Attribution Reporting

Draft Community Group Report,

This version:
https://wicg.github.io/attribution-reporting-api
Issue Tracking:
GitHub
Inline In Spec
Editors:
(Google Inc.)
(Google Inc.)
(Google Inc.)
Not Ready For Implementation

This spec is not yet ready for implementation. It exists in this repository to record the ideas and promote discussion.

Before attempting to implement this spec, please contact the editors.

Copyright © 2022 the Contributors to the Attribution Reporting Specification, published by the Web Platform Incubator Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.

Abstract

An API to report that an event may have been caused by another cross-site event. These reports are designed to transfer little enough data between sites that the sites can’t use them to track individual users.

Status of this document

This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.

1. Introduction

This section is non-normative

This specification describes how web browsers can provide a mechanism to the web that supports measuring and attributing conversions (e.g. purchases) to ads a user interacted with on another site. This mechanism should remove one need for cross-site identifiers like third-party cookies.

1.1. Overview

Pages/embedded sites are given the ability to register attribution sources and attribution triggers, which can be linked by the User Agent to generate and send attribution reports containing information from both of those events.

A reporter https://reporter.example embedded on https://source.example is able to measure whether an iteraction on the page lead to an action on https://destination.example by registering an attribution source with attribution destinations of « https://destination.example ». Reporters are able to register sources through a variety of surfaces, but ultimately the reporter is required to provide the User Agent with an HTTP-response header which allows the source to be eligible for attribution.

At a later point in time, the reporter, now embedded on https://destination.example, may register an attribution trigger. Reporters can register triggers by sending an HTTP-response header containing information about the action/event that occurred. Internally, the User Agent attempts to match the trigger to previously registered source events based on where the sources/triggers were registered and configurations provided by the reporter.

If the User Agent is able to attribute the trigger to a source, it will generate and send an attribution report to the reporter via an HTTP POST request at a later point in time.

2. HTML monkeypatches

2.1. API for elements

interface mixin HTMLAttributionSrcElementUtils {
    [CEReactions] attribute USVString attributionSrc;
};

HTMLAnchorElement includes HTMLAttributionSrcElementUtils;
HTMLImageElement includes HTMLAttributionSrcElementUtils;
HTMLScriptElement includes HTMLAttributionSrcElementUtils;

Add the following content attributes:

a

attributionsrc - URL for attribution registration

img

attributionsrc - URL for attribution registration

script

attributionsrc - URL for attribution registration

Add the following content attribute descriptions:

a

The attributionsrc attribute is a string representing the URL of the resource that will register an attribution source when the a is navigated.

img

The attributionsrc attribute is a string representing the URL of the resource that will register an attribution source or attribution trigger when set.

script

The attributionsrc attribute is a string representing the URL of the resource that will register an attribution source or attribution trigger when set.

The IDL attribute attributionSrc must reflect the respective content attribute of the same name.

2.2. Window open steps

Monkeypatch window.open().

3. Fetch monkeypatches

Specify monkeypatches for source/trigger registration.

4. Permissions Policy integration

This specification defines a policy-controlled feature identified by the string "attribution-reporting". Its default allowlist is 'self'.

Note: In the Chromium implementation the default allowlist is temporarily set to * to ease testing.

5. Structures

5.1. Trigger state

A trigger state is a struct with the following items:

trigger data

A non-negative 64-bit integer.

report window

A non-negative integer.

5.2. Randomized source response

A randomized source response is null or a set of trigger states.

5.3. Attribution filtering

A filter value is an ordered set of strings.

A filter map is an ordered map whose keys are strings and whose values are filter values.

5.4. Suitable origin

A suitable origin is an origin that is suitable.

5.5. Source type

A source type is one of the following:

"navigation"

The source was associated with a top-level navigation.

"event"

The source was not associated with a top-level navigation.

5.6. Attribution source

An attribution source is a struct with the following items:

source identifier

A string.

source origin

A suitable origin.

event ID

A non-negative 64-bit integer.

attribution destinations

An ordered set of sites.

reporting endpoint

A suitable origin.

source type

A source type.

expiry

A length of time.

event report window

A length of time.

aggregatable report window

A length of time.

priority

A 64-bit integer.

source time

A point in time.

number of event-level reports

Number of event-level reports created for this attribution source.

event-level attributable (default true)

A boolean.

dedup keys

ordered set of dedup keys associated with this attribution source.

randomized response

A randomized source response.

randomized trigger rate

A number between 0 and 1 (both inclusive).

filter data

A filter map.

debug key

Null or a non-negative 64-bit integer.

aggregation keys

An ordered map whose keys are strings and whose values are non-negative 128-bit integers.

aggregatable budget consumed

A non-negative integer, total value of all aggregatable contributions created with this attribution source.

aggregatable dedup keys

ordered set of aggregatable dedup keys associated with this attribution source.

debug reporting enabled

A boolean.

5.7. Aggregatable trigger data

An aggregatable trigger data is a struct with the following items:

key piece

A non-negative 128-bit integer.

source keys

An ordered set of strings.

filters

A filter map.

negated filters

A filter map.

5.8. Event-level trigger configuration

An event-level trigger configuration is a struct with the following items:

trigger data

A non-negative 64-bit integer.

dedup key

Null or a non-negative 64-bit integer.

priority

A 64-bit integer.

filters

A filter map.

negated filters

A filter map.

5.9. Attribution trigger

An attribution trigger is a struct with the following items:

attribution destination

A site.

trigger time

A point in time.

reporting endpoint

A suitable origin.

filters

A filter map.

negated filters

A filter map.

debug key

Null or a non-negative 64-bit integer.

event-level trigger configurations

A set of event-level trigger configuration.

aggregatable trigger data

A list of aggregatable trigger data.

aggregatable values

An ordered map whose keys are strings and whose values are non-negative 32-bit integers.

aggregatable dedup key

Null or a non-negative 64-bit integer.

serialized private state token

A byte sequence.

debug reporting enabled

A boolean.

5.10. Attribution report

An attribution report is a struct with the following items:

reporting endpoint

A suitable origin.

report time

A point in time.

delivered (default false)

A boolean.

report ID

A string.

source debug key

Null or a non-negative 64-bit integer.

trigger debug key

Null or a non-negative 64-bit integer.

5.11. Event-level report

An event-level report is an attribution report with the following additional items:

event ID

A non-negative 64-bit integer.

source type

A source type.

trigger data

A non-negative 64-bit integer.

randomized trigger rate

A number between 0 and 1 (both inclusive).

trigger priority

A 64-bit integer.

trigger time

A point in time.

source identifier

A string.

attribution destinations

An ordered set of sites.

5.12. Aggregatable contribution

An aggregatable contribution is a struct with the following items:

key

A non-negative 128-bit integer.

value

A non-negative 32-bit integer.

5.13. Aggregatable report

An aggregatable report is an attribution report with the following additional items:

source time

A point in time.

original report time

A point in time.

contributions

A list of aggregatable contributions.

effective attribution destination

A site.

serialized private state token

A byte sequence.

5.14. Attribution rate-limits

A rate-limit scope is one of the following:

An attribution rate-limit record is a struct with the following items:

scope

A rate-limit scope.

source site

A site.

attribution destination

A site.

reporting endpoint

A suitable origin.

time

A point in time.

expiry time

Null or a point in time.

5.15. Attribution debug data

A debug data type is a non-empty string that specifies the set of data that is contained in the body of an attribution debug data.

A source debug data type is a debug data type for source registrations. Possible values are:

A trigger debug data type is a debug data type for trigger registrations. Possible values are:

An attribution debug data is a struct with the following items:

data type

A debug data type.

body

A map whose fields are determined by the data type.

5.16. Attribution debug report

An attribution debug report is a struct with the following items:

data

A list of attribution debug data.

reporting endpoint

A suitable origin.

5.17. Triggering result

A triggering status is one of the following:

A triggering result is a tuple with the following items:

status

A triggering status.

debug data

Null or an attribution debug data.

6. Storage

A user agent holds an attribution source cache, which is an ordered set of attribution sources.

A user agent holds an event-level report cache, which is an ordered set of event-level reports.

A user agent holds an aggregatable report cache, which is an ordered set of aggregatable reports.

A user agent holds an attribution rate-limit cache, which is an ordered set of attribution rate-limit records.

The above caches are collectively known as the attribution caches. The attribution caches are shared among all environment settings objects.

Note: This would ideally use storage bottles to provide access to the attribution caches. However attribution data is inherently cross-site, and operations on storage would need to span across all storage bottle maps.

