
Possibility to execute document.browsingTopics() for a script HTML tag #239

Open
AurelienMozoo opened this issue Aug 28, 2023 · 3 comments

Comments

@AurelienMozoo
Contributor

It is not possible to get topic API data using document.browsingTopics() without using a non-friendly iframe context. It means a JavaScript file https://example.com/getTopicAPIDatas.js, even if the URL where the file is hosted was whitelisted after an enrollment, won't be able to execute document.browsingTopics(). Adding a non-friendly iframe that would target "https://example.com/getTopicAPIDatas.js" could have impacts on loading time of the web page or current script executions and therefore won't be the best solution.

Would it be possible to whitelist hosts/files that would allow JavaScript tags integrated directly on web pages to get topic API data?

Example: Considering a website "website.com" writing a javascript tag (<script src="https://example.com/getTopicAPIDatas.js">) and https://example.com is whitelisted/enrolled, https://example.com/getTopicAPIDatas.js would be able to execute document.browsingTopics().

@jkarlin
Collaborator

jkarlin commented Aug 28, 2023

Thanks for the feedback. From a security perspective, this isn't possible. Each document and its execution environment are associated with a single origin, that of the document. Third-party subresources loaded and executed within that same environment are considered to be owned by the origin of the document. This is to prevent unconsented data leakage from one origin to another.

@patmmccann

could have impacts on loading time of the web page or current script executions and therefore won't be the best solution.

We've found it is fine, just delay the insertion until the main thread isn't busy.
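The cross-origin iframe workaround that the opening post and the reply above discuss, as an added example (not code from this issue or from the Topics API project): the publisher page inserts a hidden frame from the enrolled origin only once the main thread is idle, the frame calls document.browsingTopics() in its own origin and posts the result back, and the parent accepts that message only after checking its origin. The caller origin https://example.com, the frame path /topics-frame.html, the embedder origin and the message shape { type: 'topics', topics: [...] } are assumptions for illustration.

```javascript
// Added example, not from the issue or the Topics API repository.
// Assumed for illustration: the enrolled caller origin, the frame path,
// and the postMessage payload shape { type: 'topics', topics: [...] }.
const TOPICS_ORIGIN = 'https://example.com';     // enrolled caller origin (assumed)
const TOPICS_FRAME_PATH = '/topics-frame.html';  // page that calls document.browsingTopics() (assumed)

// ---- Publisher page (e.g. website.com) side ----------------------------

// Build a hidden cross-origin iframe; it is not inserted into the DOM here.
function buildTopicsIframe(doc) {
  const frame = doc.createElement('iframe');
  frame.src = TOPICS_ORIGIN + TOPICS_FRAME_PATH;
  frame.setAttribute('aria-hidden', 'true');
  frame.style.display = 'none';
  return frame;
}

// Append the frame only when the main thread is idle, so the extra document
// load does not compete with the page's own scripts. `schedule` defaults to
// requestIdleCallback where it exists and to a zero-delay timer otherwise;
// it is injectable so the scheduling policy can be exercised without a browser.
function insertWhenIdle(doc, frame, schedule) {
  const idle = schedule
    || (typeof requestIdleCallback === 'function'
      ? requestIdleCallback
      : (cb) => setTimeout(cb, 0));
  idle(() => doc.body.appendChild(frame));
  return frame;
}

// Accept a message from the frame only if it really comes from the enrolled
// origin and carries a well-formed topics list; any other sender (including a
// different frame on the same page) gets null. Only integer topic ids survive.
function acceptTopicsMessage(event) {
  if (event.origin !== TOPICS_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== 'topics' || !Array.isArray(data.topics)) return null;
  return data.topics.filter((t) => Number.isInteger(t));
}

// ---- Frame (example.com) side -------------------------------------------

// Runs inside /topics-frame.html, i.e. in the caller's own origin: read the
// topics and send the ids to the embedding page. The target origin is pinned
// to the known embedder so the result is never handed to another embedder.
async function reportTopics(doc, win, embedderOrigin) {
  if (typeof doc.browsingTopics !== 'function') return [];  // API absent or not permitted
  const entries = await doc.browsingTopics();             // objects carrying a numeric `topic`
  const topics = entries.map((e) => e.topic);
  win.parent.postMessage({ type: 'topics', topics }, embedderOrigin);
  return topics;
}

// Browser entry point for the publisher page; skipped where there is no DOM.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', (ev) => {
    const topics = acceptTopicsMessage(ev);
    if (topics) console.log('topics from frame:', topics);
  });
  insertWhenIdle(document, buildTopicsIframe(document));
}
```

The frame side needs no special iframe attribute: document.browsingTopics() is called from the frame's own document, which is why the caller origin, not the publisher's, is the one recorded. The origin check on the parent is the part easiest to forget; without it any frame or script on the page can inject a fake topics list.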

@jkarlin
Collaborator

jkarlin commented Aug 29, 2023

An alternative is to provide a browsingTopics attribute on <script> tags. This should be clean from a security perspective, and not add additional latency.

Edit: To make it clear what I'm talking about, the browsingTopics attribute would imply that the network request for the js resource would include the topics in the request header. A con of this approach is this would discourage caching of your js.
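What the server behind such a request would do, as an added example (not code from this issue or from the Topics API project, and the script attribute itself does not exist): parse the topics out of the request header, respond with the observer header, and choose caching headers that keep a per-user response out of shared caches, which is the caching cost named above. The header names Sec-Browsing-Topics and Observe-Browsing-Topics and the structured-field layout "(1 2);v=chrome.1:1:2, ();p=..." are assumed from the shipped fetch/iframe variant of the API; the window.__topics global is an assumption for illustration.

```javascript
// Added example, not from the issue or the Topics API repository. Header
// names and layout are assumed from the fetch/iframe variant of the API;
// the window.__topics global is an assumption for illustration.
const REQUEST_HEADER = 'sec-browsing-topics';   // Node lowercases header names
const RESPONSE_OBSERVE_HEADER = 'Observe-Browsing-Topics';

// Parse a Sec-Browsing-Topics value such as
//   "(1 2);v=chrome.1:1:2, ();p=P0000000000000000000000000000000"
// into unique integer topic ids and the version strings that carried them.
// The trailing "();p=..." member is padding and contributes no topics.
function parseBrowsingTopicsHeader(value) {
  const topics = [];
  const versions = new Set();
  if (typeof value !== 'string') return { topics, versions: [] };
  for (const member of value.split(',')) {
    const m = member.match(/^\s*\(([^)]*)\)((?:;[^;]*)*)\s*$/);
    if (!m) continue;                                   // malformed member: ignore it
    const inner = m[1].trim();
    const ids = inner ? inner.split(/\s+/).map(Number).filter(Number.isInteger) : [];
    const v = /;v=([^;]+)/.exec(m[2]);
    if (ids.length && v) versions.add(v[1]);
    topics.push(...ids);
  }
  return { topics: [...new Set(topics)], versions: [...versions] };
}

// Build the response for the script request. With no topics header the script
// is generic and stays cacheable; once topics are embedded the body is per-user,
// so shared caching is disabled and the request header is declared in Vary.
function buildScriptResponse(requestHeaders, scriptBody) {
  const { topics, versions } = parseBrowsingTopicsHeader(requestHeaders[REQUEST_HEADER]);
  const headers = {
    'Content-Type': 'text/javascript; charset=utf-8',
    // Ask the browser to record this caller as having observed the user's topics.
    [RESPONSE_OBSERVE_HEADER]: '?1',
  };
  if (topics.length === 0) {
    headers['Cache-Control'] = 'public, max-age=3600';
    return { status: 200, headers, body: scriptBody, topics, versions };
  }
  headers['Cache-Control'] = 'private, no-store';
  headers['Vary'] = 'Sec-Browsing-Topics';
  const body = `window.__topics = ${JSON.stringify(topics)};\n${scriptBody}`;
  return { status: 200, headers, body, topics, versions };
}

// Minimal HTTP wrapper, only when run directly under Node (e.g. `node topics-server.js`).
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const http = require('http');
  const SCRIPT = 'console.log("topics seen by this script:", window.__topics || []);';
  http.createServer((req, res) => {
    const out = buildScriptResponse(req.headers, SCRIPT);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  }).listen(8080);
}
```

The branch on whether topics arrived is the whole caching trade-off: a shared cache must never serve one user's topics-bearing script to another, so the only cacheable variant is the one that carries no topics at all.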

Labels
None yet
3 participants