Spec: Define per-context contribution limits

This change adds the web-visible `maxContributions` field, which enables some callers to request different numbers of contributions per report.
patcg-individual-drafts · Oct 16, 2024 · 507e622 · 507e622
1 parent f5cda2b
commit 507e622
Showing 1 changed file with 60 additions and 14 deletions.
diff --git a/spec.bs b/spec.bs
@@ -379,6 +379,8 @@ An aggregatable report is a [=struct=] with the following items:
 :: A [=string=] or null
 : <dfn>filtering ID max bytes</dfn>
 :: A positive integer
+: <dfn>max contributions</dfn>
+:: A positive integer
 : <dfn>queued</dfn>
 :: A [=boolean=]
 
@@ -411,6 +413,8 @@ items:
 :: A [=string=] or null
 : <dfn>filtering ID max bytes</dfn> (default: [=default filtering ID max bytes=])
 :: A positive integer
+: <dfn>requested max contributions</dfn> (default: null)
+:: A positive integer or null
 
 </dl>
 
@@ -467,10 +471,20 @@ controls which [=origins=] are valid [=aggregation coordinators=]. Every
 <dfn>Default aggregation coordinator</dfn> is an [=aggregation coordinator=]
 that controls which is used for a report if none is explicitly selected.
 
-<dfn>Maximum report contributions</dfn> is a [=map=] from [=context type=] to
-positive integers. Semantically, it defines the maximum number of contributions
-that can be present in a single report for every kind of calling context, e.g.
-Shared Storage.
+<dfn>Maximum maxContributions</dfn> is a positive integer that defines an upper
+bound on the number of contributions per [=aggregatable report=].
+
+<dfn>Valid maxContributions range</dfn> is a non-empty [=set=] of positive
+integers. Its value is [=the inclusive range=] 1 to [=maximum
+maxContributions=]. The values in this range exhaustively define the possible
+values for the number of contributions per [=aggregatable report=].
+
+<dfn>Default maxContributions by API</dfn> is a [=map=] from [=context types=]
+to positive integers. Semantically, it defines the default number of
+contributions per report for every kind of calling context, e.g. Shared Storage.
+The values in this map are used when callers do not specifically request another
+value. Each of the values in this map must be [=set/contained=] in the [=valid
+maxContributions range=].
 
 <dfn>Minimum report delay</dfn> is a non-negative [=duration=] that controls the
 minimum delay to deliver an [=aggregatable report=].
@@ -666,6 +680,9 @@ scope</dfn> given a [=pre-specified report parameters=] |params| and a
     filtering ID max bytes=].
 1. [=Assert=]: |filteringIdMaxBytes| is [=set/contained=] in the [=valid
     filtering ID max bytes range=]
+1. Let |requestedMaxContributions| be |params|' [=pre-specified report
+    parameters/requested max contributions=].
+1. [=Assert=]: |requestedMaxContributions| is null or greater than zero.
 1. [=map/Set=] [=pre-specified report parameters map=][|batchingScope|] to
     |params|.
 
@@ -701,11 +718,13 @@ null |timeout|:
             1. [=iteration/Break=].
     1. If |hasProcessedContribution| is false, [=list/append=] |contribution| to
         |mergedContributions|.
+1. Let |effectiveMaxContributions| be the result of [=determining the effective
+    max contributions=] with |preSpecifiedParams| and |api|.
 1. Let |truncatedContributions| be a new [=list=].
-1. If |mergedContributions| has a [=list/size=] greater than [=maximum report
-    contributions=][|api|]:
-    1. [=set/For each=] |n| of [=the exclusive range|the range=] 0 to [=maximum
-        report contributions=][|api|], exclusive:
+1. If |mergedContributions| has a [=list/size=] greater than
+    |effectiveMaxContributions|:
+    1. [=set/For each=] |n| of [=the exclusive range|the range=] 0 to
+         |effectiveMaxContributions|, exclusive:
         1. [=set/Append=] |mergedContributions|[|n|] to
             |truncatedContributions|.
 1. Otherwise, set |truncatedContributions| to |mergedContributions|.
@@ -754,7 +773,7 @@ To <dfn>obtain an aggregatable report</dfn> given an [=origin=]
 |reportingOrigin|, a [=context type=] |api|, a [=list=] of
 {{PAHistogramContribution}}s |contributions|, a [=debug details=]
 |debugDetails|, an [=aggregation coordinator=] |aggregationCoordinator|, a
-[=pre-specified report parameters=] |preSpecifiedParams|, a [=moment] or null
+[=pre-specified report parameters=] |preSpecifiedParams|, a [=moment=] or null
 |timeout| and a [=moment=] |currentTime|,
 perform the following steps. They return an [=aggregatable report=].
 1. [=Assert=]: |reportingOrigin| is a [=potentially trustworthy origin=].
@@ -782,6 +801,9 @@ perform the following steps. They return an [=aggregatable report=].
     : [=aggregatable report/filtering ID max bytes=]
     :: |preSpecifiedParams|' [=pre-specified report parameters/filtering ID max
         bytes=]
+    : [=aggregatable report/max contributions=]
+    :: The result of [=determining the effective max contributions=] with
+        |preSpecifiedParams| and |api|.
     : [=aggregatable report/queued=]
     :: false
 1. Return |report|.
@@ -804,6 +826,21 @@ They return a [=moment=].
 
