Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace k-anonymity requirement for selectURL() input URLs with per per-page-load entropy bit budgets #69

Merged
merged 2 commits into from
Mar 31, 2023

Conversation

pythagoraskitty
Copy link
Collaborator

We relax the requirement that the URLs used as inputs to sharedStorage.selectURL() be k-anonymous.

We currently have event-level reporting, which allows callers to associate a first-party identifier with up to three bits of cross-site data, in spite of any k-anonymity constraints. Meanwhile, requiring the input URLs to be k-anonymous increases the latency and complexity of selectURL() calls. Thus, we believe a k-anonymity requirement is of limited benefit and not worth the associated financial, performance, and utility costs.

Without k-anonymity, first-party information can be encoded in an input URL and thereby joined with cross-site data through the URL-selection process. We therefore add additional entropy limits to govern selectURL()'s use and mitigate its privacy impact.

In particular, we add two new types of entropy bit budgets whose lifetimes both coincide with that of a top-level navigation. The first budget will limit all calls from a given origin on that page during that page load to using up to 6 bits of entropy. The second will limit all calls across all origins on that page during that page load to consuming up to 12 bits of entropy. These limits will be refreshed for new top-level navigations.

@pythagoraskitty pythagoraskitty requested a review from jkarlin March 27, 2023 17:09
README.md Outdated

#### K-anonymity Details
Like [FLEDGE](https://github.com/WICG/turtledove/blob/main/FLEDGE.md), there will be a k-anonymity service to ensure that the selected URL has met its k-anonymity threshold. If it has not, its count will be increased by 1 on the k-anonymity server, but the default URL will be returned. This makes it possible to bootstrap new URLs.
This event-level reporting will allow for the embedding page's 1p data to be combined with the log2(num urls in selectURL) bits of third-party shared-storage data as soon as the report is sent. Since this can be used to build up a lot of information quite quickly, we're imposing some limits on event-level reporting while it's available. That is, event-level reporting via `reportEvent` can only consume up to 9 bits per top-level page navigation.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's incompatible that the event-level reporting has a limit of 9 bits per page-level nav and we allow 6 bits of selectURL() total per page-level nav. Let's just drop the event-level budget (both from budget and not enforce in code).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed.

@jkarlin
Copy link
Collaborator

jkarlin commented Mar 31, 2023

lgtm

@pythagoraskitty pythagoraskitty merged commit dc36236 into main Mar 31, 2023
@pythagoraskitty pythagoraskitty deleted the cammie-branch1 branch March 31, 2023 19:05
aarongable pushed a commit to chromium/chromium that referenced this pull request Apr 3, 2023
We update the default Finch parameter values for the `selectURL()`
per pageload limits, as discussed in
WICG/shared-storage#69.

Bug: 1429680,1218540
Change-Id: I9853c8b8e866d4372938884416767330b64e1075
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816
Commit-Queue: Cammie Smith Barnes <[email protected]>
Reviewed-by: Yoav Weiss <[email protected]>
Reviewed-by: Yao Xiao <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1125513}
aarongable pushed a commit to chromium/chromium that referenced this pull request Apr 4, 2023
Due to the updated limits in https://crrev.com/c/4386816
(see also WICG/shared-storage#69), we no
longer need to have a budget specifically for Shared Storage calls
to `fence.reportEvent()`. We remove the code that is no longer needed.

Bug: 1429680,1218540
Change-Id: I3bababec29ce704db8fa7ccad20d0a6afd60bf71
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4387349
Reviewed-by: Dominic Farolino <[email protected]>
Commit-Queue: Cammie Smith Barnes <[email protected]>
Reviewed-by: Yao Xiao <[email protected]>
Reviewed-by: Nasko Oskov <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1125813}
aarongable pushed a commit to chromium/chromium that referenced this pull request Apr 4, 2023
This reverts commit dd89aa7.

