fixup! Spec: Define per-context contribution limits

spec.bs

@@ -473,17 +473,12 @@ that controls which is used for a report if none is explicitly selected.
 <dfn>Maximum maxContributions</dfn> is a positive integer that defines an upper
 bound on the number of contributions per [=aggregatable report=].
 
-<dfn>Valid maxContributions range</dfn> is a non-empty [=set=] of positive
-integers. Its value is [=the inclusive range=] 1 to [=maximum
-maxContributions=]. The values in this range exhaustively define the possible
-values for the number of contributions per [=aggregatable report=].
-
 <dfn>Default maxContributions by API</dfn> is a [=map=] from [=context types=]
 to positive integers. Semantically, it defines the default number of
 contributions per report for every kind of calling context, e.g. Shared Storage.
 The values in this map are used when callers do not specifically request another
-value. Each of the values in this map must be [=set/contained=] in the [=valid
-maxContributions range=].
+value. Each value in this map must be less than or equal to [=maximum
+maxContributions=].
 
 <dfn>Minimum report delay</dfn> is a non-negative [=duration=] that controls the
 minimum delay to deliver an [=aggregatable report=].
@@ -587,11 +582,14 @@ steps. They return a [=boolean=]:
     contributions=] is not null, return true.
 1. Return false.
 
-Note: Even when budget is insufficient for the requested contributions, a report
-    has to be sent when the caller provided a context ID, non-default filtering
-    ID max bytes, or non-null max contributions. See [Protecting against leaks
-    via the number of
-    reports](#protecting-against-leaks-via-the-number-of-reports).
+Note: It is sometimes necessary to send a 'null report' to conceal the fact that
+ there were no contributions. For instance, it's possible that budget, which is
+ cross-site data in its own right, was insufficient for the requested
+ contributions. Alternatively, the caller might have chosen to make no
+ contributions after reading cross-site data. In these kinds of scenarios, the
+ absence of a report could reveal cross-site data to the reporting endpoint. See
+ [Protecting against leaks via the number of
+ reports](#protecting-against-leaks-via-the-number-of-reports).
 
 </div>
 
@@ -850,8 +848,7 @@ They return a [=moment=].
 <div algorithm>
 To <dfn>determine the max contributions</dfn> given a [=pre-specified report
 parameters=] |preSpecifiedParams| and a [=context type=] |api|, perform the
-following steps. They return a positive integer that is [=set/contained=] in the
-[=valid maxContributions range=].
+following steps. They return a positive integer.
 1. Let |requestedMaxContributions| be |preSpecifiedParams|' [=pre-specified
     report parameters/requested max contributions=].
 1. If |requestedMaxContributions| is null, return [=default maxContributions by
@@ -1298,15 +1295,13 @@ However, the number of reports with the given metadata could expose some
 cross-site information. To protect against this, the API delays sending reports
 by a randomized amount of time to make it difficult to determine whether a
 report was sent or not from any particular event. In the case that a
-[=aggregatable report/context ID=] is supplied, a non-default [=aggregatable
-report/filtering ID max bytes=] is specified, or a [=aggregatable report/max
-contributions=] is specified, the API makes the number of reports sent
-deterministic (sending 'null reports' if necessary -- each containing only a
-contribution with a value of 0 in the payload). Additional mitigations may also
-be possible in the future, e.g. adding noise to the report count.
-
-Issue: Shouldn't the paragraph above refer to fields of [=pre-specified report
- parameters=] instead of [=aggregatable report=]?
+[=pre-specified report parameters/context ID=] is supplied, a non-default
+[=pre-specified report parameters/filtering ID max bytes=] is specified, or a
+[=pre-specified report parameters/requested max contributions=] is specified,
+the API makes the number of reports sent deterministic (sending 'null reports'
+if necessary — each containing only a contribution with a value of 0 in the
+payload). Additional mitigations may also be possible in the future, e.g. adding
+noise to the report count.
 
 ### Protecting against leaks via payload size ### {#protecting-against-leaks-via-payload-size}