[Webkit-unassigned] [Bug 225783] PCM: How can I check if PCM feature is enabled in a given Safari instance?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 13 16:25:44 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=225783

--- Comment #4 from John Wilander <wilander at apple.com> ---
(In reply to Maojie from comment #3)
> Hi John, I would like to add another reason why we think this signal is
> useful from the point of social.example's side. :) 
> 
> To integrate with PCM, the social.example server needs to make the decision
> about if a HTTP 302 redirect request needs to be sent in order to tell the
> browser to trigger the attribution. Before making that realtime decision,
> social.example needs to know if there is already an unattributed click
> already stored locally within the browser. Otherwise, social.example needs
> to request 302 HTTP redirect for every tag firing it received. However, if
> only small percentage of Safari upgraded to the version which supports PCM,
> then most of HTTP 302 redirect requests would be unnecessary. Hope this make
> senses to you.

I think this indicates a misunderstanding. No site should ever know if there is a stored click that would match a redirect. No webpage should ever know anything about the inner state of PCM since that would allow for covert cross-site data leakage that can be tied to a user. Concretely, anyone, including social.example, could learn that a specific user has previously clicked a PCM link to land on this website. No one should learn such info about the user. That is a core requirement of PCM.

It is the clear intention to have all the pixels redirect in a speculative manner so that *if* there is a stored click that matches the redirect, an attribution report is scheduled.

The model is:
* The click source learns nothing about what the user does on the click destination site.
* The click destination site does not know that the user came from the click source site – not that they came from there now or earlier.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210513/32e0091e/attachment.htm>

More information about the webkit-unassigned mailing list