-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace k-anonymity requirement for selectURL()
input URLs with per per-page-load entropy bit budgets
#69
Conversation
…-page-load entropy bit budgets
README.md
Outdated
|
||
#### K-anonymity Details | ||
Like [FLEDGE](https://github.com/WICG/turtledove/blob/main/FLEDGE.md), there will be a k-anonymity service to ensure that the selected URL has met its k-anonymity threshold. If it has not, its count will be increased by 1 on the k-anonymity server, but the default URL will be returned. This makes it possible to bootstrap new URLs. | ||
This event-level reporting will allow for the embedding page's 1p data to be combined with the log2(num urls in selectURL) bits of third-party shared-storage data as soon as the report is sent. Since this can be used to build up a lot of information quite quickly, we're imposing some limits on event-level reporting while it's available. That is, event-level reporting via `reportEvent` can only consume up to 9 bits per top-level page navigation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's incompatible that the event-level reporting has a limit of 9 bits per page-level nav and we allow 6 bits of selectURL() total per page-level nav. Let's just drop the event-level budget (both from budget and not enforce in code).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed.
lgtm |
We update the default Finch parameter values for the `selectURL()` per pageload limits, as discussed in WICG/shared-storage#69. Bug: 1429680,1218540 Change-Id: I9853c8b8e866d4372938884416767330b64e1075 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816 Commit-Queue: Cammie Smith Barnes <[email protected]> Reviewed-by: Yoav Weiss <[email protected]> Reviewed-by: Yao Xiao <[email protected]> Cr-Commit-Position: refs/heads/main@{#1125513}
Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540 Change-Id: I3bababec29ce704db8fa7ccad20d0a6afd60bf71 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4387349 Reviewed-by: Dominic Farolino <[email protected]> Commit-Queue: Cammie Smith Barnes <[email protected]> Reviewed-by: Yao Xiao <[email protected]> Reviewed-by: Nasko Oskov <[email protected]> Cr-Commit-Position: refs/heads/main@{#1125813}
This reverts commit dd89aa7. Reason for revert: Consistent failures on mac11-arm64 https://ci.chromium.org/ui/p/chromium/builders/ci/mac11-arm64-rel-tests/16323/overview Original change's description: > Shared Storage: Change `selectURL` limits > > We update the default Finch parameter values for the `selectURL()` > per pageload limits, as discussed in > WICG/shared-storage#69. > > Bug: 1429680,1218540 > Change-Id: I9853c8b8e866d4372938884416767330b64e1075 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816 > Commit-Queue: Cammie Smith Barnes <[email protected]> > Reviewed-by: Yoav Weiss <[email protected]> > Reviewed-by: Yao Xiao <[email protected]> > Cr-Commit-Position: refs/heads/main@{#1125513} Bug: 1429680,1218540 Change-Id: I26e4d39233f027c98d76935a2dff809186c062b1 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4396269 Bot-Commit: Rubber Stamper <[email protected]> Auto-Submit: Rune Lillesveen <[email protected]> Commit-Queue: Rubber Stamper <[email protected]> Cr-Commit-Position: refs/heads/main@{#1125837}
This is a reland of commit dd89aa7 The consistent failures on mac11-arm64 (https://ci.chromium.org/ui/p/chromium/builders/ci/mac11-arm64-rel-tests/16323/overview) were due to a math error that was not caught on CQ bots because virtual/shared-storage-fenced-frame-mparch-selecturl-limit/third_party/blink/web_tests/wpt_internal/shared_storage_selecturl_limit/run-url-selection-operation-limit-multiple-origins.https.html had a test expectation of "Timeout" on those bots owing to how long the test took with the previously large limits. Moreover, on most bots the test with the math error continued to timeout rather than fail because it was awaiting a promise that was never fulfilled/rejected owing to the error being in one of its iframes, which prevented the message the main frame was waiting for from being written to the server. So we add try/catch logic to the iframe's script along with descriptions to `assert_equals()` calls in order to make any future debugging easier. We also speculatively re-enable virtual/shared-storage-fenced-frame-mparch-selecturl-limit/third_party/blink/web_tests/wpt_internal/shared_storage_selecturl_limit/run-url-selection-operation-limit-multiple-origins.https.html on all platforms, as we believe this should address the issues that previously caused it to flake/fail. If there are issues with this test again, we should have better debugging data. Original change's description: > Shared Storage: Change `selectURL` limits > > We update the default Finch parameter values for the `selectURL()` > per pageload limits, as discussed in > WICG/shared-storage#69. > > Bug: 1429680,1218540 > Change-Id: I9853c8b8e866d4372938884416767330b64e1075 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816 > Commit-Queue: Cammie Smith Barnes <[email protected]> > Reviewed-by: Yoav Weiss <[email protected]> > Reviewed-by: Yao Xiao <[email protected]> > Cr-Commit-Position: refs/heads/main@{#1125513} Bug: 1429680,1218540,626703,1430564 Change-Id: I357be397b86b9319c2f6e7997da2fdf7d08c0d4d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4400831 Reviewed-by: Dominic Farolino <[email protected]> Reviewed-by: Yao Xiao <[email protected]> Commit-Queue: Cammie Smith Barnes <[email protected]> Cr-Commit-Position: refs/heads/main@{#1126704}
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
Chromium change: https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222 commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222 Author: Camillia Smith Barnes <[email protected]> Date: Tue Apr 4 05:09:24 2023 +0000 Shared Storage: Remove `reportEvent` limit Due to the updated limits in https://crrev.com/c/4386816 (see also WICG/shared-storage#69), we no longer need to have a budget specifically for Shared Storage calls to `fence.reportEvent()`. We remove the code that is no longer needed. Bug: 1429680,1218540
We relax the requirement that the URLs used as inputs to
sharedStorage.selectURL()
be k-anonymous.We currently have event-level reporting, which allows callers to associate a first-party identifier with up to three bits of cross-site data, in spite of any k-anonymity constraints. Meanwhile, requiring the input URLs to be k-anonymous increases the latency and complexity of
selectURL()
calls. Thus, we believe a k-anonymity requirement is of limited benefit and not worth the associated financial, performance, and utility costs.Without k-anonymity, first-party information can be encoded in an input URL and thereby joined with cross-site data through the URL-selection process. We therefore add additional entropy limits to govern
selectURL()
's use and mitigate its privacy impact.In particular, we add two new types of entropy bit budgets whose lifetimes both coincide with that of a top-level navigation. The first budget will limit all calls from a given origin on that page during that page load to using up to 6 bits of entropy. The second will limit all calls across all origins on that page during that page load to consuming up to 12 bits of entropy. These limits will be refreshed for new top-level navigations.