7. Vendor-Specific Values

Source event ID cardinality is a positive integer that controls the maximum value that can be used as an event id.

Max source expiry is a positive length of time that controls the maximum value that can be used as an expiry. It must be greater than or equal to 30 days.

Max entries per filter map is a positive integer that controls the maximum size of a filter map.

Max values per filter entry is a positive integer that controls the maximum size of a filter map entry.

Max aggregation keys per attribution is a positive integer that controls the maximum size of an attribution source's aggregation keys, the maximum size of an aggregatable trigger data's source keys, and the maximum size of an attribution trigger's aggregatable values.

Max aggregatable trigger data per trigger is a positive integer that controls the maximum size of an attribution trigger's aggregatable trigger data.

Max bytes per aggregation key identifier is a positive integer that controls the maximum length or code point length of an aggregation key identifier.

Max pending sources per source origin is a positive integer that controls how many attribution sources can be in the attribution source cache per source origin.

Navigation-source trigger data cardinality is a positive integer that controls the valid range of trigger data for triggers that are attributed to an attribution source whose source type is "navigation": 0 <= trigger data < navigation-source trigger data cardinality.

Event-source trigger data cardinality is a positive integer that controls the valid range of trigger data for triggers that are attributed to an attribution source whose source type is "event": 0 <= trigger data < event-source trigger data cardinality.

Randomized navigation-source trigger rate is a double between 0 and 1 (both inclusive) that controls the randomized response probability of an attribution source whose source type is "navigation".

Randomized event-source trigger rate is a double between 0 and 1 (both inclusive) that controls the randomized response probability of an attribution source whose source type is "event".

Max event-level reports per attribution destination is a positive integer that controls how many event-level reports can be in the event-level report cache per site in attribution destinations.

Max aggregatable reports per attribution destination is a positive integer that controls how many aggregatable reports can be in the aggregatable report cache per effective attribution destination.

Max attributions per navigation source is a positive integer that controls how many times a single attribution source whose source type is "navigation" can create an event-level report.

Max attributions per event source is a positive integer that controls how many times a single attribution source whose source type is "event" can create an event-level report.

Max destinations covered by unexpired sources is a positive integer that controls the maximum number of distinct sites across all attribution destinations for unexpired attribution sources with a given (source site, reporting endpoint).

Attribution rate-limit window is a positive length of time that controls the rate-limiting window for attribution.

Max source reporting endpoints per rate-limit window is a positive integer that controls the maximum number of distinct reporting endpoints for a (source site, attribution destination) that can create attribution sources per attribution rate-limit window.

Max attribution reporting endpoints per rate-limit window is a positive integer that controls the maximum number of distinct reporting endpoints for a (source site, attribution destination) that can create event-level reports per attribution rate-limit window.

Max attributions per rate-limit window is a positive integer that controls the maximum number of attributions for a (source site, attribution destination, reporting endpoint) per attribution rate-limit window.

Max source cache size is a positive integer that controls how many attribution sources can be in the attribution source cache.

Max event-level report cache size is a positive integer that controls how many event-level reports can be in the event-level report cache.

Max aggregatable report cache size is a positive integer that controls how many aggregatable reports can be in the aggregatable report cache.

Allowed aggregatable budget per source is a positive integer that controls the total required aggregatable budget of all aggregatable reports created for an attribution source.

Min aggregatable report delay is a non-negative length of time that controls the minimum delay to deliver an aggregatable report.

Randomized aggregatable report delay is a positive length of time that controls the random delay to deliver an aggregatable report.

8. General Algorithms

To check if an origin is suitable given an origin origin:

  1. If origin is not a potentially trustworthy origin, return false.

  2. If origin’s scheme is not "http" or "https", return false.

  3. Return true.

8.1. Parsing filter data

To parse filter data given a value:

  1. If value is not a map, return null.

  2. If value’s size is greater than the user agent’s max entries per filter map, return null.

  3. Let result be a new filter map.

  4. For each filterdata of value:

    1. If data is not a list, return null.

    2. Let set be a new ordered set.

    3. For each d of data:

      1. If d is not a string, return null.

      2. Append d to set.

    4. If set’s size is greater than the user agent’s max values per filter entry, return null.

    5. Set result[filter] to set.

  5. Return result.

Determine whether to limit length or code point length for filter and d above.

8.2. Cookie-based debugging

To check if cookie-based debugging is allowed given a suitable origin reportingOrigin:

  1. Return blocked.

Check for "ar_debug" cookie on reportingOrigin and return allowed if it exists, is Secure, is HttpOnly, and is SameSite=None.

8.3. Obtaining a randomized response

To obtain a randomized response given trueValue, a set possibleValues, and a double randomPickRate:

  1. Assert: randomPickRate is between 0 and 1 (both inclusive).

  2. Let r be a random double between 0 (inclusive) and 1 (exclusive) with uniform probability.

  3. If r is less than randomPickRate, return a random item from possibleValues with uniform probability.

  4. Otherwise, return trueValue.

8.4. Parsing aggregation key piece

To parse an aggregation key piece given a string input, perform the following steps. This algorithm will return either a non-negative 128-bit integer or an error.

  1. If input’s code point length is not between 3 and 34 (both inclusive), return an error.

  2. If the first character is not a U+0030 DIGIT ZERO (0), return an error.

  3. If the second character is not a U+0058 LATIN CAPITAL LETTER X character (X) and not a U+0078 LATIN SMALL LETTER X character (x), return an error.

  4. Let value be the code point substring from 2 to the end of input.

  5. If the characters within value are not all ASCII hex digits, return an error.

  6. Interpret value as a hexadecimal number and return as a non-negative 128-bit integer.

8.5. Can attribution rate-limit record be removed

Given an attribution rate-limit record record:

  1. If record’s time is after the current time, return false.

  2. If record’s scope is "attribution", return true.

  3. If record’s expiry time is after the current time, return false.

  4. Return true.

8.6. Obtaining and delivering an attribution debug report

To obtain and deliver a debug report given a list of attribution debug data data and a suitable origin reportingEndpoint:

  1. Let debugReport be an attribution debug report with the items:

    data

    data

    reporting endpoint

    reportingEndpoint

  2. Queue a task to attempt to deliver a verbose debug report with debugReport.

9. Source Algorithms

9.1. Obtaining an attribution source’s expiry time

An attribution source source’s expiry time is source’s source time + source’s expiry.

9.2. Obtaining an attribution source’s event report window time

An attribution source source’s event report window time is source’s source time + source’s event report window.

9.3. Obtaining an attribution source’s aggregatable report window time

An attribution source source’s aggregatable report window time is source’s source time + source’s aggregatable report window.

9.4. Obtaining an attribution source’s source site

An attribution source source’s source site is the result of obtaining a site from source’s source origin.

9.5. Parsing an attribution destination

To parse an attribution destination from a string str:

  1. Let url be the result of running the URL parser on the value of the str.

  2. If url is failure or null, return null.

  3. If url’s origin is not suitable, return null.

  4. Return the result of obtaining a site from url’s origin.

9.6. Parsing attribution destinations

To parse attribution destinations from a value val:

  1. Let result be an ordered set.

  2. If val is a string, append the result of parse an attribution destination to result, and return result.

  3. If val is not a list, return null.

  4. For each value of val

    1. If value is not a string, return null.

    2. Let destination be the result of parse an attribution destination with value.

    3. If destination is null, return null.

    4. append destination to result.

  5. If result’s size is greater than 3, return null.

  6. If result is empty, return null.

  7. return result.

confirm that the maximum destinations size is workable.

9.7. Obtaining a randomized source response

To obtain a randomized source response given a positive integer triggerDataCardinality, a positive integer maxAttributionsPerSource, a positive integer numReportWindows, and a double randomPickRate:

  1. Let possibleTriggerStates be a new empty set.

  2. For each integer triggerData between 0 (inclusive) and triggerDataCardinality (exclusive):

    1. For each integer reportWindow between 0 (inclusive) and numReportWindows (exclusive):

      1. Let state be a new trigger state with the items:

        trigger data

        triggerData

        report window

        reportWindow

      2. Append state to possibleTriggerStates.

  3. Let possibleValues be a new empty set.

  4. For each integer attributions between 0 (inclusive) and maxAttributionsPerSource (inclusive):

    1. Append to possibleValues all distinct attributions-length combinations of possibleTriggerStates.

  5. Return the result of obtaining a randomized response with null, possibleValues, and randomPickRate.

9.8. Obtaining an attribution source from an a element

To obtain an attribution source from an anchor given an a element anchor:

  1. If anchor does not have an attributionsrc attribute, return null.

  2. Return null.

Specify the steps for making attributionsrc request.

