🌐 Protected Audience (formerly FLEDGE)

1. Introduction

This section is non-normative.

The Protected Audience API facilitates selecting an advertisement to display to a user based on a previous interaction with the advertiser or advertising network.

When a user’s interactions with an advertiser indicate an interest in something, the advertiser can ask the browser to record this interest on-device by calling navigator.joinAdInterestGroup(). Later, when a website wants to select an advertisement to show to the user, the website can call navigator.runAdAuction() to ask the browser to conduct an auction where each of these on-device recorded interests are given the chance to calculate a bid to display their advertisement.

2. Joining Interest Groups

This first introductory paragraph is non-normative.

When a user’s interactions with a website indicate that the user may have a particular interest, an advertiser or someone working on behalf of the advertiser (e.g. a demand side platform, DSP) can ask the user’s browser to record this interest on-device by calling navigator.joinAdInterestGroup(). This indicates an intent to display an advertisement relevant to this interest to this user in the future. The user agent has an interest group set, a list of interest groups in which owner / name pairs are unique.

2.1. joinAdInterestGroup()

TODO: Currently, several of the IDL fields in AuctionAdInterestGroup are specified to use USVString rather than DOMString, only because the initial implementation currently does. This may contradict the recommended use of DOMString. (WICG/turtledove#1250)

[SecureContext]
partial interface Navigator {
  Promise<undefined> joinAdInterestGroup(AuctionAdInterestGroup group);
};

dictionary AuctionAd {
  required USVString renderURL;
  USVString sizeGroup;
  any metadata;

  USVString buyerReportingId;
  USVString buyerAndSellerReportingId;
  sequence<USVString> selectableBuyerAndSellerReportingIds;
  sequence<USVString> allowedReportingOrigins;
  DOMString adRenderId;
  USVString creativeScanningMetadata;
};

dictionary AuctionAdInterestGroupSize {
  required USVString width;
  required USVString height;
};

dictionary GenerateBidInterestGroup {
  required USVString owner;
  required USVString name;

  boolean enableBiddingSignalsPrioritization = false;
  record<DOMString, double> priorityVector;

  record<USVString, sequence<DOMString>> sellerCapabilities;
  DOMString executionMode = "compatibility";
  USVString biddingLogicURL;
  USVString biddingWasmHelperURL;
  USVString updateURL;
  USVString trustedBiddingSignalsURL;
  sequence<USVString> trustedBiddingSignalsKeys;
  DOMString trustedBiddingSignalsSlotSizeMode = "none";
  long maxTrustedBiddingSignalsURLLength;
  USVString trustedBiddingSignalsCoordinator;
  any userBiddingSignals;
  sequence<AuctionAd> ads;
  sequence<AuctionAd> adComponents;
  record<DOMString, AuctionAdInterestGroupSize> adSizes;
  record<DOMString, sequence<DOMString>> sizeGroups;
};

dictionary ProtectedAudiencePrivateAggregationConfig {
  USVString aggregationCoordinatorOrigin;
};

dictionary AuctionAdInterestGroup : GenerateBidInterestGroup {
  double priority = 0.0;
  record<DOMString, double> prioritySignalsOverrides;
  required double lifetimeMs;
  DOMString additionalBidKey;
  ProtectedAudiencePrivateAggregationConfig privateAggregationConfig;
};

AuctionAdInterestGroup is used by navigator.joinAdInterestGroup(), and when an interest group is stored to interest group set. priority and prioritySignalsOverrides are not passed to generateBid() because they can be modified by generatedBid() calls, so could theoretically be used to create a cross-site profile of a user accessible to generateBid() methods, otherwise. lifetimeMs is not passed to generateBid() because it’s ambiguous what should be passed: the lifetime when the group was joined, or the remaining lifetime. Providing the remaining lifetime would also potentially give access to more granular timing information than the API would otherwise allow, when state is shared across interest groups.

The joinAdInterestGroup(group) method steps are:

Temporarily, Chromium does not include the required keyword for lifetimeMs, and instead starts this algorithm with the step

If group["lifetimeMs"] does not exist, throw a TypeError.

This is detectable because it can change the set of fields that are read from the argument when a TypeError is eventually thrown, but it will never change whether the call succeeds or fails.

Let global be this’s relevant global object.
If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "NotAllowedError" DOMException.
Let settings be this’s relevant settings object.
Assert that settings’s origin is not an opaque origin and its scheme is "https".
Let interestGroup be a new interest group.

Validate the given group and set interestGroup’s fields accordingly.

