privacycg / private-click-measurement

Private Click Measurement
https://privacycg.github.io/private-click-measurement/

Conversion reporting from embedded iframes #44

Open jinghao opened 4 years ago

jinghao commented 4 years ago

Hi @hober and @johnwilander!

Modern digital advertising is fairly complex and not every advertiser has the sophistication to manage it all entirely themselves, which is why some will hire third parties to manage the pixels on their websites. Oftentimes, those pixels are embedded in an iframe on the ad click destination page.

According to the spec, the top frame context of an ad click destination page needs to send the ad click attribution request. I understand why we don't want inline frames by default, but this is a pretty important use case that I think we can solve without sacrificing privacy.

I'm open to any way we could solve this but perhaps we can start by looking at the explainer for Conversion Measurement API:

Conversion registration requires the conversion-measurement Feature Policy to be enabled in the context the request is made. As described in Publisher Controls for Impression Declaration, this Feature Policy will be enabled by default in the top-level context and in same-origin children, but disabled in cross-origin children.

Put another way, these iframes can be explicitly annotated to delegate conversion measurement privileges to them. I think this is a great idea that solves this problem and can also help better align the different browsers' proposals.

What do you think? Thanks!
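
The delegation model the quoted explainer relies on is the ordinary Feature Policy / Permissions Policy inheritance rule: a feature with a `'self'` default allowlist is enabled in the top-level document and in same-origin children, is disabled in cross-origin children, and can be handed to a cross-origin iframe only by an explicit `allow` attribute, and only if the embedding document has the feature itself. The following is an added example, not code from the PCM spec, the Conversion Measurement API explainer, or any browser. It is a simplified offline model of that inheritance algorithm so the effect of delegating `conversion-measurement` to a third-party pixel iframe can be checked; the origins, frame tree and header values are constructed, and the feature name is the one quoted above.

```javascript
// Added example (not spec or browser code): a minimal model of Feature Policy /
// Permissions Policy inheritance, applied to the 'conversion-measurement'
// feature quoted in the issue. Origins and frames below are constructed.

// Default allowlist per feature. The explainer says conversion-measurement is
// on in the top-level context and same-origin children, off in cross-origin
// children: that is the 'self' default.
const DEFAULT_ALLOWLIST = { 'conversion-measurement': 'self' };

// An allowlist is '*', 'self', 'src', or an array of origins.
// documentOrigin is the origin the policy was declared in; srcOrigin is the
// iframe's own origin (what a bare allow="feature" attribute expands to).
function allowlistMatches(allowlist, origin, documentOrigin, srcOrigin) {
  if (allowlist === '*') return true;
  if (allowlist === 'self') return origin === documentOrigin;
  if (allowlist === 'src') return origin === srcOrigin;
  return allowlist.includes(origin);
}

// A frame is { origin, parent, allow, headerPolicy }:
//   parent       - the embedding frame, or null for the top-level document
//   allow        - the embedding <iframe allow="..."> declaration as
//                  { feature: allowlist }, or null when absent
//   headerPolicy - the document's own Feature-Policy / Permissions-Policy
//                  response header as { feature: allowlist }, or null

// What the embedding context grants to a document at `origin` inside `frame`.
function inheritedPolicy(feature, frame, origin) {
  const parent = frame.parent;
  if (parent === null) return true; // top-level: nothing above can restrict it
  // A parent cannot delegate a feature it does not itself have.
  if (!isFeatureEnabled(feature, parent, parent.origin)) return false;
  // An explicit allow attribute on the iframe decides when present.
  if (frame.allow !== null && feature in frame.allow) {
    return allowlistMatches(frame.allow[feature], origin, parent.origin, frame.origin);
  }
  // Otherwise the feature's default allowlist applies.
  return allowlistMatches(DEFAULT_ALLOWLIST[feature], origin, parent.origin, frame.origin);
}

// Is `feature` enabled in `frame`'s document for `origin`?
function isFeatureEnabled(feature, frame, origin) {
  if (!inheritedPolicy(feature, frame, origin)) return false;
  // The document's own header can only narrow what it inherited.
  if (frame.headerPolicy !== null && feature in frame.headerPolicy) {
    return allowlistMatches(frame.headerPolicy[feature], origin, frame.origin, frame.origin);
  }
  return allowlistMatches(DEFAULT_ALLOWLIST[feature], origin, frame.origin, frame.origin);
}

// Can script in `frame` trigger a conversion under this model?
function canTriggerConversion(frame) {
  return isFeatureEnabled('conversion-measurement', frame, frame.origin);
}

// Constructed frame tree for the scenario in the issue: the advertiser's click
// destination page embeds a third-party pixel manager in an iframe.
const advertiser = { origin: 'https://advertiser.example', parent: null, allow: null, headerPolicy: null };

// Same-origin helper frame: enabled without any attribute.
const sameOriginChild = { origin: 'https://advertiser.example', parent: advertiser, allow: null, headerPolicy: null };

// Third-party pixel iframe without delegation: blocked by the 'self' default.
const pixelNoDelegation = { origin: 'https://pixels.example', parent: advertiser, allow: null, headerPolicy: null };

// Same iframe embedded as <iframe allow="conversion-measurement">; the bare
// attribute expands to the frame's own origin ('src').
const pixelDelegated = { origin: 'https://pixels.example', parent: advertiser,
  allow: { 'conversion-measurement': 'src' }, headerPolicy: null };

// A frame nested inside the delegated one does not get the feature for free,
// but the pixel iframe may delegate onward with its own allow attribute.
const nestedNoDelegation = { origin: 'https://other.example', parent: pixelDelegated, allow: null, headerPolicy: null };
const nestedDelegated = { origin: 'https://other.example', parent: pixelDelegated,
  allow: { 'conversion-measurement': 'src' }, headerPolicy: null };

// If the top-level page disables the feature in its own header
// (Permissions-Policy: conversion-measurement=()), delegation passes on nothing.
const lockedDown = { origin: 'https://advertiser.example', parent: null, allow: null,
  headerPolicy: { 'conversion-measurement': [] } };
const pixelUnderLockdown = { origin: 'https://pixels.example', parent: lockedDown,
  allow: { 'conversion-measurement': 'src' }, headerPolicy: null };
```

Two points the model makes visible: delegation is per embedding edge, so a nested third-party frame needs its own `allow` from the pixel iframe, and a page whose own header turns the feature off cannot delegate it, so the advertiser keeps the final say over which frames may trigger a conversion. In a real page a frame can ask the browser the same question with `document.featurePolicy.allowsFeature('conversion-measurement')` (or the later `document.permissionsPolicy` spelling) rather than reasoning about the tree by hand.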

johnwilander commented 4 years ago

Hi! Thanks for filing. Often in these discussions we perceive it as two different perspectives.

One is that the advertiser should be in control of conversion signals. This is important and explicit delegation would maintain this.

However, an important part of our thinking is customers or end users. They don’t know about third parties and shouldn’t have to. The browser is the user agent and should do what’s in the user’s best interest. From that perspective, we tend to focus on the first parties involved. The ad click is captured for the click source first party, the conversion happens on the click destination first party website, and reports are sent to first parties.

The change we have agreed on exploring is allowing a third party to host the ad on the click source. Whether that will work with our intended fraud prevention scheme remains to be seen.

With the above in mind, are you envisioning a third party triggering the conversion on behalf of the click destination site but the rest stays the same or are you also envisioning a third party receiving any kind of report data for the conversion?

jinghao commented 4 years ago

Thanks for the response! I completely understand that model of actors in the ecosystem.

I think both are valid advertising use cases, but I'm focused more on the former use case because I am much more confident in the soundness of potential solutions with respect to the privacy model you have articulated.

I would be happy with making progress on allowing the ad click destination website to delegate triggering privileges to the iframe, and punt the question of third party reporting to a separate thread to discuss the merits of that in general, so other stakeholders can weigh in as well.

What do you think?