9.9. Obtaining an attribution source from window features

To obtain an attribution source from window features given an ordered map tokenizedFeatures:

  1. If tokenizedFeatures["attributionsrc"] does not exist, return null.

  2. Let decodedSrcBytes be the result of percent-decoding tokenizedFeatures["attributionsrc"].

  3. Let decodedSrc be the UTF-8 decode without BOM of decodedSrcBytes.

  4. Return null.

Check for transient activation. Issue: Specify the steps for making an attributionsrc request with decodedSrc.

9.10. Parsing source-registration JSON

To obtain a source expiry given a value:

  1. If value is not a string, return null.

  2. Let expirySeconds be the result of applying the rules for parsing integers to value.

  3. If expirySeconds is an error, return null.

  4. Let expiry be expirySeconds seconds.

  5. If expiry is less than 1 day, set expiry to 1 day.

  6. If expiry is greater than the user agent’s max source expiry, set expiry to that value.

  7. Return expiry.

To parse aggregation keys given an ordered map map:

  1. Let aggregationKeys be a new ordered map.

  2. If map["aggregation_keys"] does not exist, return aggregationKeys.

  3. Let values be map["aggregation_keys"].

  4. If values is not an ordered map, return null.

  5. If values’s size is greater than the user agent’s max aggregation keys per attribution, return null.

  6. For each keyvalue of values:

    1. If value is not a string, return null.

    2. Let keyPiece be the result of running parse an aggregation key piece with value.

    3. If keyPiece is an error, return null.

    4. Set aggregationKeys[key] to keyPiece.

  7. Return aggregationKeys.

Determine whether to limit length or code point length for key above using max bytes per aggregation key identifier.

To parse source-registration JSON given a string json, a suitable origin sourceOrigin, a suitable origin reportingOrigin, and a source type sourceType:

  1. Let value be the result of running parse a JSON string to an Infra value with json.

  2. If value is not an ordered map, return null.

  3. Let sourceEventId be 0.

  4. If value["source_event_id"] exists and is a string:

    1. Set sourceEventId to the result of applying the rules for parsing non-negative integers to value["source_event_id"] modulo the user agent’s source event ID cardinality.

    2. If sourceEventId is an error, set sourceEventId to 0.

  5. If value["destination"] does not exist, return null.

  6. Let attributionDestinations be the result of running parse attribution destinations with value["destination"].

  7. If attributionDestinations is null, return null.

  8. Let expiry be the result of running obtain a source expiry on value["expiry"].

  9. If expiry is null, set expiry to 30 days.

  10. Let eventReportWindow be the result of running obtain a source expiry on value["event_report_window"].

  11. If eventReportWindow is null or greater than expiry, set eventReportWindow to expiry.

  12. Let aggregatableReportWindow be the result of running obtain a source expiry on value["aggregatable_report_window"].

  13. If aggregatableReportWindow is null or greater than expiry, set aggregatableReportWindow to expiry.

  14. Let priority be 0.

  15. If value["priority"] exists and is a string:

    1. Set priority to the result of applying the rules for parsing integers to value["priority"].

    2. If priority is an error, set priority to 0.

  16. Let filterData be a new filter map.

  17. If value["filter_data"] exists:

    1. Set filterData to the result of running parse filter data with value["filter_data"].

    2. If filterData is null, return null.

    3. If filterData["source_type"] exists, return null.

  18. Set filterData["source_type"] to « sourceType ».

  19. Let debugKey be null.

  20. If value["debug_key"] exists and is a string:

    1. Set debugKey to the result of applying the rules for parsing non-negative integers to value["debug_key"].

    2. If debugKey is an error, set debugKey to null.

    3. If the result of running check if cookie-based debugging is allowed with reportingOrigin is blocked, set debugKey to null.

  21. Let aggregationKeys be the result of running parse aggregation keys with value.

  22. If aggregationKeys is null, return null.

  23. If aggregatableExpiry is null, set aggregatableExpiry to expiry.

  24. Let triggerDataCardinality be the user agent’s navigation-source trigger data cardinality.

  25. Let randomizedTriggerRate be the user agent’s randomized navigation-source trigger rate.

  26. Let maxAttributionsPerSource be the user agent’s max attributions per navigation source.

  27. If sourceType is "event":

    1. Round expiry away from zero to the nearest day (86400 seconds).

    2. Set triggerDataCardinality to the user agent’s event-source trigger data cardinality.

    3. Set randomizedTriggerRate’s to the user agent’s randomized event-source trigger rate.

    4. Set maxAttributionsPerSource to the user agent’s max attributions per event source.

  28. Let numReportWindows be the result of running obtain the number of report windows with sourceType.

  29. Let debugReportingEnabled be false.

  30. If value["debug_reporting"] exists and is a boolean, set debugReportingEnabled to value["debug_reporting"].

  31. Let source be a new attribution source struct whose items are:

    source identifier

    A new unique string

    source origin

    sourceOrigin

    event ID

    sourceEventId

    attribution destinations

    attributionDestinations

    reporting endpoint

    reportingOrigin

    expiry

    expiry

    event report window

    eventReportWindow

    aggregatable report window

    aggregatableReportWindow

    priority

    priority

    source time

    The current time

    source type

    sourceType

    randomized response

    The result of obtaining a randomized source response with triggerDataCardinality, maxAttributionsPerSource, numReportWindows, and randomizedTriggerRate.

    randomized trigger rate

    randomizedTriggerRate

    filter data

    filterData

    debug key

    debugKey

    aggregation keys

    aggregationKeys

    aggregatable budget consumed

    0

    debug reporting enabled

    debugReportingEnabled

  32. Return source.

Ensure that all sites in attributionDestinations have HTTP/HTTPS schemes.

9.11. Checking unexpired destination limit

To check if an attribution source exceeds the unexpired destination limit given an attribution source source, run the following steps:

  1. Let unexpiredSources be all attribution rate-limit records record in the attribution rate-limit cache where all of the following are true:

  2. Let unexpiredDestinations be an empty set.

  3. For each attribution rate-limit record unexpiredRecord of unexpiredSources:

    1. append unexpiredRecord’s attribution destination to unexpiredDestinations.

  4. Let newDestinations be the result of taking the union of unexpiredDestinations and source’s attribution destinations.

  5. Return whether newDestinations’s size is greater than or equal to the user agent’s max destinations covered by unexpired sources.

9.12. Processing an attribution source

To obtain a fake report given an attribution source source and a trigger state triggerState:

  1. Let fakeConfig be a new event-level trigger configuration with the items:

    trigger data

    triggerState’s trigger data

    dedup key

    null

    priority

    0

    filters

    «[ "source_type" → « source’s source type » ]»

  2. Let fakeTrigger be a new attribution trigger with the items:

    attribution destinations

    source’s attribution destinations

    trigger time

    source’s source time

    reporting endpoint

    source’s reporting endpoint

    filters

    «[]»

    debug key

    null

    event-level trigger configurations

    « fakeConfig »

    aggregatable trigger data

    «»

    aggregatable values

    «[]»

    aggregatable dedup key

    null

    debug reporting enabled

    false

  3. Let fakeReport be the result of running obtain an event-level report with source, fakeTrigger, and fakeConfig.

  4. Set fakeReport’s report time to the result of running obtain the report time at a window with source and triggerState’s report window.

  5. Return fakeReport.

To check if debug reporting is allowed given a source debug data type dataType and a suitable origin reportingOrigin:

  1. If dataType is:

    "source-destination-limit"

    Return allowed.

    "source-noised"
    "source-storage-limit"
    "source-unknown-error"

    Return the result of running check if cookie-based debugging is allowed with reportingOrigin.

To obtain and deliver a debug report on source registration given a source debug data type dataType and an attribution source source:

  1. If source’s debug reporting enabled is false, return.

  2. If the result of running check if debug reporting is allowed with dataType and source’s reporting endpoint is blocked, return.

  3. Let body be a new map with the following key/value pairs:

    "attribution_destination"

    source’s attribution destinations, serialized.

    "source_event_id"

    source’s event ID, serialized.

    "source_site"

    source’s source site, serialized.

  4. If source’s debug key is not null, set body["source_debug_key"] to source’s debug key, serialized.

  5. If dataType is:

    "source-destination-limit"

    Set body["limit"] to the user agent’s max destinations covered by unexpired sources, serialized.

