Chromium Embedder - Greased B&A Support Header

[Brandr0id]

@michaelkleber, @JensenPaul

One of the things we've added in the Ad Selection API is a platform header to indicate to the B&A seller side what capabilities the client (browser) requires for a private auction to occur.

Example:

Sec-Auction-Platform-Support: "Microsoft Edge";min-version="3.11.0.0", "Not;A=Brand";min-version="3.10.0.0"

Can we add this to the Chromium impl as a way for any seller to understand what platform support they would need to handle a given auction? We feel this would help with both different potential server images as well as provide a mechanism as the API and underlying auction data structure evolves if there are any breaking changes or required additions that old versions may not be compatible with.

Once we align on if/what is to be added happy to move this over to a crbug and/or have patches put up to allow any embedder to specify platform details.

[michaelkleber]

I don't understand what you mean by "what capabilities the client (browser) requires for a private auction to occur". Can you say more about what party uses the header and how?

[Brandr0id]

Sure! Effectively this gets sent when a fetch or iframe request is made to the untrusted seller server in front of the SFE service. With this data a seller can determine if the request needs to go to say a Protected Audience or Ad Selection (or potentially other) SFE instance. Additionally if the browser's encrypted payload contains data only suitable for a certain version of the B&A (e.g. version 3.11.0.0 in our case is the first version) a seller can know if they haven't deployed at least that version yet the request cannot be handled properly. Presumably there will be grace periods and deprecation of API fields etc as this all evolves but as fields are removed or breaking changes occur this would let the client be explicit to the server side about the min version this auction requires to function or run successfully.

[michaelkleber]

Ah I see. But then why would you want this to be an HTTP header? This should only be sent with very specific requests, but it seems to me like the browser wouldn't even know which requests these are.

[Brandr0id]

Ahh yeah, sorry to clarify we'd ideally want to scope this to where the current B&A APIs interact with the Fetch JS API and iframe element via the adAuctionHeaders request attribute and element attribute. Currently to handle a server auction in runAdAuction the browser must observe the response and reference the request seen/sent by the browser. This is gated by the adAuctionHeaders attribute so we have a good gate as to when the browser is issuing an HTTP request that is tied to a remote server auction.