Description
As per https://github.com/WICG/turtledove/blob/main/FLEDGE.md#21-initiating-an-on-device-auction :

> All fields that specify URLs for loading scripts or JSON (`decisionLogicURL` and `trustedScoringSignalsURL`) must be same-origin with seller...
And, as expected, you get the following error from the API if you violate this requirement:

```
TypeError: Failed to execute 'runAdAuction' on 'Navigator': decisionLogicURL 'https://subdomain.example.com/seller.js' for AuctionAdConfig with seller 'https://example.com' must match seller origin.
```
Similar to what was noted in #421, there are similar considerations for SSPs (aka sellers): the `decisionLogicURL` is CDN-friendly, effectively a static asset, while the `trustedScoringSignalsURL` needs to generate a dynamic response from the seller, and is not CDN-friendly.
https://github.com/privacysandbox/attestation/blob/main/how-to-enroll.md allows ad techs to register their TLD+1 domains -- is there a possibility that the same-origin requirement can be similarly relaxed? In other words, so that an `auctionConfig` could contain:

```js
'seller': 'https://www.example-ssp.com',
'decisionLogicURL': 'https://cdn.example-ssp.com/.....',
'trustedScoringSignalsURL': 'https://tss.example-ssp.com/....',
```
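As an added example (not code from the FLEDGE spec, from Chromium, or from this issue's author), the JavaScript below validates an `auctionConfig` the way the quoted same-origin rule does, producing the same error text the browser emits, and side by side runs the site-level relaxation the issue asks about so the two policies can be compared on the same input. `checkAuctionConfig`, `registrableDomain`, `SELLER_ORIGIN_FIELDS` and `SAMPLE_CONFIG` are this example's own names; the registrable-domain helper is a deliberate simplification that takes the last two DNS labels and ignores the Public Suffix List.

```javascript
// Added example: compares the current same-origin rule for seller URLs
// (FLEDGE.md section 2.1) with a hypothetical "same site" (TLD+1) relaxation.

// Fields that must be same-origin with `seller` under the current rule.
const SELLER_ORIGIN_FIELDS = ['decisionLogicURL', 'trustedScoringSignalsURL'];

// Registrable domain approximated as the last two DNS labels.
// ASSUMPTION/simplification: a real implementation must consult the
// Public Suffix List so that hosts like "example.co.uk" are handled correctly.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Validate one auctionConfig. `mode` is 'origin' (the rule as specified)
// or 'site' (scheme + registrable domain, the relaxation the issue proposes).
// Returns an array of error strings, empty when the config passes; the
// strings mirror the browser's TypeError text quoted in the issue.
function checkAuctionConfig(config, mode = 'origin') {
  const errors = [];
  let sellerUrl;
  try {
    sellerUrl = new URL(config.seller);
  } catch {
    return [`seller '${config.seller}' is not a valid URL`];
  }
  for (const field of SELLER_ORIGIN_FIELDS) {
    if (!(field in config)) continue; // trustedScoringSignalsURL is optional
    let url;
    try {
      url = new URL(config[field]);
    } catch {
      errors.push(`${field} '${config[field]}' is not a valid URL`);
      continue;
    }
    const ok = mode === 'origin'
      ? url.origin === sellerUrl.origin
      : url.protocol === sellerUrl.protocol &&
        registrableDomain(url.hostname) === registrableDomain(sellerUrl.hostname);
    if (!ok) {
      errors.push(
        `${field} '${config[field]}' for AuctionAdConfig with seller ` +
        `'${config.seller}' must match seller ${mode}.`
      );
    }
  }
  return errors;
}

// Constructed sample input: the split-host layout described in the issue.
const SAMPLE_CONFIG = {
  seller: 'https://www.example-ssp.com',
  decisionLogicURL: 'https://cdn.example-ssp.com/seller.js',
  trustedScoringSignalsURL: 'https://tss.example-ssp.com/signals',
};

// Under the current rule both URLs are rejected; under the site rule both pass.
console.log(checkAuctionConfig(SAMPLE_CONFIG, 'origin'));
console.log(checkAuctionConfig(SAMPLE_CONFIG, 'site'));
```

Running the block shows two errors in `origin` mode and none in `site` mode for the same config, which is exactly the gap the issue is about; note that the `site` check still insists on a matching scheme, so an `http://` CDN host would not be accepted under either policy.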