    "source-storage-limit"

    Set body["limit"] to the user agent’s max pending sources per source origin, serialized.

  6. Let data be a new attribution debug data with the items:

    data type

    dataType

    body

    body

  7. Run obtain and deliver a debug report with « data » and source’s reporting endpoint.

To process an attribution source given an attribution source source:

  1. Let cache be the user agent’s attribution source cache.

  2. Remove all entries in cache where the entry’s expiry time is less than the current time.

  3. If the size of cache is greater than or equal to the user agent’s max source cache size, return.

  4. Let pendingSourcesForSourceOrigin be the set of all attribution sources pendingSource of cache where pendingSource’s source origin and source’s source origin are same origin.

  5. If pendingSourcesForSourceOrigin’s size is greater than or equal to the user agent’s max pending sources per source origin:

    1. Run obtain and deliver a debug report on source registration with "source-storage-limit" and source.

    2. Return.

  6. If the result of running check if an attribution source exceeds the unexpired destination limit with source is true:

    1. Run obtain and deliver a debug report on source registration with "source-destination-limit" and source.

    2. Return.

  7. For each destination in source’s attribution destinations

    1. Let rateLimitRecord be a new attribution rate-limit record with the items:

      scope

      "source"

      source site

      source’s source site

      attribution destination

      destination

      reporting endpoint

      source’s reporting endpoint

      time

      source’s source time

      expiry time

      source’s expiry time

    2. If the result of running should processing be blocked by reporting-endpoint limit with rateLimitRecord is blocked, return.

    3. Append rateLimitRecord to the attribution rate-limit cache.

  8. Remove all entries from the attribution rate-limit cache if the result of running can attribution rate-limit record be removed with the entry is true.

  9. If source’s randomized response is not null and is a set:

    1. For each trigger state triggerState of source’s randomized response:

      1. Let fakeReport be the result of running obtain a fake report with source and triggerState.

      2. Append fakeReport to the event-level report cache.

    2. If source’s randomized response is not empty, then set source’s event-level attributable value to false.

    3. Run obtain and deliver a debug report on source registration with "source-noised" and source.

  10. Append source to cache.

Should fake reports respect the user agent’s max event-level reports per attribution destination?

10. Triggering Algorithms

10.1. Creating an attribution trigger

To parse event triggers given an ordered map map:

  1. Let eventTriggers be a new set.

  2. If map["event_trigger_data"] does not exist, return eventTriggers.

  3. Let values be map["event_trigger_data"].

  4. If values is not a list, return null.

  5. For each value of values:

    1. If value is not an ordered map, return null.

    2. Let triggerData be 0.

    3. If value["trigger_data"] exists and is a string:

      1. Set triggerData to the result of applying the rules for parsing non-negative integers to value["trigger_data"].

      2. If triggerData is an error, set triggerData to 0.

    4. Let dedupKey be null.

    5. If value["deduplication_key"] exists and is a string:

      1. Set dedupKey to the result of applying the rules for parsing non-negative integers to value["deduplication_key"].

      2. If dedupKey is an error, set dedupKey to null.

    6. Let priority be 0.

    7. If value["priority"] exists and is a string:

      1. Set priority to the result of applying the rules for parsing integers to value["priority"].

      2. If priority is an error, set priority to 0.

    8. Let filters be a new filter map.

    9. If value["filters"] exists:

      1. Set filters to the result of running parse filter data with value["filters"].

      2. If filters is null, return null.

    10. Let negatedFilters be a new filter map.

    11. If value["not_filters"] exists:

      1. Set negatedFilters to the result of running parse filter data with value["not_filters"].

      2. If negatedFilters is null, return null.

    12. Let eventTrigger be a new event-level trigger configuration with the items:

      trigger data

      triggerData

      dedup key

      dedupKey

      priority

      priority

      filters

      filters

      negated filters

      negatedFilters

    13. Append eventTrigger to eventTriggers.

  6. Return eventTriggers.

Allow the user agent to return null if values’s size is greater than some constant.

To parse aggregatable trigger data given an ordered map map:

  1. Let aggregatableTriggerData be a new list.

  2. If map["aggregatable_trigger_data"] does not exist, return aggregatableTriggerData.

  3. Let values be map["aggregatable_trigger_data"].

  4. If values is not a list, return null.

  5. If values’s size is greater than the user agent’s max aggregatable trigger data per trigger, return null.

  6. For each value of values:

    1. If value is not an ordered map, return null.

    2. If value["key_piece"] does not exist or is not a string, return null.

    3. Let keyPiece be the result of running parse an aggregation key piece with value["key_piece"].

    4. If keyPiece is an error, return null.

    5. Let sourceKeys be a new ordered set.

    6. If value["source_keys"] exists:

      1. If value["source_keys"] is not a list, return null.

      2. If value["source_keys"]'s size is greater than the user agent’s max aggregation keys per attribution, return null.

      3. For each sourceKey of value["source_keys"]:

        1. If sourceKey is not a string, return null.

        2. Append sourceKey to sourceKeys.

    7. Let filters be a new filter map.

    8. If value["filters"] exists:

      1. Set filters to the result of running parse filter data with value["filters"].

      2. If filters is null, return null.

    9. Let negatedFilters be a new filter map.

    10. If value["not_filters"] exists:

      1. Set negatedFilters to the result of running parse filter data with value["not_filters"].

      2. If negatedFilters is null, return null.

    11. Let aggregatableTrigger be a new aggregatable trigger data with the items:

      key piece

      keyPiece

      source keys

      sourceKeys

      filters

      filters

      negated filters

      negatedFilters

    12. Append aggregatableTrigger to aggregatableTriggerData.

  7. Return aggregatableTriggerData.

Determine whether to limit length or code point length for sourceKey above using max bytes per aggregation key identifier.

To parse aggregatable values given an ordered map map:

  1. If map["aggregatable_values"] does not exist, return «[]».

  2. Let values be map["aggregatable_values"].

  3. If values is not an ordered map, return null.

  4. If values’s size is great than the user agent’s max aggregation keys per attribution, return null.

  5. For each keyvalue of values:

    1. If value is not an integer, return null.

    2. If value is less than or equal to 0, return null.

  6. Return values.

Determine whether to limit length or code point length for key above using max bytes per aggregation key identifier.

To serialize a private state token given a string encodedBlindedPrivateStateToken:

  1. If encodedBlindedPrivateStateToken is null, return null.

  2. Let decoded be the result of forgiving-base64 decoding encodedBlindedPrivateStateToken.

  3. If decoded is failure, return null.

  4. Let tokens be the result of finishing issuance of decoded.

properly define the "finishing issuance" operation.

  1. If tokens is null, or has size not equal to 1, return null.

  2. Let token be tokens[0].

  3. Let redeemedBytes be the result of "beginning redemption" with token, the empty byte sequence (data), and 0 (the null timestamp).

properly define "begin redemption" operation. Consider running the algorithm at report sending time.

  1. Return the result of forgiving-base64 encoding redeemedBytes.

To create an attribution trigger given a string json, a site destination, a suitable origin reportingOrigin, and a string privateStateToken:

  1. Let value be the result of running parse a JSON string to an Infra value with json.

  2. If value is not an ordered map, return null.

  3. Let eventTriggers be the result of running parse event triggers with value.

  4. If eventTriggers is null, return null.

  5. Let aggregatableTriggerData be the result of running parse aggregatable trigger data with value.

  6. If aggregatableTriggerData is null, return null.

  7. Let aggregatableValues be the result of running parse aggregatable values with value.

  8. If aggregatableValues is null, return null.

  9. Let aggregatableDedupKey be null.

  10. If value["aggregatable_deduplication_key"] exists and is a string:

    1. Set aggregatableDedupKey to the result of applying the rules for parsing non-negative integers to value["aggregatable_deduplication_key"].

    2. If aggregatableDedupKey is an error, set aggregatableDedupKey to null.

  11. Let debugKey be null.

  12. If value["debug_key"] exists and is a string:

    1. Set debugKey to the result of applying the rules for parsing non-negative integers to value["debug_key"].

    2. If debugKey is an error, set debugKey to null.

    3. If the result of running check if cookie-based debugging is allowed with reportingOrigin is blocked, set debugKey to null.

