Fail to report click data from cross-origin subframe using ARA

[shaojieg]

This is a Protected Audience project. We want to collect click time signals in a click handler. This is in a cross-origin subframe.

When we use reportEvent API to send back the click data, it works fine.

However, it doesn't work when we use setReportEventDataForAutomaticBeacons. The data of setReportEventDataForAutomaticBeacons() called in the cross-origin subframe doesn't overwrite the data set in the top frame.

The code structure is below. Main document that embeds an ad CompanyA-owned ad top frame (calls setReportEventDataForAutomaticBeacons() with crossOriginExposed:true) CompanyA-owned subframe (calls setReportEventDataForAutomaticBeacons() in the click handler and performs navigation)

[shaojieg]

Possible solutions. Option 1. Let the sub frame send a message to top frame using postMessage. And the top frame calls setReportEventDataForAutomaticBeacons() after it receives the message. Concerns: A. More complex code structure; B. We would like to have the navigation ping sent after the top frame receives the message and updates the data. This might not be straightforward to support. Option 2. The cross-origin restriction is relaxed for such cases. Concerns: Should be very careful of the privacy issues.

[blu25]

Thanks for the report and the summary!

I'm going to look deeper into how feasible option 2 is. There will most likely be some sort of opt-in system in place, but if I can get the relevant privacy experts on board it might be possible. I'll keep you updated.

[weiziliu]

option 2 is similar to https://github.com/WICG/fenced-frame/pull/152 , in which case, the document created with the FencedFrameConfig opts in with a new response header(probably with the ability to set which cross origin domains are allowed). The cross-origin document opts in by calling reportEvent() with the crossOriginExposed=true parameter.