TEE model enable more granular trusted bidding fetch info (e.g. full page url versus simply the top-level domain as mentioned here), or is this remnant wording? Reviewing the KV Server API the schema references hostname (versus page url or similar):
"properties": {
"hostname": {
"description": "The hostname of the top-level frame calling runAdAuction().",
"type": "string"
},
This is remnant wording here, but I suspect the answer to your question is in #1105.
Yep, I linked to @itaysharfi's comment in #1105.
FLEDGE.md
Outdated
@@ -26,9 +26,11 @@ See [the Protected Audience API specification](https://wicg.github.io/turtledove | |||
- [2.5 Additional Trusted Signals (directFromSellerSignals)](#25-additional-trusted-signals-directfromsellersignals) | |||
- [2.5.1 Using Subresource Bundles](#251-using-subresource-bundles) | |||
- [2.5.2 Using Response Headers](#252-using-response-headers) | |||
- [3. Buyers Provide Ads and Bidding Functions (BYOS for now)](#3-buyers-provide-ads-and-bidding-functions-byos-for-now) | |||
- [3. Buyers Provide Ads and Bidding Functions](#3-buyers-provide-ads-and-bidding-functions-byos-for-now) |
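Review bot: In the table-of-contents entry for section 3, the link text drops "(BYOS for now)" but the fragment is still `#3-buyers-provide-ads-and-bidding-functions-byos-for-now`. If the section heading is renamed to match the new link text, the fragment needs to be updated to the new heading's slug, otherwise this entry points at an anchor that no longer exists.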
This link looks broken by the change in section name below.
FLEDGE.md
Outdated
@@ -736,7 +744,7 @@ The `perInterestGroupData` dictionary contains optional data for interest groups | |||
|
|||
The `updateIfOlderThanMs` optional field specifies that the interest group should be updated via the `updateURL` mechanism (see the [interest group attributes](#12-interest-group-attributes) section) if the interest group hasn't been joined or updated in a duration of time exceeding `updateIfOlderThanMs` milliseconds. Updates that ended in failure, either parse or network failure, are not considered to increment the last update or join time. An `updateIfOlderThanMs` that's less than 10 minutes will be clamped to 10 minutes. | |||
|
|||
Similarly, sellers may want to fetch information about a specific creative, e.g. the results of some out-of-band ad scanning system. This works in much the same way as [`trustedBiddingSignalsURL`](#31-fetching-real-time-data-from-a-trusted-server), with the base URL coming from the `trustedScoringSignalsURL` property of the seller's auction configuration object. The parameter `experimentGroupId` comes from `sellerExperimentGroupId` in the auction configuration if provided. However, the URL has two sets of keys: "renderUrls=url1,url2,..." and "adComponentRenderUrls=url1,url2,..." for the main and adComponent renderURLs bids offered in the auction. Note that the query params use "Urls" instead of "URLs". It is up to the client how and whether to aggregate the fetches with the URLs of multiple bidders. | |||
Similarly, sellers may want to fetch information about a specific creative, e.g. the results of some out-of-band ad scanning system. This works in much the same way as [`trustedBiddingSignalsURL`](#311-trusted-signals-server-with-byos-model). If `trustedScoringSignalsCoordinator` is not presented, it will send the trusted scoring signals fetch request to BYOS server, with the base URL coming from the `trustedScoringSignalsURL` property of the seller's auction configuration object. The parameter `experimentGroupId` comes from `sellerExperimentGroupId` in the auction configuration if provided. However, the URL has two sets of keys: "renderUrls=url1,url2,..." and "adComponentRenderUrls=url1,url2,..." for the main and adComponent renderURLs bids offered in the auction. Note that the query params use "Urls" instead of "URLs". It is up to the client how and whether to aggregate the fetches with the URLs of multiple bidders. |
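Review bot: In the rewritten "Similarly, sellers may want to fetch" paragraph, the sentence "If `trustedScoringSignalsCoordinator` is not presented, it will send ..." has no antecedent for "it" and covers only the case where the coordinator is absent, while the rest of the paragraph (the `renderUrls` and `adComponentRenderUrls` query keys) reads as if it applied unconditionally. Suggest naming the browser as the subject, writing "to a BYOS server", and stating explicitly which request format applies when the coordinator is present.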
This needs to be reworded so it doesn't sound like the base URL only comes from `trustedScoringSignalsURL` when `trustedScoringSignalsCoordinator` is not presented, as the base URL only comes from `trustedScoringSignalsURL` always.
FLEDGE.md
Outdated
|
||
For detailed specification and explainers of the trusted key-value server, see also the following: | ||
As [noted in the key value trust model](https://github.com/privacysandbox/fledge-docs/blob/main/key_value_service_trust_model.md), the key value service is publicly queryable, so to prevent potentially leaking user information, keys should be either: not individually identifying (e.g. applying to many people, perhaps to all people who visited an advertiser page and that an ad campaign might show to) or unguessable (e.g. using random identifiers that are assigned at interest group join time and known only to the caller of joinAdInterestGroup). They should not be uniquely identifying and use guessable keys (e.g. hashed email address, name, or phone number). |
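Review bot: The last sentence of the key-guidance paragraph, "They should not be uniquely identifying and use guessable keys", can be read as two separate prohibitions, which conflicts with the preceding sentence that accepts keys as long as they are either not individually identifying or unguessable. Suggest "Keys should not be both uniquely identifying and guessable (e.g. hashed email address, name, or phone number)". Also, "see also the following:" on the line above is followed by this paragraph rather than by a list of references.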
This paragraph does not belong in the TEE-only section as it applies to both BYOS and TEE KV servers. Perhaps we could move it up to section 3.1
Add trustedBiddingSignalsCoordinator and trustedScoringSignalsCoordinator description.
Add trustedScoringSignalsCoordinator to auction config for trusted scoring signals KVv2 fetching. Also add `maxTrustedBiddingSignalsURLLength` case for interest groups in `devtools_serialization.cc`. Explainer update: WICG/turtledove#1264 Bug: 337917489 Change-Id: I0061c914862513069658921a245b91c6e7958b08
Add trustedScoringSignalsCoordinator to auction config for trusted scoring signals KVv2 fetching. Also add `maxTrustedBiddingSignalsURLLength` case for interest groups in `devtools_serialization.cc`. Explainer update: WICG/turtledove#1264 Bug: 337917489 Change-Id: I0061c914862513069658921a245b91c6e7958b08 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5805217 Commit-Queue: Tianyang Xu <[email protected]> Reviewed-by: Caleb Raitto <[email protected]> Reviewed-by: Ken Buchanan <[email protected]> Cr-Commit-Position: refs/heads/main@{#1348785}
…auction config, a=testonly Automatic update from web-platform-tests Add trustedScoringSignalsCoordinator to auction config Add trustedScoringSignalsCoordinator to auction config for trusted scoring signals KVv2 fetching. Also add `maxTrustedBiddingSignalsURLLength` case for interest groups in `devtools_serialization.cc`. Explainer update: WICG/turtledove#1264 Bug: 337917489 Change-Id: I0061c914862513069658921a245b91c6e7958b08 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5805217 Commit-Queue: Tianyang Xu <[email protected]> Reviewed-by: Caleb Raitto <[email protected]> Reviewed-by: Ken Buchanan <[email protected]> Cr-Commit-Position: refs/heads/main@{#1348785} -- wpt-commits: c215b3a6ed4c09185d8d60e0e0d16a11463b5f9b wpt-pr: 47865
…auction config, a=testonly Automatic update from web-platform-tests Add trustedScoringSignalsCoordinator to auction config Add trustedScoringSignalsCoordinator to auction config for trusted scoring signals KVv2 fetching. Also add `maxTrustedBiddingSignalsURLLength` case for interest groups in `devtools_serialization.cc`. Explainer update: WICG/turtledove#1264 Bug: 337917489 Change-Id: I0061c914862513069658921a245b91c6e7958b08 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5805217 Commit-Queue: Tianyang Xu <xtlsheepgoogle.com> Reviewed-by: Caleb Raitto <caraittochromium.org> Reviewed-by: Ken Buchanan <kenrbchromium.org> Cr-Commit-Position: refs/heads/main{#1348785} -- wpt-commits: c215b3a6ed4c09185d8d60e0e0d16a11463b5f9b wpt-pr: 47865 UltraBlame original commit: bf0b117d97126ec3d851e73edbe525cd3242bbc8
Add trustedBiddingSignalsCoordinator and trustedScoringSignalsCoordinator description.