MattMenke2
commented
1 year ago These are needed because we're exposing the results from one site to another - we could, of course, just use CORS, though there are questions of what site is the initiator, since there are multiple parties involved (publisher page initiated the auction, the "owner" is the source of all URLs. The results of the requests are being exposed to the bidding logic URL).
I don't think anyone has invested time in figuring out just want sort of "this cross-site request is OK to expose to this third party" signal we need to allow this.
michaelkleber
In the current implementation of FLEDGE,
biddingLogicUrl,biddingWasmHelperUrl,dailyUpdateUrlandtrustedBiddingSignalsUrlmust have the same origin as the interest group owner.The Fledge Explainer states that this may not be a long term constraint but does not provide a timeline for when this constraint may be lifted.
Ask Clarify if and when this requirement will be lifted
Why is this needed Requiring these Urls to have the same origin as the interest group owner causes some architectural constraints on ad-tech implementations for Fledge. Below are some example use-cases that this requirement is blocking
biddingLogicandbiddingWasmHelperurls. The assets served by these endpoints are fairly static and could be served by a CDN to optimize for request latency, but this is not possible with the same-origin requirement.trustedBiddingSignalsUrlIn the trusted server model, a request is made from the client directly to the Trusted Execution Environment. This suggests that the trusted server needs its own origin, separate from the interest group owner’s origin.