Set interestGroup’s expiry to the current coarsened wall time plus group["lifetimeMs"] milliseconds.
Set interestGroup’s next update after to the current coarsened wall time plus 24 hours.
Set interestGroup’s last updated to the current coarsened wall time.
Set interestGroup’s owner to the result of parsing an https origin on group["owner"].
If interestGroup’s owner is failure, then throw a TypeError.
Optionally, throw a "NotAllowedError" DOMException.

Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the owner’s site not being enrolled.
Set interestGroup’s name to group["name"].
Set interestGroup’s priority to group["priority"].
Set interestGroup’s enable bidding signals prioritization to group["enableBiddingSignalsPrioritization"].
If group["priorityVector"] exists, then set interestGroup’s priority vector to group["priorityVector"].
If group["prioritySignalsOverrides"] exists, then set interestGroup’s priority signals overrides to group["prioritySignalsOverrides"].
If group["privateAggregationConfig"] exists:
1. Let aggregationCoordinator be the result of obtaining the coordinator from a Private Aggregation config given group["privateAggregationConfig"].
2. If aggregationCoordinator is a DOMException, then throw aggregationCoordinator.
3. Set interestGroup’s Private Aggregation coordinator to aggregationCoordinator.
If group["sellerCapabilities"] exists, for each sellerString → capabilities of group["sellerCapabilities"]:
1. Let sellerCapabilities be a new set of seller capabilities.
2. For each capabilityString of capabilities:
  1. If capabilityString is "interest-group-counts" or "latency-stats", then append capabilityString to sellerCapabilities.
    
    Note: For forward compatibility with new values, don’t throw.
3. If sellerString is "*", then set interestGroup’s all sellers capabilities to sellerCapabilities.
4. Otherwise:
  1. If interestGroup’s seller capabilities is null, then set interestGroup’s seller capabilities to a new ordered map whose keys are origins and whose values are sets of seller capabilities.
  2. Let sellerUrl be the result of running the URL parser on sellerString.
  3. If sellerUrl is not failure:
    1. Let seller be sellerUrl’s origin.
    2. If interestGroup’s seller capabilities does not contain seller, then set interestGroup’s seller capabilities[seller] to sellerCapabilities.
If group["executionMode"] is "compatibility", "frozen-context", or "group-by-origin", then set interestGroup’s execution mode to it.

For each groupMember and interestGroupField in the following table

Group member	Interest group field
"`biddingLogicURL`"	bidding url
"`biddingWasmHelperURL`"	bidding wasm helper url
"`updateURL`"	update url

If group contains groupMember:
1. Let parsedUrl be the result of running parse and verify a bidding code or update URL on group[groupMember] and interestGroup’s owner.
2. If parsedUrl is failure, then throw a TypeError.
3. Set interestGroup’s interestGroupField to parsedUrl.

If group["trustedBiddingSignalsURL"] exists:
1. Let parsedUrl be the result of running parse and verify a trusted signals URL on group[trustedBiddingSignalsURL].
2. If parsedUrl is failure, then throw a TypeError.
3. Set interestGroup’s trusted bidding signals url to parsedUrl.
If group["trustedBiddingSignalsKeys"] exists, then set interestGroup’s trusted bidding signals keys to group["trustedBiddingSignalsKeys"].
If group["maxTrustedBiddingSignalsURLLength"] exists:
1. If group["maxTrustedBiddingSignalsURLLength"] ≥ 0, set interestGroup’s max trusted bidding signals url length to group["maxTrustedBiddingSignalsURLLength"], otherwise throw a TypeError.
If group["trustedBiddingSignalsCoordinator"] exists:
1. Let parsedCoordinator be the result of parsing an https origin on group["trustedBiddingSignalsCoordinator"].
2. If parsedCoordinator is failure, then throw a TypeError.
3. Set interestGroup’s trusted bidding signals coordinator to parsedCoordinator.
If group["userBiddingSignals"] exists:
1. Set interestGroup’s user bidding signals to the result of serializing a JavaScript value to a JSON string, given group["userBiddingSignals"]. This can throw a TypeError.
If group["trustedBiddingSignalsSlotSizeMode"] is one of "none", "slot-size", or "all-slots-requested-sizes", set interestGroup’s trusted bidding signals slot size mode to group["trustedBiddingSignalsSlotSizeMode"].
Let adSizes be a new map whose keys are strings and values are ad sizes.
If group["adSizes"] exists:
1. For each sizeName → size of group["adSizes"]:
  1. If sizeName is "", throw a TypeError.
  2. Let parsedSize be the result from running parse an AdRender ad size with size.
  3. If parsedSize is null, throw a TypeError.
  4. Set adSizes[sizeName] to parsedSize.
2. Set interestGroup’s ad sizes to adSizes.
Let sizeGroups be a new map whose keys are strings and values are lists of strings
If group["sizeGroups"] exists:
1. For each sizeGroupName → sizeList of group["sizeGroups"]:
  1. If sizeGroupName is "", throw a TypeError.
  2. For each sizeName of sizeList:
    1. If sizeName is "" or adSizes[sizeName] does not exist, throw a TypeError.
  3. Set sizeGroups[sizeGroupName] to sizeList.
2. Set interestGroup’s size groups to sizeGroups.