  13. Let filters be a new filter map.

  14. If value["filters"] exists:

    1. Set filters to the result of running parse filter data with value["filters"].

    2. If filters is null, return null.

  15. Let negatedFilters be a new filter map.

  16. If value["not_filters"] exists:

    1. Set negatedFilters to the result of running parse filter data with value["not_filters"].

    2. If negatedFilters is null, return null.

  17. Let debugReportingEnabled be false.

  18. If value["debug_reporting"] exists and is a boolean, set debugReportingEnabled to value["debug_reporting"].

  19. Let trigger be a new attribution trigger with the items:

    attribution destination

    destination

    trigger time

    The current time.

    reporting endpoint

    reportingOrigin

    filters

    filters

    negated filters

    negatedFilters

    debug key

    debugKey

    event-level trigger configurations

    eventTriggers

    aggregatable trigger data

    aggregatableTriggerData

    aggregatable values

    aggregatableValues

    aggregatable dedup key

    aggregatableDedupKey

    serialized private state token

    The result of serializing a private state token with privateStateToken

    debug reporting enabled

    debugReportingEnabled

  20. Return trigger.

10.2. Does filter data match

To match filter values given a filter value a and a filter value b:

  1. If b is empty, then:

    1. If a is empty, then return true.

    2. Otherwise, return false.

  2. Let i be the intersection of a and b.

  3. If i is empty, then return false.

  4. Return true.

To match filter values with negation given a filter value a and a filter value b:

  1. If b is empty, then:

    1. If a is not empty, then return true.

    2. Otherwise, return false.

  2. Let i be the intersection of a and b.

  3. If i is not empty, then return false.

  4. Return true.

To match an attribution source’s filter data against filters given an attribution source source, a filter map filters, and a boolean isNegated:

  1. Let sourceData be source’s filter data.

  2. For each keyfilterValues of filters:

    1. If sourceData[key] does not exist, continue.

    2. Let sourceValues be sourceData[key].

    3. If isNegated is:

      false
      If the result of running match filter values with sourceValues and filterValues is false, return false.
      true
      If the result of running match filter values with negation with sourceValues and filterValues is false, return false.

  3. Return true.

10.3. Should attribution be blocked by rate limit

Given an attribution trigger trigger and attribution source sourceToAttribute:

  1. Let matchingRateLimitRecords be all attribution rate-limit records record of attribution rate-limit cache where all of the following are true:

  2. If matchingRateLimitRecords’s size is greater than or equal to max attributions per rate-limit window, return blocked.

  3. Return allowed.

10.4. Should processing be blocked by reporting-endpoint limit

Given an attribution rate-limit record newRecord:

  1. Let max be max source reporting endpoints per rate-limit window.

  2. If newRecord’s scope is "attribution", set max to max attribution reporting endpoints per rate-limit window.

  3. Let matchingRateLimitRecords be all attribution rate-limit records record in the attribution rate-limit cache where all of the following are true:

  4. Let distinctReportingEndpoints be a new empty ordered set.

  5. For each record of matchingRateLimitRecords, append record’s reporting endpoint to distinctReportingEndpoints.

  6. If distinctReportingEndpoints contains newRecord’s reporting endpoint, return allowed.

  7. If distinctReportingEndpoints’s size is greater than or equal to max, return blocked.

  8. Return allowed.

10.5. Creating aggregatable contributions

To create aggregatable contributions given an attribution source source and an attribution trigger trigger, run the following steps:

  1. Let aggregationKeys be the result of cloning source’s aggregation keys.

  2. For each triggerData of trigger’s aggregatable trigger data:

    1. If the result of running match an attribution source’s filter data against filters with source, triggerData’s filters, and isNegated set to false is false, continue.

    2. If the result of running match an attribution source’s filter data against filters with source, triggerData’s negated filters, and isNegated set to true is false, continue.

    3. For each sourceKey of triggerData’s source keys:

      1. If aggregationKeys[sourceKey] does not exist, continue.

      2. Set aggregationKeys[sourceKey] to aggregationKeys[sourceKey] OR triggerData’s key piece.

  3. Let aggregatableValues be trigger’s aggregatable values.

  4. Let contributions be a new empty list.

  5. For each idkey of aggregationKeys:

    1. If aggregatableValues[id] does not exist, continue.

    2. Let contribution be a new aggregatable contribution with the items:

      key

      key

      value

      aggregatableValues[id]

    3. Append contribution to contributions.

  6. Return contributions.

10.6. Can source create aggregatable contributions

To check if an attribution source can create aggregatable contributions given an aggregatable report report and an attribution source sourceToAttribute, run the following steps:

  1. Let remainingAggregatableBudget be allowed aggregatable budget per source minus sourceToAttribute’s aggregatable budget consumed.

  2. Assert: remainingAggregatableBudget is greater than or equal to 0.

  3. If report’s required aggregatable budget is greater than remainingAggregatableBudget, return false.

  4. Return true.

10.7. Obtaining debug data on trigger registration

To obtain debug data body on trigger registration given a trigger debug data type dataType, an attribution trigger trigger, an optional attribution source sourceToAttribute, and an optional attribution report report:

  1. Let body be a new empty map.

  2. If dataType is:

    "trigger-attributions-per-source-destination-limit"

    Set body["limit"] to the user agent’s max attributions per rate-limit window, serialized.

    "trigger-reporting-origin-limit"

    Set body["limit"] to the user agent’s max attribution reporting endpoints per rate-limit window, serialized.

    "trigger-event-storage-limit"

    Set body["limit"] to max event-level reports per attribution destination, serialized.

    "trigger-aggregate-storage-limit"

    Set body["limit"] to max aggregatable reports per attribution destination, serialized.

    "trigger-aggregate-insufficient-budget"

    Set body["limit"] to allowed aggregatable budget per source, serialized.

    "trigger-event-low-priority"
    "trigger-event-excessive-reports"

    1. Assert: report is not null and is an event-level report.

    2. Return the result of running obtain an event-level report body with report.

  3. Set body["attribution_destination"] to trigger’s attribution destination, serialized.

  4. If trigger’s debug key is not null, set body["trigger_debug_key"] to trigger’s debug key, serialized.

  5. If sourceToAttribute is not null:

    1. Set body["source_event_id"] to source’s event ID, serialized.

    2. Set body["source_site"] to source’s source site, serialized.

    3. If sourceToAttribute’s debug key is not null, set body["source_debug_key"] to sourceToAttribute’s debug key, serialized.

  6. Return body.

To obtain debug data on trigger registration given a trigger debug data type dataType, an attribution trigger trigger, an optional attribution source sourceToAttribute, and an optional attribution report report:

  1. If trigger’s debug reporting enabled is false, return null.

  2. If the result of running check if cookie-based debugging is allowed with trigger’s reporting endpoint is blocked, return null.

  3. Let data be a new attribution debug data with the items:

    data type

    dataType.

    body

    The result of running obtain debug data body on trigger registration with dataType, trigger, sourceToAttribute and report.

  4. Return data.

10.8. Triggering event-level attribution

To trigger event-level attribution given an attribution trigger trigger, an attribution source sourceToAttribute, an attribution rate-limit record rateLimitRecord and a boolean topLevelFiltersMatch, run the following steps:

  1. If sourceToAttribute’s randomized response is not null and is not empty:

    1. Assert: sourceToAttribute’s event-level attributable is false.

    2. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-noise", trigger, sourceToAttribute and report set to null.

    3. Return the triggering result ("dropped", debugData).

  2. If topLevelFiltersMatch is false:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-no-matching-filter-data", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  3. If sourceToAttribute’s event report window time is less than the current time:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-report-window-passed", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  4. Let matchedConfig be null.

  5. For each event-level trigger configuration config of trigger’s event-level trigger configurations:

    1. If the result of running match an attribution source’s filter data against filters with sourceToAttribute, config’s filters, and isNegated set to false is false, continue.

    2. If the result of running match an attribution source’s filter data against filters with sourceToAttribute, config’s negated filters, and isNegated set to true is false, continue.

    3. Set matchedConfig to config.

    4. Break.

  6. If matchedConfig is null:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-no-matching-configurations", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  7. If matchedConfig’s dedup key is not null and sourceToAttribute’s dedup keys contains it:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-deduplicated", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  8. Let numMatchingReports be the number of entries in the event-level report cache whose attribution destinations contains trigger’s attribution destination.

  9. If numMatchingReports is greater than or equal to the user agent’s max event-level reports per attribution destination:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-storage-limit", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  10. If the result of running should attribution be blocked by rate limit with trigger and sourceToAttribute is blocked:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-attributions-per-source-destination-limit", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  11. If the result of running should processing be blocked by reporting-endpoint limit with rateLimitRecord is blocked:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-reporting-origin-limit", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  12. Let report be the result of running obtain an event-level report with sourceToAttribute, trigger, and matchedConfig.

