patcg-individual-drafts / private-aggregation-api

Explainer for proposed web platform API
https://patcg-individual-drafts.github.io/private-aggregation-api/

Why are you using well-known URIs here? #18

Closed mnot closed 1 year ago

mnot commented 1 year ago

It seems odd to use these, when you could easily convey the complete URL. What am I missing?

alexmturner commented 1 year ago

Hi, the main issue is that even the count of reports is potentially sensitive. We have some designs to hide this number (e.g. see https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATE.md#hide-the-true-number-of-attribution-reports). Allowing arbitrary URLs would unfortunately amplify the risk of this attack, e.g. someone could measure the count for a single user. It would also make certain mitigations (e.g. adding noise) more difficult. Hope this helps!

mnot commented 1 year ago

Is it that you're concerned about a server giving users different reporting URLs to track them, or that the URL would contain the number itself, or...?

BTW, I see you're using JSON in headers -- talk to your Chromium networking colleagues, best practice is now to use Structured Fields where possible.

alexmturner commented 1 year ago

Exactly, different reporting URLs to different users or groups of users (or even different URLs for the same user) would increase the risk. We could consider some mechanisms to prevent this, but a deterministic URL path seems the simplest solution.

I don't think the Private Aggregation API uses JSON in headers. For the Attribution Reporting API, please see this comment: https://github.com/WICG/attribution-reporting-api/issues/194#issuecomment-1132964270.
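
The reasoning in the thread above, as an added simulation that is not part of this issue or the Private Aggregation API project's code: a server that could hand each user its own reporting URL would recover per-user report counts (including zero) from nothing but where the reports land, while a fixed well-known path under the reporting origin pools every user's reports into one counter. The well-known path, the `reporter.example` origin, the user names and the report counts are all constructed for illustration; the real path is defined by the explainer, not here.

```python
"""Added example (not from the Private Aggregation API explainer or its authors):
simulates why report endpoints are a fixed well-known path under the reporting
origin instead of an arbitrary server-chosen URL. All names, paths and sample
data below are constructed for illustration."""
from __future__ import annotations

from collections import Counter
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical well-known path; the real path is defined by the spec, not here.
WELL_KNOWN_PATH = "/.well-known/example-aggregation/report"


def normalise_to_well_known(server_supplied_url: str) -> str:
    """Browser-side rule: keep only the scheme and host of whatever the server
    supplied and append the fixed path, so a per-user path or query string
    cannot survive into the URL the report is actually delivered to."""
    parts = urlsplit(server_supplied_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("reporting origin must be an https origin")
    return f"{parts.scheme}://{parts.netloc}{WELL_KNOWN_PATH}"


def per_user_endpoint(user_id: str) -> str:
    """What a server could do if arbitrary URLs were allowed: one URL per user."""
    return f"https://reporter.example/collect/{user_id}"


def well_known_endpoint(user_id: str) -> str:
    """What the browser delivers to: the origin plus the fixed path,
    regardless of the per-user URL the server tried to hand out."""
    return normalise_to_well_known(per_user_endpoint(user_id))


def generate_reports(user_counts: dict[str, int]) -> list[tuple[str, dict]]:
    """Constructed sample traffic: each user emits the given number of reports.
    The payload carries nothing that identifies the user."""
    return [(u, {"bucket": 1, "value": 1}) for u, n in user_counts.items() for _ in range(n)]


def deliver(reports: Iterable[tuple[str, dict]],
            endpoint_for_user: Callable[[str], str]) -> Counter:
    """Server-side view: how many reports arrived at each URL. Since the body
    is not user-identifying, the URL is the only handle the server has."""
    seen: Counter = Counter()
    for user_id, _payload in reports:
        seen[endpoint_for_user(user_id)] += 1
    return seen


def infer_user_counts(received: Counter,
                      endpoint_for_user: Callable[[str], str],
                      users: Iterable[str]) -> dict[str, int | None]:
    """Server-side inference. A user's count is recoverable only if that user
    has an endpoint nobody else shares; otherwise the reports are lost in the
    pool and the user maps to None."""
    owners: dict[str, list[str]] = {}
    for u in users:
        owners.setdefault(endpoint_for_user(u), []).append(u)
    return {
        u: (received.get(endpoint_for_user(u), 0)
            if len(owners[endpoint_for_user(u)]) == 1 else None)
        for u in users
    }


USER_COUNTS = {"alice": 3, "bob": 0, "carol": 1}  # constructed sample


def leaky_view() -> dict[str, int | None]:
    """Per-user URLs: every count, including bob's zero, is exposed."""
    received = deliver(generate_reports(USER_COUNTS), per_user_endpoint)
    return infer_user_counts(received, per_user_endpoint, USER_COUNTS)


def pooled_view() -> dict[str, int | None]:
    """Well-known path: only the pooled total is observable."""
    received = deliver(generate_reports(USER_COUNTS), well_known_endpoint)
    return infer_user_counts(received, well_known_endpoint, USER_COUNTS)


if __name__ == "__main__":
    print("per-user URLs:   ", leaky_view())
    print("well-known path: ", pooled_view())
    print("pooled total:    ", deliver(generate_reports(USER_COUNTS), well_known_endpoint))
```

The pooled total (4 here) is the only number the server sees with the well-known path, which is also the number that count-hiding mitigations such as null reports can meaningfully noise; with per-user URLs, noise added per user would have to hide a count of 0 versus 1 on every endpoint separately.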

mnot commented 1 year ago

Fair enough, thanks!