Spec cross-origin reportEvent() support (#152)

WICG · May 1, 2024 · dbb22ca · dbb22ca
1 parent 90c42a1
commit dbb22ca
Showing 1 changed file with 60 additions and 15 deletions.
diff --git a/spec.bs b/spec.bs
@@ -1145,7 +1145,10 @@ A <dfn export>fenced frame config</dfn> is a [=struct=] with the following [=str
   :: null, or a [=string=]
 
   : <dfn>is ad component</dfn>
-  :: A [=boolean=]. Defaulting to false.
+  :: A [=boolean=], initially false.
+
+  : <dfn>cross-origin reporting allowed</dfn>
+  :: A [=boolean=], initially false.
 </dl>
 
   Note: When true, this [=fenced frame config=] reprsents an ad component. An ad component can be
@@ -1199,6 +1202,9 @@ A <dfn export>fenced frame config instance</dfn> is a [=struct=] with the follow
 
   : <dfn>is ad component</dfn>
   :: A [=boolean=], initially false.
+
+  : <dfn>cross-origin reporting allowed</dfn>
+  :: A [=boolean=], initially false.
 </dl>
 
 <div algorithm>
@@ -1283,6 +1289,9 @@ A <dfn export>fenced frame config instance</dfn> is a [=struct=] with the follow
 
     : [=fenced frame config instance/is ad component=]
     :: |config|'s [=fenced frame config/is ad component=]
+
+    : [=fenced frame config instance/cross-origin reporting allowed=]
+    :: |config|'s [=fenced frame config/cross-origin reporting allowed=]
 </div>
 
 Each [=browsing context=] has a <dfn for="browsing context">fenced frame config instance</dfn>,
@@ -1498,11 +1507,18 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
     DOMString eventType;
     DOMString eventData;
     sequence&lt;FenceReportingDestination&gt; destination;
-
+
+    // Determines if this data can be sent in a reportEvent() beacon or automatic
+    // beacon that originates from a document that is cross-origin to the mapped
+    // URL of the fenced frame config that loaded this frame tree.
+    // Note that automatic beacon data can only be set from documents that are
+    // same-origin to the fenced frame config's mapped URL, so this effectively
+    // opts in the data to being used in a cross-origin subframe.
+    boolean crossOriginExposed = false;
+
     // When setting event data to be used later in an automatic beacon, the
     // following properties are used:
     boolean once = false;
-    boolean crossOriginExposed = false;
 
     // When reporting to a custom destination URL (with substitution of macros defined by
     // the Protected Audience buyer), the following property is used:
@@ -1529,19 +1545,31 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
 
   1. If |instance|'s [=fenced frame config instance/is ad component=] is true, then return.
 
-  1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s
-     [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then
-     return.
-
   1. If |instance|'s [=fenced frame config instance/fenced frame reporter=] is null, then return.
 
-  1. If |event| is a {{DOMString}}, run [=report a private aggregation event=] using |instance|'s
-     [=fenced frame config instance/fenced frame reporter=] with |event|.
+  1. If |event| is a {{DOMString}}:
+
+     1. If [=this=]'s [=relevant settings object=]'s [=environment settings object/origin=] and
+        |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same
+        origin=], then return.
+
+     1. Run [=report a private aggregation event=] using |instance|'s [=fenced frame config
+        instance/fenced frame reporter=] with |event|.
 
   1. If |event| is a {{FenceEvent}}:
 
      1. If |event|'s {{FenceEvent/eventType}} [=string/starts with=] "`reserved.`", then return.
 
+     1. If all of the following conditions are true:
+
+        * [=this=]'s [=relevant settings object=]'s [=environment settings object/origin=] and
+          |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same
+          origin=];
+        * either |event|'s {{FenceEvent/crossOriginExposed}} is false or |instance|'s
+          [=fenced frame config instance/cross-origin reporting allowed=] is false;   
+
+        then return.
+
      1. If |event| has a {{FenceEvent/destinationURL}}:
         1. If |event| has a {{FenceEvent/destination}} or a {{FenceEvent/eventType}} or a
            {{FenceEvent/eventData}}:
@@ -1595,6 +1623,17 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
   <wpt>
     /fenced-frame/fence-report-event.https.html
     /fenced-frame/fence-report-event-destination-url.https.html
+    /fenced-frame/fence-report-event-cross-origin-content-initiated.https.html 
+    /fenced-frame/fence-report-event-cross-origin-nested-urn-iframe.https.html 
+    /fenced-frame/fence-report-event-cross-origin-nested.https.html 
+    /fenced-frame/fence-report-event-cross-origin-no-embedder-opt-in.https.html 
+    /fenced-frame/fence-report-event-cross-origin-no-subframe-opt-in.https.html 
+    /fenced-frame/fence-report-event-cross-origin-urn-iframe-content-initiated.https.html 
+    /fenced-frame/fence-report-event-cross-origin-urn-iframe-no-embedder-opt-in.https.html 
+    /fenced-frame/fence-report-event-cross-origin-urn-iframe-no-subframe-opt-in.https.html 
+    /fenced-frame/fence-report-event-cross-origin-urn-iframe.https.html 
+    /fenced-frame/fence-report-event-cross-origin.https.html 
+    /fenced-frame/fence-report-event-sub-fencedframe.https.html 
   </wpt>
 </div>
 
@@ -1613,9 +1652,9 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
 
   1. If |instance| is null, then return.
 
-  1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s
-     [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then
-     return.
+  1. If [=this=]'s [=relevant settings object=]'s [=environment settings object/origin=] and
+     |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same
+     origin=], then return.
 
   1. If |instance|'s [=fenced frame config instance/fenced frame reporter=] is null, then return.
 
@@ -1649,9 +1688,9 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
 
   1. If |instance| is null, then return.
 
-  1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s
-     [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then
-     return.
+  1. If [=this=]'s [=relevant settings object=]'s [=environment settings object/origin=] and
+     |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same
+     origin=], then return.
 
   1. If |instance|'s [=fenced frame config instance/nested configs=] is null, then return.
 
@@ -2740,6 +2779,12 @@ content in the <{fencedframe}> or its embedder, exactly one of two things will h
        [=navigation params/fenced frame config instance=] being non-null) always cause a
        [[#bcg-swap]].
 
+    1. Set |navigationParams|'s [=navigation params/fenced frame config instance=]'s [=fenced frame
+       config/cross-origin reporting allowed=] to the result of running [=header list/get a
+       structured field value=] on |navigationParams|'s [=navigation params/response=]'s
+       [=response/header list=] given "<code>Allow-Cross-Origin-Event-Reporting</code>" and
+       "`item`".
+
     1. Set |browsingContext|'s [=browsing context/fenced frame config instance=] to
        |navigationParams|'s [=navigation params/fenced frame config instance=].