List of Specifications

High level overviews of the core APIs from Google or others, as well as shared resources for developer support during the FOT #1 and beyond

The intent of the Topics API is to provide callers with coarse-grained, contextual advertising topics that the page visitor might currently be interested in

Core API for creating privacy-protected audiences (interest groups) and a privacy-preserving mechanism for running and bidding on ad auctions

Supports measurement of clicks and views with event-level and aggregate reports

The fenced frame enforces a boundary between the embedding page and the cross-site embedded document (the ad) such that user data visible to the two sites is not able to be joined together. This can be helpful in preventing user tracking or other privacy threats.

Core elements of the Trusted Execution Environment (TEE) and Key Value Server. Includes defining the TEE, bidding and auction services, and key value services

The Attribution Reporting API is designed to provide two types of reports: an "event-level report," which corresponds to a single attributed event, and a summary report. Adtechs use the aggregation service to generate summary reports, which offer detailed conversion data (such as purchase values and cart contents) and flexibility for click and view data

A proposal from the WC3 Privacy Advertising Technology Community Group that introduces a generic mechanism for measuring aggregate, cross-site data in a privacy-preserving manner

Trusted servers in FLEDGE are used to add real-time signals into ad selection for both buyers and sellers. The FLEDGE proposal specifies that these trusted servers should provide basic key-value lookups to facilitate fetching these signals but do no event-level logging or have other side effects

The Bidding and Auction Services proposal outlines a way to allow Protected Audience computation to take place on cloud servers in a trusted execution environment, rather than running locally on a user's device.

Provides a set of APIs for an online attestation process, an attestation model, which requires developers to agree to restrictions around the usage of the Google Sandbox services to prevent re-identification of users across sites

Related Website Sets (RWS) is a way for a company to declare relationships among sites, so that browsers allow limited third-party cookie access for specific purposes.

To prevent certain types of side-channel cross-site tracking, Chrome has partitioned most storage and communications APIs in third-party contexts.

A browser-related storage API that is intentionally not partitioned by top-frame site (though still partitioned by context origin of course!). To limit cross-site reidentification of users, data in Shared Storage may only be read in a restricted environment

The goal of the Private State Tokens is to transfer a limited number of signals across sites through time in a privacy preserving manner.

‍

This API proposes a new per-origin storage area for “Privacy Pass” style cryptographic tokens, which are accessible in third party contexts. These tokens are non-personalized and cannot be used to track users, but are cryptographically signed so they cannot be forged.

Allow developers to opt into a cookie in "partitioned" storage, with a separate cookie jar per top-level site.

Privacy Sandbox Resources for Chromium Developers

Federated Credential Management attempts to preserve and elevate identity federation (e.g. OpenID, OAuth and SAML) for a more private Web

A specification to reduce ability of third-parties to perform bounce tracking. Bounce tracking refers to the use of redirects in a top-level context along with link decoration to join user identities between sites.

An approach to local storage that basically ties storage of any item to a particular top-level domain so that no cross-site tracking can occur

Safe Browsing is a Google service that lets client applications check URLs against Google's constantly updated lists of unsafe web resources.

Chrome is reintroducing a proposal to protect users against cross-site tracking via IP addresses. This proposal is a privacy proxy that anonymizes IP addresses for qualifying traffic as described above.

This specification defines navigational tracking and when and how browsers are required to prevent it from happening.

A browser’s network resources, such as connections, DNS cache, and alternative service data are generally shared globally. Network State Partitioning will partition much of this state to prevent these resources from being shared across first-party contexts

An attempt to create a metric that communicates the amount of data collected (the amount of privacy exposure) by a specific browser. Once the metric is in place, then privacy budget limits can be put in place to establish a standard for the industry to follow

The Storage Access API enables content inside iframes to request and be granted access to their client-side storage, so that embedded content which relies on having access to client-side storage can work in such User Agents.

‍

There is currently an intension to extend the Storage Access API to non-cookie storage.  This would provide a means for authenticated cross-site embeds to check their blocking status and request access to storage if they are blocked.

‍

The User-Agent string specifies details about the browser and device you use so that sites you visit render and function well. However, it is also a significant surface for so-called passive fingerprinting. Client Hints API enables sites to request the information they need directly and will eventually reduce details contained in the User-Agent string, limiting the information shared about an online user

Web Risk is the enterprise version of the Safe Browsing API. It is a Google Cloud service that lets client applications check URLs against Google's constantly updated lists of unsafe web resources.

An interface that web developers use to schedule asynchronous and non-blocking delivery of data that minimizes resource contention with other time-critical operations, while ensuring that such requests are still processed and delivered to destination. Used extensively by for reporting in Protected Audiences and Attribution Reporting APIs

This specification defines a mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself.

This are documents that define cookies and how they operates.

