这是indexloc提供的服务,不要输入任何密码
Skip to content

Spec cross-origin reportEvent() support #152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 1, 2024
Merged

Spec cross-origin reportEvent() support #152

merged 3 commits into from
May 1, 2024

Conversation

@blu25
Copy link
Collaborator

@blu25 blu25 commented Apr 12, 2024
edited by pr-preview bot
Loading

Reporting beacons can now be sent with window.fence.reportEvent() from documents that are cross origin to a fenced frame config's mapped URL. To do this, there must be opt-in from both the document created with the FencedFrameConfig as well as the cross-origin document that wants to send the beacon. The document created with the FencedFrameConfig opts in with a new "Allow-Cross-Origin-Event-Reporting=true" response header. The cross-origin document opts in by calling reportEvent() with the crossOriginExposed=true parameter.

This PR updates the spec to match that behavior. More specifically:

  • Updates the FenceEvent IDL to match the current .idl file on the codebase.
  • Adds a way to store a new "Allow-Cross-Origin-Event-Reporting" opt-in header in the fenced frame config. This header is set in the document whose browsing context houses the fenced frame config. It makes most sense to store this in the fenced frame config directly, since it will be consulting that when calling reportEvent() anyway, and cross-origin iframes still have access to the fenced frame config instance object.
  • Modifies reportEvent() to support being called from a document that is cross-origin to the fenced frame config's mapped URL.
    • The private aggregation path has no changes, as it still doesn't have cross-origin support.
    • The destination enum/URL path adds a carve-out that allows it to continue if it's cross-origin but also has both header opt-in for the document that owns the fenced frame config + crossOriginExposed=true opt-in from the document that's sending the beacon.

Preview | Diff

@blu25 blu25 requested a review from domfarolino April 12, 2024 16:00
@domfarolino
Copy link
Collaborator

domfarolino commented Apr 24, 2024

window.fence.reportEvent() will now support being sent from documents

Methods cannot be sent. Do you mean exposed? Or am I missing something?

@domfarolino
Copy link
Collaborator

domfarolino commented Apr 24, 2024
edited
Loading

The same-origin document opts in with a new "Allow-Cross-Origin-Event-Reporting=true" response header. The cross-origin document opts in by calling reportEvent() with the crossOriginExposed=true parameter.

Can you link to the rationale for why these are different?

Edit: I think I misunderstood. Is "the same-origin document" just the fenced frame document? That is, the document created by the FencedFrameConfig, i.e., the top-level document in a <fencedframe> element?

domfarolino
domfarolino reviewed Apr 24, 2024
View reviewed changes
@blu25
Copy link
Collaborator Author

blu25 commented Apr 29, 2024

window.fence.reportEvent() will now support being sent from documents

Methods cannot be sent. Do you mean exposed? Or am I missing something?

I mean exposed. The wording should be "Beacons can be sent with window.fence.reportEvent() from documents that are cross-origin..."

The same-origin document opts in with a new "Allow-Cross-Origin-Event-Reporting=true" response header. The cross-origin document opts in by calling reportEvent() with the crossOriginExposed=true parameter.

Can you link to the rationale for why these are different?

Edit: I think I misunderstood. Is "the same-origin document" just the fenced frame document? That is, the document created by the FencedFrameConfig, i.e., the top-level document in a <fencedframe> element?

Yes. Same-origin iframes embedded in fenced frames have no control over the opt-in process. I'll update the wording to match that.

@domfarolino domfarolino merged commit dbb22ca into master May 1, 2024
@domfarolino domfarolino deleted the liam-cross-origin-reportevent branch May 1, 2024 21:38
github-actions bot added a commit that referenced this pull request May 1, 2024
@blu25 @github-actions
Spec cross-origin reportEvent() support (#152)
979626a 
SHA: dbb22ca
Reason: push, by domfarolino

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@miketaylr miketaylr mentioned this pull request May 8, 2024
Closed
@weiziliu weiziliu mentioned this pull request Aug 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@domfarolino domfarolino domfarolino approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@blu25 @domfarolino