  13. If sourceToAttribute’s event-level attributable value is false:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-excessive-reports", trigger, sourceToAttribute and report.

    2. Return the triggering result ("dropped", debugData).

  14. Let maxAttributionsPerSource be the user agent’s max attributions per navigation source.

  15. If sourceToAttribute’s source type is "event", set maxAttributionsPerSource to the user agent’s max attributions per event source.

  16. If sourceToAttribute’s number of event-level reports value is equal to maxAttributionsPerSource, then:

    1. Let matchingReports be all entries in the event-level report cache where all of the following are true:

    2. If matchingReports is empty:

      1. Set sourceToAttribute’s event-level attributable value to false.

      2. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-excessive-reports", trigger, sourceToAttribute and report.

      3. Return the triggering result ("dropped", debugData).

    3. Set matchingReports to the result of sorting matchingReports in ascending order, with a being less than b if any of the following are true:

    4. Let lowestPriorityReport be the first item in matchingReports.

    5. If report’s trigger priority is less than or equal to lowestPriorityReport’s trigger priority:

      1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-event-low-priority", trigger, sourceToAttribute and report.

      2. Return the triggering result ("dropped", debugData).

    6. Remove lowestPriorityReport from the event-level report cache.

    7. Decrement sourceToAttribute’s number of event-level reports value by 1.

  17. If the size of the event-level report cache is greater than or equal to the user agent’s max event-level report cache size, return the triggering result ("cache full", null).

  18. Let debugData be null.

  19. If sourceToAttribute’s randomized response is:

    null

    Append report to the event-level report cache.

    not null

    Set debugData to the result of running obtain debug data on trigger registration with "trigger-event-noise", trigger, sourceToAttribute and report set to null.

  20. Increment sourceToAttribute’s number of event-level reports value by 1.

  21. If matchedConfig’s dedup key is not null, append it to sourceToAttribute’s dedup keys.

  22. If report’s source debug key is not null and report’s trigger debug key is not null, queue a task to attempt to deliver a debug report with report.

  23. Return the triggering result ("attributed", debugData).

10.9. Triggering aggregatable attribution

To trigger aggregatable attribution given an attribution trigger trigger, an attribution source sourceToAttribute, an attribution rate-limit record rateLimitRecord and a boolean topLevelFiltersMatch, run the following steps:

  1. If sourceToAttribute’s aggregation keys is empty, return the triggering result ("dropped", null).

  2. If trigger’s aggregatable trigger data is empty and trigger’s aggregatable values is empty, return the triggering result ("dropped", null).

  3. If topLevelFiltersMatch is false:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-no-matching-filter-data", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  4. If sourceToAttribute’s aggregatable report window time is less than the current time:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-aggregate-report-window-passed", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  5. Let report be the result of running obtain an aggregatable report with sourceToAttribute and trigger.

  6. If report’s contributions is empty:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-aggregate-no-contributions", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  7. If trigger’s aggregatable dedup key is not null and sourceToAttribute’s aggregatable dedup keys contains it:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-aggregate-deduplicated", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  8. Let numMatchingReports be the number of entries in the aggregatable report cache whose effective attribution destination equals trigger’s attribution destination.

  9. If numMatchingReports is greater than or equal to the user agent’s max aggregatable reports per attribution destination:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-aggregate-storage-limit", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  10. If the result of running should attribution be blocked by rate limit with trigger and sourceToAttribute is blocked:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-attributions-per-source-destination-limit", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  11. If the result of running should processing be blocked by reporting-endpoint limit with rateLimitRecord is blocked:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-reporting-origin-limit", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  12. If the result of running check if an attribution source can create aggregatable contributions with report and sourceToAttribute is false:

    1. Let debugData be the result of running obtain debug data on trigger registration with "trigger-aggregate-insufficient-budget", trigger, sourceToAttribute and report set to null.

    2. Return the triggering result ("dropped", debugData).

  13. If the size of the aggregatable report cache is greater than or equal to the user agent’s max aggregatable report cache size, return the triggering result ("cache full", null).

  14. Add report to the aggregatable report cache.

  15. Increment sourceToAttribute’s aggregatable budget consumed value by report’s required aggregatable budget.

  16. If trigger’s aggregatable dedup key is not null, append it to sourceToAttribute’s aggregatable dedup keys.

  17. If report’s source debug key is not null and report’s trigger debug key is not null, queue a task to attempt to deliver a debug report with report.

  18. Return the triggering result ("attributed", null).

10.10. Triggering attribution

To obtain and deliver a debug report on trigger registration given a trigger debug data type dataType, an attribution trigger trigger and an optional attribution source sourceToAttribute:

  1. Let debugData be the result of running obtain debug data on trigger registration with dataType, trigger, sourceToAttribute and report set to null.

  2. If debugData is null, return.

  3. Run obtain and deliver a debug report with « debugData » and trigger’s reporting endpoint.

To trigger attribution given an attribution trigger trigger, run the following steps:

  1. Let attributionDestination be trigger’s attribution destination.

  2. Let matchingSources be all entries in the attribution source cache where all of the following are true:

  3. If matchingSources is empty:

    1. Run obtain and deliver a debug report on trigger registration with "trigger-no-matching-source", trigger and sourceToAttribute set to null.

    2. Return.

  4. Set matchingSources to the result of sorting matchingSources in descending order, with a being less than b if any of the following are true:

  5. Let sourceToAttribute be the first item in matchingSources.

  6. Let topLevelFiltersMatch be the result of running match an attribution source’s filter data against filters with sourceToAttribute, trigger’s filters, and isNegated set to false.

  7. If topLevelFiltersMatch is true, set topLevelFiltersMatch to the result of running match an attribution source’s filter data against filters with sourceToAttribute, trigger’s negated filters, and isNegated set to true.

  8. Let rateLimitRecord be a new attribution rate-limit record with the items:

    scope

    "attribution"

    source site

    sourceToAttribute’s source site

    attribution destination

    attributionDestination

    reporting endpoint

    sourceToAttribute’s reporting endpoint

    time

    trigger’s trigger time

    expiry time

    null

  9. Let eventLevelResult be the result of running trigger event-level attribution with trigger, sourceToAttribute, rateLimitRecord and topLevelFiltersMatch.

  10. Let aggregatableResult be the result of running trigger aggregatable attribution with trigger, sourceToAttribute, rateLimitRecord and topLevelFiltersMatch.

  11. Let eventLevelDebugData be eventLevelResult’s debug data.

  12. Let aggregatableDebugData be aggregatableResult’s debug data.

  13. Let debugDataList be an empty list.

  14. If eventLevelDebugData is not null, then append eventLevelDebugData to debugDataList.

  15. If aggregatableDebugData is not null:

    1. If debugDataList is empty or aggregatableDebugData’s data type does not equal eventLevelDebugData’s data type, then append aggregatableDebugData to debugDataList.

  16. If debugDataList is not empty, then run obtain and deliver a debug report with debugDataList and trigger’s reporting endpoint.

  17. If both eventLevelResult’s status and aggregatableResult’s status are "dropped", return.

  18. Remove sourceToAttribute from matchingSources.

  19. For each item of matchingSources:

    1. Remove item from the attribution source cache.

  20. If neither eventLevelResult’s status nor aggregatableResult’s status is "attributed", return.

  21. Append rateLimitRecord to the attribution rate-limit cache.

  22. Remove all entries from the attribution rate-limit cache if the result of running can attribution rate-limit record be removed with the entry is true.

10.11. Establishing report delivery time

To obtain early deadlines given a source type sourceType:

  1. If sourceType is "event", return «».

  2. Return « 2 days, 7 days ».

To obtain the number of report windows given a source type sourceType:

  1. Let earlyDeadlines be the result of running obtain early deadlines with sourceType.

  2. Return the size of earlyDeadlines + 1.

To obtain a report time from deadline given a time sourceTime and a length of time deadline:

  1. Return sourceTime + deadline + 1 hour.

To obtain the report time at a window given an attribution source source and a non-negative integer window:

  1. Let earlyDeadlines be the result of running obtain early deadlines with source’s source type.

  2. Let deadline be source’s event report window.

  3. If earlyDeadlines[window] exists, set deadline to it.

  4. Return the result of running obtain a report time from deadline with source’s source time and deadline.

To obtain an event-level report delivery time given an attribution source source and a time triggerTime:

  1. Let deadlineToUse be source’s event report window.

  2. Let earlyDeadlines be the result of running obtain early deadlines with source’s source type.

  3. For each earlyDeadline of earlyDeadlines:

    1. Let time be source’s source time + earlyDeadline.

    2. If time is less than triggerTime, continue.

    3. If earlyDeadline is greater than or equal to deadlineToUse, continue.

    4. Set deadlineToUse to earlyDeadline.

    5. Break.

  4. Return the result of running obtain a report time from deadline with source’s source time and deadlineToUse.

To obtain an aggregatable report delivery time given a point in time triggerTime, perform the following steps. They return a point in time.

