Update: Permissions-Policy change during testing

Maud Nalpas

Sep 20, 2022, 11:19:03 AM
to Attribution Reporting API announcements (and developer questions)

Hi everyone, 

To address feedback we've received and ease experimentation, the default allowlist for the Attribution Reporting API Permissions-Policy has been changed to *, starting with the stable release of Chrome 106. This change is only effective during the testing phase.

Read more details in the updated Handbook > Permissions section.

# What does the new behavior change?

  • During testing, the Permissions-Policy is no longer needed on cross-origin iframes. By default, the Attribution Reporting API will be enabled in these frames.

  • During testing, origin trial tokens are only needed in the iframe calling the API.

# What remains unchanged?

A site can still disable the Attribution Reporting API for all parties—including scripts with top-level access and all iframes—by sending the HTTP response header:

Permissions-Policy: attribution-reporting=()

# What should you do?

  • Expect more traffic. The new behavior means that the API will be available in more contexts, by default.

  • No code changes are needed. 

    • We recommend that you keep allow=attribution-reporting where you've already added it. Even though it isn't required during the testing phase due to the new behavior in the stable release of Chrome 106, it will be required again in the future. Keeping it also will make it easier to detect places where you'll need to take action with your partners. More on this below.

    • You can keep your origin trial token. The new behavior will be effective starting with the stable release of Chrome 106, even for tokens created before the behavior change.

    • Your feature detection code should remain unchanged, and look as documented here. Regardless of the new behavior starting with the stable release of Chrome 106, you should detect that the feature is available before using it. This is important because a nesting context—for example, a page your code runs in, or a page that embeds an iframe your code runs in—can still disable the API regardless of the new behavior. 

  • As this change is temporary, start preparing now with your partners (publisher, SSPs, or other) for a future where Attribution Reporting will need to be explicitly allowed.

    • Look out for warnings in DevTools. These will be visible starting from Chrome 107 or 108, as we're currently implementing them. When you see a DevTools issue on a missing attribution-reporting Permissions-Policy, take action. Add Permissions-Policy where necessary in your codebase, for example on iframes. Get in touch with relevant partners (for example, SSPs) so that they add the Permissions-Policy on their iframes.

    • If you identify challenges with this in the long term, please file an issue on the API proposal repository or engage on this issue.

# How can the new behavior be tested?

Open Chrome 106 stable (available starting from September 27th). Open this demo. Follow the instructions on the demo page.

  • Given the new behavior, you should see "Is Attribution Reporting allowed? → ✅ YES" for all embedded iframes.

  • The previous behavior would instead display "Is Attribution Reporting allowed? → ❌ NO" for the first two embedded iframes.

# Do you have a question?

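To make the announcement's advice about preparing iframes concrete, here is an added example (not code from the post or from Chrome): a simplified, one-level model of how the Permissions-Policy header and the iframe allow attribute combine, used to list the frames that work under the testing-phase default of * but would need allow=attribution-reporting under a stricter default. It assumes the stricter default allowlist is self, which the post does not state; the origins and function names are constructed.

```javascript
const FEATURE = 'attribution-reporting';

// Allowlist for FEATURE from a Permissions-Policy header value,
// or null when the header is absent or does not mention the feature.
function parseAllowlist(headerValue) {
  if (!headerValue) return null;
  for (const part of headerValue.split(',')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== FEATURE) continue;
    const value = rest.join('=').trim();
    if (value === '*') return ['*'];
    return value.replace(/^\(|\)$/g, '').split(/\s+/).filter(Boolean)
      .map((item) => item.replace(/"/g, ''));
  }
  return null;
}

// frame = { origin, allow }; allow is true when the <iframe> carries
// allow="attribution-reporting". Models one nesting level only.
function isAllowed(frame, topOrigin, headerValue, defaultAllowlist) {
  const sameOrigin = frame.origin === topOrigin;
  const list = parseAllowlist(headerValue);
  if (list !== null) {
    // The embedding page's header is an upper bound: () disables every party.
    const ok = list.includes('*') || list.includes(frame.origin) ||
      (sameOrigin && list.includes('self'));
    if (!ok) return false;
  }
  if (frame.allow) return true;
  return defaultAllowlist === '*' || sameOrigin;
}

// Origins that are enabled with default '*' but not with default 'self'
// (assumed stricter default): these frames need the allow attribute.
function framesNeedingAllow(frames, topOrigin, headerValue) {
  return frames
    .filter((f) => isAllowed(f, topOrigin, headerValue, '*') &&
                   !isAllowed(f, topOrigin, headerValue, 'self'))
    .map((f) => f.origin);
}

// Constructed sample page: a publisher embedding three frames.
const TOP = 'https://publisher.example';
const FRAMES = [
  { origin: 'https://publisher.example', allow: false },
  { origin: 'https://ssp.example', allow: false },
  { origin: 'https://adtech.example', allow: true },
];
console.log(framesNeedingAllow(FRAMES, TOP, null));
```

The browser's real evaluation also covers nested frames and `'src'`/`'none'` keywords in the allow attribute, so treat the result as a checklist for partner follow-up rather than a substitute for the DevTools warnings.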