[Webkit-unassigned] [Bug 222838] New: PCM: Align fraud prevention token naming with issue 73 in the Privacy CG repo
bugzilla-daemon at webkit.org
Fri Mar 5 15:31:04 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=222838
Bug ID: 222838
Summary: PCM: Align fraud prevention token naming with issue 73
in the Privacy CG repo
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: wilander at apple.com
The below names for fraud prevention token link attribute, well-known locations, and report fields were suggested in https://github.com/privacycg/private-click-measurement/issues/73 and we should update WebKit’s implementation accordingly.
# Link Attribute
attributionsourcenonce/attributionSourceNonce: This is the random nonce the click source provides so that subsequent requests for signing an unlinkable token can be done with knowledge of the context of the click even though the user has left the click source webpage.
Example: <a href="https://shop.example" attributionsourceid="55" attributeon="https://shop.example" attributionsourcenonce="ABCDEFabcdef0123456789">Link to be measured</a>
# Well-Known Locations
/.well-known/private-click-measurement/sign-unlinkable-token/: This is the well-known location where the browser sends an unlinkable token together with the attribution source nonce to get a token signature.
/.well-known/private-click-measurement/get-token-public-key/: This is the well-known location where the browser fetches the public key associated with the private key used for signing tokens. Note that this key is associated with signatures that validate both unlinkable and secret tokens.
# Attribution Report Fields
source_secret_token: This field in the JSON report will contain the secret token associated with the unlinkable token signed by the click source. Note that the source prefix is needed here to allow for a similar token from the attribute-on website.
source_secret_token_signature: This field in the JSON report will contain the secret token signature associated with the unlinkable token signature from the click source. Note that the source prefix is needed here to allow for a similar signature from the attribute-on website.
Example:
{
    "source_engagement_type": "click",
    "source_site": "https://news.example",
    "source_id": 55,
    "attributed_on_site": "https://shop.example",
    "trigger_data": 10,
    "source_secret_token": <encoded token>,
    "source_secret_token_signature": <encoded signature>,
    "version": 2
}