  1. Let r be a random double between 0 (inclusive) and 1 (exclusive) with uniform probability.

  2. Return triggerTime + min aggregatable report delay + r * randomized aggregatable report delay.

10.12. Obtaining an event-level report

To obtain an event-level report given an attribution source source, an attribution trigger trigger, and an event-level trigger configuration config:

  1. Let triggerDataCardinality be the user agent’s navigation-source trigger data cardinality.

  2. If source’s source type is "event", set triggerDataCardinality to the user agent’s event-source trigger data cardinality.

  3. Let report be a new event-level report struct whose items are:

    event ID

    source’s event ID.

    trigger data

    The remainder when dividing config’s trigger data by triggerDataCardinality.

    randomized trigger rate

    source’s randomized trigger rate.

    reporting endpoint

    source’s reporting endpoint.

    attribution destinations

    source’s attribution destinations.

    reporting time

    The result of running obtain an event-level report delivery time with source and trigger’s trigger time.

    trigger priority

    config’s priority.

    trigger time

    trigger’s trigger time.

    source identifier

    source’s source identifier.

    report id

    The result of generating a random UUID.

    source debug key

    source’s debug key.

    trigger debug key

    trigger’s debug key.

  4. Return report.

10.13. Obtaining an aggregatable report’s required budget

An aggregatable report report’s required aggregatable budget is the total value of report’s contributions.

10.14. Obtaining an aggregatable report

To obtain an aggregatable report given an attribution source source and an attribution trigger trigger:

  1. Let reportTime be the result of running obtain an aggregatable report delivery time with trigger’s trigger time.

  2. Let report be a new aggregatable report struct whose items are:

    reporting endpoint

    source’s reporting endpoint.

    effective attribution destination

    trigger’s attribution destination.

    source time

    source’s source time.

    original report time

    reportTime.

    report time

    reportTime.

    report id

    The result of generating a random UUID.

    source debug key

    source’s debug key.

    trigger debug key

    trigger’s debug key.

    contributions

    The result of running create aggregatable contributions with source and trigger.

    serialized private state token

    trigger’s serialized private state token

  3. Return report.

11. Report delivery

The user agent MUST periodically iterate over its event-level report cache and aggregatable report cache and run queue a report for delivery on each item.

To queue a report for delivery given an attribution report report, run the following steps in parallel:

  1. If report’s delivered value is true, return.

  2. Set report’s delivered value to true.

  3. If report’s report time is less than the current time, add an implementation-defined random amount to report time.

    Note: On startup, it is possible the user agent will need to send many reports whose report times passed while the browser was closed. Adding random delay prevents temporal joining of reports from different source origins.

  4. Wait until report’s report time is the current time.

  5. Optionally, wait a further implementation-defined length of time.

    Note: This is intended to allow user agents to optimize device resource usage.

  6. Run attempt to deliver a report with report.

11.1. Serialize an integer

To serialize an integer, represent it as a string of the shortest possible decimal number.

This would ideally be replaced by a more descriptive algorithm in Infra. See infra/201

11.2. Serialize attribution destinations

To serialize attribution destinations destinations, run the following steps:

  1. Assert: destinations is not empty.

  2. Let destinationStrings be a list

  3. For each destination in destinations:

    1. Assert: destination is not the opaque origin.

    2. append destination serialized to destinationStrings

  4. If destinationStrings’s size is equal to 1, return destinationStrings[0].

  5. Return destinationStrings.

11.3. Encode an unsigned k-bit integer

To encode an unsigned k-bit integer, represent it as a big-endian byte sequence of length k / 8, left padding with zero as necessary.

11.4. Obtaining an aggregatable report’s debug mode

An aggregatable report report’s debug mode is the result of running the following steps:

  1. If report’s source debug key is null, return disabled.

  2. If report’s trigger debug key is null, return disabled.

  3. Return enabled.

11.5. Obtaining an aggregatable report’s shared info

An aggregatable report report’s shared info is the result of running the following steps:

  1. Let reportingOrigin be report’s reporting endpoint.

  2. Let sharedInfo be an ordered map of the following key/value pairs:

    "api"

    "attribution-reporting"

    "attribution destination"

    report’s effective attribution destination, serialized

    "report_id"

    report’s report ID

    "reporting_origin"

    reportingOrigin, serialized

    "scheduled_report_time"

    report’s original report time in seconds since the UNIX epoch, serialized

    "source_registration_time"

    report’s source time in seconds since the UNIX epoch, rounded down to a multiple of a whole day (86400 seconds), serialized

    "version"

    A string, API version.

  3. If report’s debug mode is enabled, set sharedInfo["debug_mode"] to "enabled".

  4. Return the string resulting from executing serialize an infra value to a json string on sharedInfo.

11.6. Obtaining an aggregatable report’s aggregation service payloads

To obtain the public key for encryption, asynchronously return a user-agent-determined public key or an error in the event that the user agent failed to obtain the public key.

Note: The user agent might enforce weekly key rotation. If there are multiple keys, the user agent might independently pick a key uniformly at random for every encryption operation. The key should be uniquely identifiable.

An aggregatable report report’s plaintext payload is the result of running the following steps:

  1. Let payloadData be a new empty list.

  2. For each contribution of report’s contributions:

    1. Let contributionData be a map of the following key/value pairs:

      "bucket"

      contribution’s key, encoded

      "value"

      contribution’s value, encoded

    2. Append contributionData to payloadData.

  3. Let payload be a map of the following key/value pairs:

    "data"

    payloadData

    "operation"

    "histogram"

  4. Return the byte sequence resulting from CBOR encoding payload.

To obtain the encrypted payload given an aggregatable report report and a public key pkR, run the following steps:

  1. Let plaintext be report’s plaintext payload.

  2. Let encodedSharedInfo be report’s shared info, encoded.

  3. Let info be the concatenation of «"aggregation_service", encodedSharedInfo».

  4. Set up HPKE sender’s context with pkR and info.

  5. Return the byte sequence or an error resulting from encrypting plaintext with the sender’s context.

To obtain the aggregation service payloads given an aggregatable report report, run the following steps:

  1. Let pkR be the result of running obtain the public key for encryption.

  2. If pkR is an error, return pkR.

  3. Let encryptedPayload be the result of running obtain the encrypted payload with report and pkR.

  4. If encryptedPayload is an error, return encryptedPayload.

  5. Let aggregationServicePayloads be a new empty list.

  6. Let aggregationServicePayload be a map of the following key/value pairs:

    "payload"

    encryptedPayload, base64 encoded

    "key_id"

    A string identifying pkR

  7. If report’s debug mode is enabled, set aggregationServicePayload["debug_cleartext_payload"] to report’s plaintext payload, base64 encoded.

  8. Append aggregationServicePayload to aggregationServicePayloads.

  9. Return aggregationServicePayloads.

11.7. Serialize attribution report body

To obtain an event-level report body given an attribution report report, run the following steps:

  1. Let data be a map of the following key/value pairs:

    "attribution_destination"

    report’s attribution destinations, serialized.

    "randomized_trigger_rate"

    report’s randomized trigger rate

    "source_type"

    report’s source type

    "source_event_id"

    report’s event ID, serialized

    "trigger_data"

    report’s trigger data, serialized

    "report_id"

    report’s report ID

  2. If report’s source debug key is not null, set data["source_debug_key"] to report’s source debug key, serialized.

  3. If report’s trigger debug key is not null, set data["trigger_debug_key"] to report’s trigger debug key, serialized.

  4. Return data.

To serialize an event-level report report, run the following steps:

  1. Let data be the result of running obtain an event-level report body with report.

  2. Return the byte sequence resulting from executing serialize an infra value to JSON bytes on data.

To serialize an aggregatable report report, run the following steps:

  1. Assert: report’s effective attribution destination is not the opaque origin.

  2. Let aggregationServicePayloads be the result of running obtain the aggregation service payloads.

  3. If aggregationServicePayloads is an error, return aggregationServicePayloads.

  4. Let data be a map of the following key/value pairs:

    "shared_info"

    report’s shared info.

