Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for automatic beacons in cross-origin subframes #904

Merged
merged 6 commits into from
Jan 12, 2024
Merged

Add support for automatic beacons in cross-origin subframes #904

Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6d02107
add explainer for cross origin subframe beacons
blu25 Nov 13, 2023
e271559
rename variable
blu25 Nov 22, 2023
69330c4
add sentence about ancestor behavior
blu25 Dec 7, 2023
e8a7b4b
Update Fenced_Frames_Ads_Reporting.md
blu25 Dec 18, 2023
0332d57
address review comments
blu25 Jan 3, 2024
8b98b23
clarify sentence
blu25 Jan 5, 2024
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 22 additions & 1 deletion Fenced_Frames_Ads_Reporting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,8 @@ function addBeaconData(element) {

The beacon data will be in place by the time that the navigation starts. When the navigation commits, the automatic beacon will be sent out with event data set to "link1 was clicked.".

#### Send Automatic Beacons Once

The dictionary passed into `setReportEventDataForAutomaticBeacons` also takes an optional `once` boolean that defaults to false. If `once` is set to true, the automatic beacon will only be sent for the next event. Beacons will not be sent for subsequent events until `setReportEventDataForAutomaticBeacons` is invoked again. When used with a click handler, this can be used to send beacon data only for specific top-level navigations, rather than for every top-level navigation.

For example, if a frame has multiple links that can perform top-level navigations, but only one of the links is of interest for analytics purposes, `setReportEventDataForAutomaticBeacons()` can be called in that link's click handler with `once` set to true. This will ensure that, if another link is clicked after the link with the associated automatic beacon, that other link will not result in an automatic beacon being sent out.
Expand All @@ -262,6 +264,25 @@ window.fence.setReportEventDataForAutomaticBeacons({
});
```

#### Cross-Origin Support

Data for automatic beacons can only be set by documents that are same-origin to the mapped URL of the fenced frame config. However, cross-origin documents can still send automatic beacons, if the document and the data are **both** opted in.
blu25 marked this conversation as resolved.
Show resolved Hide resolved

A cross-origin document will be considered opted into sending automatic beacons if it is served with the response header `Allow-Fenced-Frame-Automatic-Beacons: true`.

To opt in the data, the dictionary passed into `setReportEventDataForAutomaticBeacons` takes an optional `crossOriginExposed` boolean that defaults to false. If set to true, the automatic beacon data can be used if a cross-origin document wants to send an automatic beacon and is opted in. A document will use the data of the first ancestor frame that has automatic beacon data registered for the event type being sent.

```
window.fence.setReportEventDataForAutomaticBeacons({
'eventType': 'reserved.top_navigation_start',
'eventData': 'an example string',
'destination': ['seller', 'buyer'],
'crossOriginExposed': true,
});
```

blu25 marked this conversation as resolved.
Show resolved Hide resolved
#### Credentials in Beacons

When 3rd party cookies are enabled, automatic beacon requests only (not beacons sent manually through `reportEvent`) allow credentials (cookies) to be set in headers. This was requested by https://github.com/WICG/turtledove/issues/866 in order to help with migration and ARA debugging. These requests are subject to CORS and only occur after opt-in by virtue of calling the `setReportEventDataForAutomaticBeacons` API.
blu25 marked this conversation as resolved.
Show resolved Hide resolved

#### Enrollment Requirement
Expand All @@ -282,7 +303,7 @@ For fenced frames rendering the ad components under the top-level ad fenced fram
* Invocation of the `reportEvent` API from an ad component fenced frame is disallowed.
* The only supported beacons to be sent from an ad component fenced frame are the `reserved.top_navigation_start` and `reserved.top_navigation_commit` automatic beacons. Note these beacons are gated on a user activation (e.g. click).
* To ensure that there is no arbitrary data that can be received at the server from the component ad, the `eventData` field via `window.fence.setReportEventDataForAutomaticBeacons`, if specified, will be ignored. This ensures that information from the component ad URL is not revealed in the event report, or else it could lead to the join of two independently k-anonymous URLs (parent and component ad) at the receiving server.
* Automatic beacons will be sent from a component fenced frame (with no event data) when there is a user activation (e.g. click) on the ad component fenced frame, which results in a top-level navigation. The ad component must still opt in using `setReportEventDataForAutomaticBeacons` before the beacon can send.
* Automatic beacons will be sent from a component fenced frame (with no event data) when there is a user activation (e.g. click) on the ad component fenced frame, which results in a top-level navigation. The ad component must still opt in using the `Allow-Fenced-Frame-Automatic-Beacons: true` response header before the beacon can send.
blu25 marked this conversation as resolved.
Show resolved Hide resolved

```
window.fence.setReportEventDataForAutomaticBeacons({
Expand Down