We are landing the following changes to the Attribution Reporting API focused on: * Improving privacy for debug keys This change helps to mitigate a potential privacy gap with debug keys. Currently the API allows a source debug key or a trigger debug key to be specified if third party cookies are available and can be set by API callers. If either a source or trigger debug key is specified then it will be included in the attribution report. This may lead to a privacy leak if third party cookies are only allowed on either the publisher or the advertiser site but not both. This change mitigates this issue by enforcing that source debug keys and trigger debug keys are only included in the attribution report if they’re present on both the source and trigger, which would mean that third party cookies were available on both the publisher and advertiser site. This change will apply to both event-level reports and aggregatable reports.
This change helps to mitigate a potential privacy gap with debug keys. Currently the API allows a source debug key or a trigger debug key to be specified if third party cookies are available and can be set by API callers. If either a source or trigger debug key is specified then it will be included in the attribution report. This may lead to a privacy leak if third party cookies are only allowed on either the publisher or the advertiser site but not both. This change mitigates this issue by enforcing that source debug keys and trigger debug keys are only included in the attribution report if they’re present on both the source and trigger, which would mean that third party cookies were available on both the publisher and advertiser site. This change will apply to both event-level reports and aggregatable reports.
Explainers: https://github.com/WICG/attribution-reporting-api/pull/1403