Fail to report click data from cross-origin subframe using ARA #185

Open
shaojieg opened this issue Aug 26, 2024 · 3 comments

Comments

@shaojieg

This is a Protected Audience project. We want to collect click time signals in a click handler. This is in a cross-origin subframe.

When we use reportEvent API to send back the click data, it works fine.

However, it doesn't work when we use setReportEventDataForAutomaticBeacons. The data of setReportEventDataForAutomaticBeacons() called in the cross-origin subframe doesn't overwrite the data set in the top frame.

The code structure is below.
- Main document that embeds an ad
  - CompanyA-owned ad top frame (calls setReportEventDataForAutomaticBeacons() with crossOriginExposed:true)
    - CompanyA-owned subframe (calls setReportEventDataForAutomaticBeacons() in the click handler and performs navigation)

@shaojieg
Author

shaojieg commented Aug 26, 2024

Possible solutions.
Option 1. Let the sub frame send a message to top frame using postMessage. And the top frame calls setReportEventDataForAutomaticBeacons() after it receives the message.
Concerns:
A. More complex code structure;
B. We would like to have the navigation ping sent after the top frame receives the message and updates the data. This might not be straightforward to support.
Option 2. The cross-origin restriction is relaxed for such cases.
Concerns: Should be very careful of the privacy issues.
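
A sketch of Option 1 above, as an added example that is not part of the original comment or the project's code: the top frame accepts click data only from an allowlisted subframe origin and acknowledges it, and the subframe navigates only after the matching ack. The origins, message fields, size cap, and the `eventType` and `destination` values are assumptions.

```javascript
// Added example. Origins, message shape and the size cap are hypothetical.
const ALLOWED_SUBFRAME_ORIGINS = new Set(['https://sub.companya.example']);
const MAX_EVENT_DATA_LENGTH = 1024;

// Top frame: build the message handler that relays click data into the
// automatic beacon. `fence` is window.fence in the ad frame; it is injected
// here so the validation logic can be exercised outside a browser.
function makeClickDataHandler(fence) {
  return function onMessage(event) {
    // Drop messages from any origin other than the expected subframe.
    if (!ALLOWED_SUBFRAME_ORIGINS.has(event.origin)) return false;
    const msg = event.data;
    // Accept only the expected message type with bounded string data.
    if (!msg || msg.type !== 'click-data' || typeof msg.eventData !== 'string') return false;
    if (msg.eventData.length > MAX_EVENT_DATA_LENGTH) return false;
    fence.setReportEventDataForAutomaticBeacons({
      eventType: 'reserved.top_navigation_commit', // assumed event type
      eventData: msg.eventData,
      destination: ['buyer'], // assumed destination
      crossOriginExposed: true,
    });
    // Ack to the sender's origin only, so the subframe can hold its
    // navigation until the data has been updated (concern B).
    event.source.postMessage({ type: 'click-data-ack', id: msg.id }, event.origin);
    return true;
  };
}

// Subframe: send click data to the top frame, then navigate only after the
// ack arrives from that frame with the matching id.
function sendClickDataThenNavigate(win, topOrigin, eventData, navigate) {
  const id = String(Date.now()) + Math.random();
  function onAck(event) {
    if (event.origin !== topOrigin || event.source !== win.parent) return;
    if (!event.data || event.data.type !== 'click-data-ack' || event.data.id !== id) return;
    win.removeEventListener('message', onAck);
    navigate();
  }
  win.addEventListener('message', onAck);
  // Explicit target origin: never '*' for data that feeds a report.
  win.parent.postMessage({ type: 'click-data', id, eventData }, topOrigin);
}

// Browser wiring in the top frame (not executed here):
//   window.addEventListener('message', makeClickDataHandler(window.fence));
```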

@blu25
Collaborator

blu25 commented Aug 26, 2024

Thanks for the report and the summary!

I'm going to look deeper into how feasible option 2 is. There will most likely be some sort of opt-in system in place, but if I can get the relevant privacy experts on board it might be possible. I'll keep you updated.

@weiziliu

Option 2 is similar to #152, in which case the document created with the FencedFrameConfig opts in with a new response header (probably with the ability to set which cross-origin domains are allowed). The cross-origin document opts in by calling reportEvent() with the crossOriginExposed=true parameter.

4 participants
@blu25 @shaojieg @weiziliu and others