WICG / attribution-reporting-api

Attribution Reporting API
https://wicg.github.io/attribution-reporting-api/

Fail to report click data from cross-origin subframe using ARA #1399

Closed shaojieg closed 2 months ago

shaojieg commented 2 months ago

This is a Protected Audience project. We want to collect click time signals in a click handler. This is in a cross-origin subframe.

When we use the reportEvent API to send back the click data, it works fine.

However, it doesn't work when we use setReportEventDataForAutomaticBeacons. The data of setReportEventDataForAutomaticBeacons() called in the cross-origin subframe doesn't overwrite the data set in the top frame.

The code structure is below.

- Main document that embeds an ad
  - CompanyA-owned ad top frame (calls setReportEventDataForAutomaticBeacons() with crossOriginExposed:true)
    - CompanyA-owned cross-origin subframe (calls setReportEventDataForAutomaticBeacons() in the click handler and performs navigation)

shaojieg commented 2 months ago

Possible solutions.

Option 1. Let the cross-origin subframe send a message to the top frame using postMessage. The top frame then calls setReportEventDataForAutomaticBeacons() after it receives the message.

Concerns:

A. More complex code structure; multi-level iframes might be involved.

B. We would like to have the navigation ping sent after the top frame receives the message and updates the data. This might not be straightforward to support.

Option 2. The cross-origin restriction is relaxed for such cases.

Concerns: We should be very careful about the privacy issues.
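A sketch of the top-frame side of Option 1 above, added here as an example; it is not code from this thread or from the project. The subframe origin, the message shape (`click-data` / `click-data-ack`), the 1024-character bound, and the choice of `reserved.top_navigation_commit` with the `buyer` destination are assumptions for illustration. The handler checks the sender origin and payload before updating the beacon data, then acknowledges so the subframe can delay navigation until the data is set (concern B).

```javascript
// Added example: top-frame receiver for the postMessage relay (Option 1).
// SUBFRAME_ORIGIN, the message types and MAX_PAYLOAD are assumptions.
const SUBFRAME_ORIGIN = 'https://sub.companya.example'; // assumed subframe origin
const MAX_PAYLOAD = 1024; // arbitrary bound chosen for this example

// Validate one message event and, if accepted, update the automatic-beacon data.
// `fence` is window.fence in a real ad frame; it is passed in so the logic is testable.
function handleClickMessage(event, fence, allowedOrigin = SUBFRAME_ORIGIN) {
  // Exact origin match only: any other frame on the page can also postMessage here.
  if (event.origin !== allowedOrigin) return { ok: false, reason: 'origin' };

  const msg = event.data;
  // Accept only the expected message type carrying a bounded string payload.
  if (!msg || msg.type !== 'click-data' ||
      typeof msg.payload !== 'string' || msg.payload.length > MAX_PAYLOAD) {
    return { ok: false, reason: 'shape' };
  }

  fence.setReportEventDataForAutomaticBeacons({
    eventType: 'reserved.top_navigation_commit',
    eventData: msg.payload,
    destination: ['buyer'],
    crossOriginExposed: true,
  });

  // Acknowledge only after the data is set, addressed to the validated origin,
  // so the subframe can start its navigation once it sees the matching id.
  if (event.source) {
    event.source.postMessage({ type: 'click-data-ack', id: msg.id }, event.origin);
  }
  return { ok: true };
}

// Browser wiring; skipped when window.fence is unavailable (e.g. outside an ad frame).
if (typeof window !== 'undefined' && window.fence) {
  window.addEventListener('message', (e) => handleClickMessage(e, window.fence));
}
```
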

johnivdel commented 2 months ago

This looks to be a duplicate of https://github.com/WICG/fenced-frame/issues/185. It seems like the problem here is more relevant to fenced frames / PA behavior than ARA. Closing this for now, but feel free to re-open if there are any ARA-specific issues with this integration.