We relax the requirement that the URLs used as inputs to sharedStorage.selectURL() be k-anonymous.
We currently have event-level reporting, which allows callers to associate a first-party identifier with up to three bits of cross-site data, in spite of any k-anonymity constraints. Meanwhile, requiring the input URLs to be k-anonymous increases the latency and complexity of selectURL() calls. Thus, we believe a k-anonymity requirement is of limited benefit and not worth the associated financial, performance, and utility costs.
Without k-anonymity, first-party information can be encoded in an input URL and thereby joined with cross-site data through the URL-selection process. We therefore add additional entropy limits to govern selectURL()'s use and mitigate its privacy impact.
In particular, we add two new types of entropy bit budgets whose lifetimes both coincide with that of a top-level navigation. The first budget will limit all calls from a given origin on that page during that page load to using up to 6 bits of entropy. The second will limit all calls across all origins on that page during that page load to consuming up to 12 bits of entropy. These limits will be refreshed for new top-level navigations.
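To make the budget accounting concrete, the following JavaScript models the two per-page-load budgets just described. It is an added illustration, not code from this explainer or from the Chromium implementation. It assumes (the page does not state this) that each selectURL() call is charged log2(N) bits for N candidate URLs, and that a call which would overrun either budget is denied and falls back to index 0; the origins, URLs and the `SelectUrlBudget` class are constructed for the example.

```javascript
// Added example (not Chromium or spec code): a model of the per-page-load
// entropy budgets for sharedStorage.selectURL().
// Assumptions not stated on the page: a call with N candidate URLs is charged
// log2(N) bits, and a call that would exceed either budget is denied and
// yields the default index 0 instead of the script's choice.

const PER_ORIGIN_BITS = 6;  // budget per calling origin, per top-level page load
const PER_PAGE_BITS = 12;   // budget across all origins, per top-level page load

class SelectUrlBudget {
  constructor() { this.reset(); }

  // Called on every top-level navigation: both budgets start fresh.
  reset() {
    this.pageBitsUsed = 0;
    this.originBitsUsed = new Map(); // origin -> bits charged this page load
  }

  // Bits of cross-site information one call can reveal: log2 of the URL count.
  static bitsFor(urls) {
    if (!Array.isArray(urls) || urls.length === 0) {
      throw new RangeError("selectURL needs at least one candidate URL");
    }
    return Math.log2(urls.length);
  }

  // Simulates one selectURL() call. `chosenIndex` stands in for the index the
  // worklet script picked. State is only charged when the call is allowed.
  select(origin, urls, chosenIndex) {
    const bits = SelectUrlBudget.bitsFor(urls);
    const originUsed = this.originBitsUsed.get(origin) ?? 0;
    const overOrigin = originUsed + bits > PER_ORIGIN_BITS + 1e-9;
    const overPage = this.pageBitsUsed + bits > PER_PAGE_BITS + 1e-9;
    if (overOrigin || overPage) {
      return { allowed: false, index: 0, bits, reason: overOrigin ? "origin" : "page" };
    }
    this.originBitsUsed.set(origin, originUsed + bits);
    this.pageBitsUsed += bits;
    return { allowed: true, index: chosenIndex, bits };
  }
}

// Walk through one page load with four embedded origins, then a navigation.
function scenario() {
  const budget = new SelectUrlBudget();
  // Constructed candidate lists: eight URLs cost 3 bits, two URLs cost 1 bit.
  const eight = Array.from({ length: 8 }, (_, i) => `https://cdn.example/creative/${i}`);
  const two = ["https://cdn.example/a", "https://cdn.example/b"];
  const log = [];
  log.push(budget.select("https://a.example", eight, 5)); // origin 3/6, page 3/12: ok
  log.push(budget.select("https://a.example", eight, 2)); // origin 6/6, page 6/12: ok
  log.push(budget.select("https://a.example", two, 1));   // origin would be 7: denied
  log.push(budget.select("https://b.example", eight, 7)); // page 9/12: ok
  log.push(budget.select("https://c.example", eight, 1)); // page 12/12: ok
  log.push(budget.select("https://d.example", two, 1));   // page would be 13: denied
  budget.reset();                                         // new top-level navigation
  log.push(budget.select("https://d.example", two, 1));   // fresh budgets: ok
  return log;
}
```

The third call is refused by the per-origin budget even though the page-wide budget still has room, and the sixth is refused by the page-wide budget even though d.example has used nothing; only a new top-level navigation makes the seventh call succeed.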