Closed. mnot closed this 1 year ago
Hi, the main issue is that even the count of reports is potentially sensitive. We have some designs to hide this number (e.g. see https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATE.md#hide-the-true-number-of-attribution-reports). Allowing arbitrary URLs would unfortunately amplify the risk of this attack e.g. someone could measure the count for a single user. It would also make certain mitigations (e.g. adding noise) more difficult. Hope this helps!
Is it that you're concerned about a server giving users different reporting URLs to track them, or that the URL would contain the number itself, or...?
BTW, I see you're using JSON in headers -- talk to your Chromium networking colleagues, best practice is now to use Structured Fields where possible.
Exactly, different reporting URLs to different users or groups of users (or even different URLs for the same user) would increase the risk. We could consider some mechanisms to prevent this, but a deterministic URL path seems the simplest solution.
I don't think the Private Aggregation API uses JSON in headers. For the Attribution Reporting API, please see this comment: https://github.com/WICG/attribution-reporting-api/issues/194#issuecomment-1132964270.
Fair enough, thanks!
It seems odd to use these, when you could easily convey the complete URL. What am I missing?