    "aggregation_service_payloads"

    aggregationServicePayloads

  5. If report’s source debug key is not null, set data["source_debug_key"] to report’s source debug key, serialized.

  6. If report’s trigger debug key is not null, set data["trigger_debug_key"] to report’s trigger debug key, serialized.

  7. Return the byte sequence resulting from executing serialize an infra value to JSON bytes on data.

To serialize an attribution report report, run the following steps:

  1. If report is an:

    event-level report
    Return the result of running serialize an event-level report with report.
    aggregatable report
    Return the result of running serialize an aggregatable report with report.

Note: The inclusion of "report_id" in the report body is intended to allow the report recipient to perform deduplication and prevent double counting, in the event that the user agent retries reports on failure. To prevent the report recipient from learning additional information about whether a user is online, retries might be limited in number and subject to random delays.

11.8. Serialize attribution debug report body

To serialize an attribution debug report report, run the following steps:

  1. Let collection be an empty list.

  2. For each debugData of report’s data:

    1. Let data be a map of the following key/value pairs:

      "type"

      debugData’s data type

      "body"

      debugData’s body

    2. Append data to collection.

  3. Return the byte sequence resulting from executing serialize an Infra value to JSON bytes on collection.

11.9. Get report request URL

To generate a report URL given a suitable origin reportingOrigin and a list of strings path:

  1. Let reportUrl be a new URL record.

  2. Set reportUrl’s scheme to reportingOrigin’s scheme.

  3. Set reportUrl’s host to reportingOrigin’s host.

  4. Set reportUrl’s port to reportingOrigin’s port.

  5. Let fullPath be «".well-known", "attribution-reporting"».

  6. Append path to fullPath.

  7. Set reportUrl’s path to path.

  8. Return reportUrl.

To generate an attribution report URL given an attribution report report and an optional boolean isDebugReport (default false):

  1. Let path be an empty list.

  2. If isDebugReport is true, append "debug" to path.

  3. If report is an:

    event-level report
    Append "report-event-attribution" to path.
    aggregatable report
    Append "report-aggregate-attribution" to path.

  4. Return the result of running generate a report URL with report’s reporting endpoint and path.

To generate an attribution debug report URL given an attribution debug report report:

  1. Let path be «"debug", "verbose"».

  2. Return the result of running generate a report URL with report’s reporting endpoint and path.

11.10. Creating a report request

To create a report request given a URL url, a byte sequence body, and a header list newHeaders (defaults to an empty list):

  1. Let headers be a new header list containing a header named "Content-Type" whose value is "application/json".

  2. For each header in newHeaders:

    1. append header to headers.

  3. Let request be a new request with the following properties:

    method

    "POST"

    URL

    url

    header list

    headers

    body

    A body whose source is body.

    referrer

    "no-referrer"

    client

    null

    window

    "no-window"

    service-workers mode

    "none"

    initiator

    ""

    mode

    "cors"

    unsafe-request flag

    set

    credentials mode

    "omit"

    cache mode

    "no-store"

  4. Return request.

11.11. Issuing a report request

This algorithm constructs a request and attempts to deliver it to a suitable origin.

To remove a report from the cache given an attribution report report:

  1. If report is an:

    event-level report
    Queue a task to remove report from the event-level report cache.
    aggregatable report
    Queue a task to remove report from the aggregatable report cache.

To attempt to deliver a report given an attribution report report, run the following steps:

  1. Let url be the result of executing generate an attribution report URL on report.

  2. Let data be the result of executing serialize an attribution report on report.

  3. If data is an error, run remove a report from the cache with report and return.

  4. Let newHeaders be a new header list.

  5. If report is an aggregatable report

    1. If report’s serialized private state token is not null, append a new header named "Sec-Attribution-Reporting-Private-State-Token" to newHeaders whose value is report’s serialized private state token.

  6. Let request be the result of executing create a report request on url, data, and newHeaders.

  7. Queue a task to fetch request with processResponse being remove a report from the cache with report.

This fetch should use a network partition key for an opaque origin. [Issue #220]

A user agent MAY retry this algorithm in the event that there was an error.

11.12. Issuing a debug report request

To attempt to deliver a debug report given an attribution report report:

  1. Let url be the result of executing generate an attribution report URL on report with isDebugReport set to true.

  2. Let data be the result of executing serialize an attribution report on report.

  3. If data is an error, return.

  4. Let request be the result of executing create a report request on url and data.

  5. Fetch request.

11.13. Issuing a verbose debug request

To attempt to deliver a verbose debug report given an attribution debug report report:

  1. Let url be the result of executing generate an attribution debug report URL on report.

  2. Let data be the result of executing serialize an attribution debug report on report.

  3. Let request be the result of executing create a report request on url and data.

  4. Fetch request.

This fetch should use a network partition key for an opaque origin. [Issue #220]

A user agent MAY retry this algorithm in the event that there was an error.

12. Security considerations

TODO

13. Privacy consideration

TODO

13.1. Clearing attribution storage

A user agent’s attribution caches contain data about a user’s web activity. When a user agent clears an origin’s storage, it MUST also remove entries in the attribution caches whose source origin, attribution destinations, reporting endpoint, attribution destinations, or reporting endpoint is the same as the cleared origin.

A user agent MAY clear attribution cache entries at other times. For example, when a user agent clears an origin from a user’s browsing history.

Conformance

Document conventions

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

Examples in this specification are introduced with the words “for example” or are set apart from the normative text with class="example", like this:

This is an example of an informative example.

Informative notes begin with the word “Note” and are set apart from the normative text with class="note", like this:

Note, this is an informative note.

Conformant Algorithms

Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm.

Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.

Index

Terms defined by this specification

Terms defined by reference

References

Normative References

[ENCODING]
Anne van Kesteren. Encoding Standard. Living Standard. URL: https://encoding.spec.whatwg.org/
[FETCH]
Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
[HTML]
Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[INFRA]
Anne van Kesteren; Domenic Denicola. Infra Standard. Living Standard. URL: https://infra.spec.whatwg.org/
[PERMISSIONS-POLICY-1]
Ian Clelland. Permissions Policy. URL: https://w3c.github.io/webappsec-permissions-policy/
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
[RFC8949]
C. Bormann; P. Hoffman. Concise Binary Object Representation (CBOR). December 2020. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc8949
[RFC9180]
R. Barnes; et al. Hybrid Public Key Encryption. February 2022. Informational. URL: https://www.rfc-editor.org/rfc/rfc9180
[SECURE-CONTEXTS]
Mike West. Secure Contexts. URL: https://w3c.github.io/webappsec-secure-contexts/
[URL]
Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/
[WEBIDL]
Edgar Chen; Timothy Gu. Web IDL Standard. Living Standard. URL: https://webidl.spec.whatwg.org/

Informative References

[STORAGE]
Anne van Kesteren. Storage Standard. Living Standard. URL: https://storage.spec.whatwg.org/

IDL Index

interface mixin HTMLAttributionSrcElementUtils {
    [CEReactions] attribute USVString attributionSrc;
};

HTMLAnchorElement includes HTMLAttributionSrcElementUtils;
HTMLImageElement includes HTMLAttributionSrcElementUtils;
HTMLScriptElement includes HTMLAttributionSrcElementUtils;

Issues Index

Monkeypatch window.open().
Specify monkeypatches for source/trigger registration.
Determine whether to limit length or code point length for filter and d above.
Check for "ar_debug" cookie on reportingOrigin and return allowed if it exists, is Secure, is HttpOnly, and is SameSite=None.
confirm that the maximum destinations size is workable.
Specify the steps for making attributionsrc request.
Check for transient activation. Issue: Specify the steps for making an attributionsrc request with decodedSrc.
Determine whether to limit length or code point length for key above using max bytes per aggregation key identifier.
Ensure that all sites in attributionDestinations have HTTP/HTTPS schemes.
Should fake reports respect the user agent’s max event-level reports per attribution destination?
Allow the user agent to return null if values’s size is greater than some constant.
Determine whether to limit length or code point length for sourceKey above using max bytes per aggregation key identifier.
Determine whether to limit length or code point length for key above using max bytes per aggregation key identifier.
properly define the "finishing issuance" operation.
properly define "begin redemption" operation. Consider running the algorithm at report sending time.
This would ideally be replaced by a more descriptive algorithm in Infra. See infra/201
This fetch should use a network partition key for an opaque origin. [Issue #220]
This fetch should use a network partition key for an opaque origin. [Issue #220]