Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should we use sites (i.e. registrable domains) or origins? #51

Open
richajaindce opened this issue Mar 15, 2023 · 1 comment
Open

Should we use sites (i.e. registrable domains) or origins? #51

richajaindce opened this issue Mar 15, 2023 · 1 comment

Comments

@richajaindce
Copy link
Contributor

richajaindce commented Mar 15, 2023
edited
Loading

Based on our understanding, the web platform features have moved towards scoping on origin as compared to the site. This has been called out as a Warning in the HTML standard doc under “Site section”

For the reasons explained in URL, the same site and schemelessly same site concepts should be avoided when possible, in favor of same origin checks

For IPA, there are two places where we need to make this choice:

  1. Match Key Providers
    When a match key is set, we propose using the origin. Correspondingly, when calling getEncryptedMatchKey(), the first argument to that method is the “match key provider”. This should also be an origin.

  2. Storage of encrypted match key values
    The return value of getEncryptedMatchKey() should be consistent for a given site (for a given epoch). The User-Agent should compute the value once and store it to be returned on subsequent calls. Unfortunately, here we cannot use origin and must use site. There are a few reasons for this:

    • Privacy Budgeting is to be implemented at the “site” level. Doing so requires the helpers to check the site to which encrypted match keys are bound. We cannot give a separate privacy budget per origin as cookies enable linkage across origins belonging to the same site. Thus, scoping privacy budget to “origin” could allow sites to obtain an unlimited privacy budget.
    • The helper nodes need to know which “site” an encrypted match key was bound to in order to decrypt it. This is information helpers see in the clear. Helpers should not see data about origins, just the top level site.
    • Our current ideas about “DP Sharding” involve sensitivity capping that requires all records from a given user on a given site (in a given browser, in a given epoch) are consistent. Generating different values per origin would violate this constraint. (See: IPA Sharding with Sensitivity Bound #35)
@csharrison
Copy link
Contributor

The linked advice is specifically for security decisions, whereas I haven't seen such authoritative advice for privacy decisions, so your analysis makes sense to me @richajaindce.

This was referenced Mar 16, 2023
Open
Open
@richajaindce richajaindce changed the title Should we use sites (i.e. registrable domains) or secure origins? Should we use sites (i.e. registrable domains) or origins? Mar 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@csharrison @richajaindce