Reason for revert: Consistent failures on mac11-arm64

https://ci.chromium.org/ui/p/chromium/builders/ci/mac11-arm64-rel-tests/16323/overview


Original change's description:
> Shared Storage: Change `selectURL` limits
>
> We update the default Finch parameter values for the `selectURL()`
> per pageload limits, as discussed in
> WICG/shared-storage#69.
>
> Bug: 1429680,1218540
> Change-Id: I9853c8b8e866d4372938884416767330b64e1075
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816
> Commit-Queue: Cammie Smith Barnes <[email protected]>
> Reviewed-by: Yoav Weiss <[email protected]>
> Reviewed-by: Yao Xiao <[email protected]>
> Cr-Commit-Position: refs/heads/main@{#1125513}

Bug: 1429680,1218540
Change-Id: I26e4d39233f027c98d76935a2dff809186c062b1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4396269
Bot-Commit: Rubber Stamper <[email protected]>
Auto-Submit: Rune Lillesveen <[email protected]>
Commit-Queue: Rubber Stamper <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1125837}
aarongable pushed a commit to chromium/chromium that referenced this pull request Apr 5, 2023
This is a reland of commit dd89aa7

The consistent failures on mac11-arm64

(https://ci.chromium.org/ui/p/chromium/builders/ci/mac11-arm64-rel-tests/16323/overview)

were due to a math error that was not caught on CQ bots because

virtual/shared-storage-fenced-frame-mparch-selecturl-limit/third_party/blink/web_tests/wpt_internal/shared_storage_selecturl_limit/run-url-selection-operation-limit-multiple-origins.https.html

had a test expectation of "Timeout" on those bots owing to how long
the test took with the previously large limits.

Moreover, on most bots the test with the math error continued to timeout rather than fail because it was awaiting a promise that was never fulfilled/rejected owing to the error being in one of its iframes, which prevented the message the main frame was waiting for from being written to the server. So we add try/catch logic to the iframe's script along with descriptions to `assert_equals()` calls in order to make any future debugging easier.

We also speculatively re-enable

virtual/shared-storage-fenced-frame-mparch-selecturl-limit/third_party/blink/web_tests/wpt_internal/shared_storage_selecturl_limit/run-url-selection-operation-limit-multiple-origins.https.html

on all platforms,
as we believe this should address the issues that previously caused it to flake/fail.

If there are issues with this test again, we should have better debugging data.

Original change's description:
> Shared Storage: Change `selectURL` limits
>
> We update the default Finch parameter values for the `selectURL()`
> per pageload limits, as discussed in
> WICG/shared-storage#69.
>
> Bug: 1429680,1218540
> Change-Id: I9853c8b8e866d4372938884416767330b64e1075
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4386816
> Commit-Queue: Cammie Smith Barnes <[email protected]>
> Reviewed-by: Yoav Weiss <[email protected]>
> Reviewed-by: Yao Xiao <[email protected]>
> Cr-Commit-Position: refs/heads/main@{#1125513}

Bug: 1429680,1218540,626703,1430564
Change-Id: I357be397b86b9319c2f6e7997da2fdf7d08c0d4d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4400831
Reviewed-by: Dominic Farolino <[email protected]>
Reviewed-by: Yao Xiao <[email protected]>
Commit-Queue: Cammie Smith Barnes <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1126704}
cdesouza-chromium added a commit to brave/brave-core that referenced this pull request Apr 13, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
cdesouza-chromium added a commit to brave/brave-core that referenced this pull request Apr 14, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
cdesouza-chromium added a commit to brave/brave-core that referenced this pull request Apr 20, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
emerick pushed a commit to brave/brave-core that referenced this pull request Apr 24, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
cdesouza-chromium added a commit to brave/brave-core that referenced this pull request Apr 28, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
cdesouza-chromium added a commit to brave/brave-core that referenced this pull request Apr 30, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
cdesouza-chromium added a commit to brave/brave-core that referenced this pull request May 6, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
cdesouza-chromium added a commit to brave/brave-core that referenced this pull request May 15, 2023
Chromium change:
https://chromium.googlesource.com/chromium/src/+/cc4801b01dcb6a583e54ea2ca533bb78bcdca222

commit cc4801b01dcb6a583e54ea2ca533bb78bcdca222
Author: Camillia Smith Barnes <[email protected]>
Date:   Tue Apr 4 05:09:24 2023 +0000

    Shared Storage: Remove `reportEvent` limit

    Due to the updated limits in https://crrev.com/c/4386816
    (see also WICG/shared-storage#69), we no
    longer need to have a budget specifically for Shared Storage calls
    to `fence.reportEvent()`. We remove the code that is no longer needed.

    Bug: 1429680,1218540
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants