Re: [private-measurement] Cross-channel measurement risks (#14)

> In the case where events are generated by script, there is generally only one relevant origin, which is the document origin. Even if the script originated on a different origin - using HTTPS, of course - it's the origin of the page (or frame) that matters.

I agree if script is the thing generating the event (e.g. in IPA). In Attribution Reporting API, the HTTP response itself is the "event", where the event is configured in HTTP headers. This is precisely because the existing web bundles so many third parties together in one "security context" aka frame.

-- 
GitHub Notification of comment by csharrison
Please view or discuss this issue at https://github.com/patcg/private-measurement/issues/14#issuecomment-1130887918 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 19 May 2022 00:59:52 UTC