CORB prevents the browser from receiving a cross-origin data resource if it has an X-Content-Type-Options: nosniff or if CORS doesn’t explicitly allow access to the resource (see CORS below)

CBOR is a binary data serialization format based on JSON. Like JSON it allows the transmission of data objects that contain name–value pairs, but in a more concise manner. This increases processing and transfer speeds at the cost of human readability.

Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets websites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.

The browser's same-origin policy blocks reading a resource from a different origin. This prevent malicious sites from reading other sites' data, but it also prevents legitimate uses.

‍

CORS, which is turned off by default, lets the server tell the browser it can use an additional origin.

The File API defines the basic representations for files, lists of files, errors raised by access to files, and programmatic ways to read files.

The File System Access API enables developers to build powerful web apps that interact with files on the user's local device, such as IDEs, photo and video editors, and text editors among others. It is used by GPS to interface with its SQLite storage

V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. It implements ECMAScript and WebAssembly, and runs on Windows 7 or later, macOS 10.12+, and Linux systems that use x64, IA-32, ARM, or MIPS processors. V8 can run standalone, or can be embedded into any C++ application.

Sandbox2 is an open-source C++ security sandbox for Linux written by security engineers at Google. Sandbox2 allows developers to run untrusted third-party developed software where they don't have access to source code, or don't have resources to perform a source code assessment

An API that can be used to understand the visibility and position of DOM elements ("targets") relative to a containing element or to the top-level viewport ("root"). It presents a security weakness for Fenced Frames and will ultimately not be supported int he Fenced Frames API

A browser element that pulls the state of the user agent. A fundamental HTML underlying technology underlying the Sandbox

Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website.

Describes threat models for feature abuse on the web and outlines normative requirements which should be incorporated into documents specifying new features

WebAssembly is a type of binary-code that can be run in modern web browsers, it enables us to write code in multiple languages and run it at near-native speed on the web.

This is a deeply technical, fundamental browser standard that most business types can ignore and yet understand the Privacy Sandbox. However, it is fundamental to how various Privacy Sandbox capabilities work, for example script runners. So mentioned here.

Web workers are designed to perform computationally intensive or long-running tasks in a separate thread, improving responsiveness of the main thread. They were intended to be used for long-running scripts with high startup performance costs and high per-instance memory costs, that are not interrupted by scripts that respond to user-generated interactions.

Worklets are a lightweight version of web workers that allow developers to extend the CSS rendering engine to handle custom CSS properties, functions and animations.

Fenced Frames are designed to be able to provide a second type of protection as well: they will not use the network to load any data from a server, instead only rendering content that was previously downloaded (e.g. as a Web Bundle). This restriction is focused on preventing information leakage based on server-side joins via timing attacks.

Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security.

Hybrid public key encryption (HPKE) uses a symmetric encryption algorithm to encrypt data, and encapsulates the symmetric encryption material using a public key encryption algorithm. It is used in Topics API, as well as browser auctions and bidding.

Used by private state tokens API to generate the certificate used to validate browser represents a real person

Currently proposed by Safari and supported by Apple, but not supported by the Google Privacy Sandbox at this time, Private Click Measurement allows advertisers to track when a user clicks an ad on one site and makes a purchase (or triggers a conversion) on another site without exposing the user's identity or browsing behavior. It is an alternative to Google's Attribution Reporting API

Conceptual discussions around additional ideas, modifications, and extensions to the privacy sandbox for RTB including:

• Dovekey
• Augury
• Frequency Capping
• Structured User Agent
• Structured Geolocation

FLoC stands for Federated Learning of Cohorts. It was a first attempt at creating contextual audiences. It was superseded by the Topics APIl

INACTIVE: Multi-party Computation of Ads on the Web

INACTIVE: Masked Learning, Aggregation and Reporting worKflow

An alternative proposal for behavioral targeting that was withdrawn in favor of Protected Audiences API

INACTIVE: SPARROW was an answer to TURTLEDOVE’s limitations. Introduced by Criteo, an ad tech company, SPARROW stands for ‘Secure Private Advertising Remotely Run on Web Server.”  The proposal aimed at providing more value for the ad ecosystem, more control and transparency, and safeguarding the user experience

‍

Important elements are now part of the Protected Audiences API

‍

INACTIVE: Private and Anonymized Requests for Ads that Keep Efficacy and Enhance Transparency

From prebid: A proposal to adapt Turtledove (now Protected Audiences) to allow for parallel auctions.

This proposal is about technologies that would be implemented to offer a path for doing reporting and measurement in a privacy-preserving way in the browser, as opposed to server-side infrastructure.

SWAN enables transparent audit trail of the companies that process people’s data. It provides visual indicators to confirm compliance by external auditors. It also provides consumers the option to block annoying adverts and report offenders

Was an addendum aggregating and discussing issues related to DSP and SSP elements in the original TurtleDove specification, and provided recommendations for changes.