Add Clarifying Note About Cross Origin Retrieval Header for Delegation File (#1029)

Ran into this while testing, probably should be assumed but wanted to save someone else the trouble.
thegreatfatzby authored Jun 21, 2024
1 parent d9983cf commit 3779f0f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion FLEDGE.md
Expand Up @@ -292,7 +292,7 @@ If any of these per-owner limits are exceeded, the interest group(s) that would

#### 1.3 Permission Delegation

When a frame navigated to one domain calls joinAdInterestGroup(), leaveAdInterestGroup(), or clearOriginJoinedAdInterestGroups() for an interest group with a different owner, the browser will fetch the URL https://owner.domain/.well-known/interest-group/permissions/?origin=frame.origin, where `owner.domain` is domain that owns the interest group and `frame.origin` is the origin of the frame. The fetch uses the `omit` [credentials mode](https://fetch.spec.whatwg.org/#concept-request-credentials-mode), using the [Network Partition Key](https://fetch.spec.whatwg.org/#network-partition-keys) of the frame that invoked the method. To avoid leaking cross-origin data through the returned Promise unexpectedly, the fetch uses the `cors` [mode](https://fetch.spec.whatwg.org/#concept-request-mode). The fetched response should have a JSON MIME type and be of the format:
When a frame navigated to one domain calls joinAdInterestGroup(), leaveAdInterestGroup(), or clearOriginJoinedAdInterestGroups() for an interest group with a different owner, the browser will fetch the URL https://owner.domain/.well-known/interest-group/permissions/?origin=frame.origin, where `owner.domain` is domain that owns the interest group and `frame.origin` is the origin of the frame. The fetch uses the `omit` [credentials mode](https://fetch.spec.whatwg.org/#concept-request-credentials-mode), using the [Network Partition Key](https://fetch.spec.whatwg.org/#network-partition-keys) of the frame that invoked the method. To avoid leaking cross-origin data through the returned Promise unexpectedly, the fetch uses the `cors` [mode](https://fetch.spec.whatwg.org/#concept-request-mode). The fetched response should have a JSON MIME type, have a `Access-Control-Allow-Origin` that allows it to load from the calling origin, and be of the format:

```
{ "joinAdInterestGroup": true/false,
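
Review bot: The added clause "have a `Access-Control-Allow-Origin` that allows it to load from the calling origin" omits the word "header", needs "an" rather than "a", and introduces "calling origin" where this paragraph has already defined `frame.origin`. Suggested wording: "include an `Access-Control-Allow-Origin` header that permits `frame.origin`". Because the same paragraph states that the fetch uses `cors` mode with `omit` credentials, the text should also say whether a wildcard `*` value is accepted or whether the header must echo `frame.origin` exactly (the Fetch CORS check accepts either for a request without credentials), so that owners serving the permissions file know which value to configure. While this sentence is being touched, "is domain that owns" earlier in the paragraph could become "is the domain that owns".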