Open MattMenke2 opened 3 years ago
Actually, simplest solution would be to just have IGs list all seller origins they're willing to interact with, and don't list them in auctions run by other sellers.
Definitely agree that IGs should have a way to pick the sellers they will work with, in the same way that sellers pick the buyers they will work with. A buyer might not want to work with a particular seller for lots of reasons, revealing the renderUrl among them.
In the current model, this would work by the IG's generate_bid() looking at the auction's seller, and perhaps choosing not to place a bid. Certainly we could add a static list that would let IGs have that same result without needing to implement it in their own JS.
(It seems like wildcards in this list might still be OK, though, no?)
I think that wildcards meaning "let anyone (with a trusted server) who asks know the user is in this IG" as opposed to merely "I want to be able to participate in any auction with servers who let me" is sufficiently non-obvious and concerning in terms of privacy that we should not support it, at least for URLs that we pass to trustedScoringSignalsUrl.
Another potential option would be to collect all bids before we request trustedScoringSignalsUrl, and only pass in the URLs that there were bids for. Arguably, that would be exposing much the same information for scripts that bid unconditionally, of course, but it would require the bidder script to explicitly bid, at which point the seller would learn the URL if it wins the auction anyway.
If all reporting were declarative (i.e., we could remove reportWin, in favor of information received in generateBid()), we also wouldn't have to keep bidder worklets around in memory after they've bid, though we would have to request trustedScoringSignalsUrl only after loading all bidding scripts, which would necessarily slow auctions. We could load the seller worklet scripts in advance, though.
Oh! Good point. I agree that we can only fetch trusted scoring signals from rendering URLs that were actually submitted as bids in the auction.
While FLEDGE does require that trusted servers actually be trusted, it seems to me a bad idea to let sellers arbitrarily request (and receive) 3P data in the form of a user's IG render URLs for a particular IG owner.
e.g., evil.com has a trusted seller service. It can run an auction and claim www.IHaveNoIdeaWhoEvil.com.Is.com, and receive the render URLs of its IGs that a user is in, by using a trustedScoringSignalsUrl. While if evil.com's trusted server really adheres to the trust model it can't actually do anything with those URLs, it still seems like sending IG information to it in this case would not be desirable.
I don't currently have a proposed solution to this, but am uncomfortable with how trustedScoringSignalsUrl currently works.