 </div>
 
+<div algorithm>
+To <dfn>determine the effective max contributions</dfn> given a [=pre-specified
+report parameters=] |preSpecifiedParams| and a [=context type=] |api|, perform
+the following steps. They return a positive integer that is [=set/contained=] in
+the [=valid maxContributions range=].
+1. Let |defaultMaxContributions| be [=default maxContributions by API=][|api|].
+1. Let |requestedMaxContributions| be |preSpecifiedParams|' [=pre-specified
+    report parameters/requested max contributions=].
+1. If |requestedMaxContributions| is null, return |defaultMaxContributions|.
+1. If |requestedMaxContributions| is greater than [=maximum maxContributions=],
+    return [=maximum maxContributions=].
+1. Return |requestedMaxContributions|.
+
+</div>
+
 Sending reports {#sending-reports}
 ----------------------------------
 
@@ -1027,8 +1064,9 @@ To <dfn>obtain the plaintext payload</dfn> given an [=aggregatable report=]
     |report|, perform the following steps. They return a [=byte sequence=].
 1. Let |payloadData| be a new [=list=].
 1. Let |contributions| be |report|'s [=aggregatable report/contributions=].
-1. Let |maxContributions| be
-    [=maximum report contributions=][[=aggregatable report/api=]].
+1. Let |maxContributions| be |report|'s [=aggregatable report/max contributions=].
+1. If |maxContributions| is null, set it to [=default maxContributions by
+    API=][[=aggregatable report/api=]].
 1. [=Assert=]: |contributions|' [=list/size=] is not greater than
     |maxContributions|.
 1. [=iteration/While=] |contributions|' [=list/size=] is less than
@@ -1196,6 +1234,9 @@ Note: Without this, [=aggregatable reports=] would be subject to delays, making
 
 </div>
 
+Issue: Add Shared Storage monkey patch that defines the `maxContributions`
+field.
+
 Protected Audience API monkey patches {#protected-audience-api-monkey-patches}
 ==============================================================================
 
@@ -1341,16 +1382,21 @@ WebIDL modifications {#protected-audience-api-webidl-modifications}
 The {{AuctionAdConfig}} and {{AuctionAdInterestGroup}} dictionaries are
 modified to add a new field:
 <xmp class="idl">
-dictionary ProtectedAudiencePrivateAggregationConfig {
+dictionary ProtectedAudienceAuctionPrivateAggregationConfig {
+  USVString aggregationCoordinatorOrigin;
+  [EnforceRange] unsigned long long maxContributions;
+};
+
+dictionary ProtectedAudienceInterestGroupPrivateAggregationConfig {
   USVString aggregationCoordinatorOrigin;
 };
 
 partial dictionary AuctionAdConfig {
-  ProtectedAudiencePrivateAggregationConfig privateAggregationConfig;
+  ProtectedAudienceAuctionPrivateAggregationConfig privateAggregationConfig;
 };
 
 partial dictionary AuctionAdInterestGroup {
-  ProtectedAudiencePrivateAggregationConfig privateAggregationConfig;
+  ProtectedAudienceInterestGroupPrivateAggregationConfig privateAggregationConfig;
 };
 </xmp>