For each groupMember and interestGroupField in the following table

Group member	Interest group field
"`ads`"	ads
"`adComponents`"	ad components

If group contains groupMember, for each ad of group[groupMember]:
1. Let igAd be a new interest group ad.
2. Let renderURL be the result of running the URL parser on ad["renderURL"].
3. Throw a TypeError if any of the following conditions hold:
  - renderURL is failure;
  - renderURL scheme is not "https";
  - renderURL includes credentials.
4. Set igAd’s render url to renderURL.
5. If ad["sizeGroup"] exists:
  1. Let sizeGroup be ad["sizeGroup}].
  2. Throw a TypeError if none of the following conditions hold:
    - adSizes[sizeGroup] exists.
    - sizeGroups[sizeGroup] exists.
  3. Set igAd’s size group to sizeGroup.
6. If ad["metadata"] exists, then let igAd’s metadata be the result of serializing a JavaScript value to a JSON string, given ad["metadata"]. This can throw a TypeError.
7. If ad["adRenderId"] exists:
  1. If ad["adRenderId"]'s length > 12, throw a TypeError.
  2. If any code point in ad["adRenderId"] is not an ASCII code point, throw a TypeError.
  3. Set igAd’s ad render id to ad["adRenderId"].
8. If ad["creativeScanningMetadata"] exists, then set igAd’s creative scanning metadata to it.
9. If groupMember is "ads":
  1. If ad["buyerReportingId"] exists, then set igAd’s buyer reporting ID to it.
  2. If ad["buyerAndSellerReportingId"] exists, then set igAd’s buyer and seller reporting ID to it.
  3. If ad["selectableBuyerAndSellerReportingIds"] exists, then set igAd’s selectable buyer and seller reporting IDs to it.
  4. If ad["allowedReportingOrigins"] exists:
    1. Let allowedReportingOrigins be a new list of origins.
    2. For each originStr in ad["allowedReportingOrigins"]:
      1. Let origin be the result of parsing an https origin on originStr.
      2. If origin is failure, then throw a TypeError.
      3. Append origin to allowedReportingOrigins.
      4. If allowedReportingOrigins’s size > 10, throw a TypeError.
    3. Set igAd’s allowed reporting origins to allowedReportingOrigins.
10. Append igAd to interestGroup’s interestGroupField.

If group["additionalBidKey"] exists:
1. Let decodedKey be the result of running forgiving-base64 decode with group["additionalBidKey"].
2. Throw a TypeError if any of the following conditions hold:
  - decodedKey is a failure;
  - decodedKey’s length is not 32;
  - group["ads"] exists;
  - group["updateURL"] exists.
3. Set interestGroup’s additional bid key to decodedKey.

If interestGroup’s estimated size > 1048576 bytes, then throw a TypeError.
Let p be a new promise.
Let queue be the result of starting a new parallel queue.
Enqueue the following steps to queue:
1. Let permission be the result of checking interest group permissions with interestGroup’s owner, settings, and "join".
2. If permission is false, then queue a global task on DOM manipulation task source, given global, to reject p with a "NotAllowedError" DOMException and abort these steps.
3. Queue a global task on DOM manipulation task source, given global, to resolve p with undefined.
4. If the browser is currently storing an interest group with owner and name that matches interestGroup, then set the bid counts, join counts, and previous wins of interestGroup to the values of the currently stored one and remove the currently stored one from the browser.
5. Set interestGroup’s joining origin to this’s relevant settings object’s top-level origin.
6. Set interestGroup’s join time to the current coarsened wall time.
7. If the most recent entry in interestGroup’s join counts corresponds to the current day in UTC, increment its count. If not, insert a new tuple the time set to the current UTC day and a count of 1.
8. Store interestGroup in the user agent’s interest group set.
9. Run update k-anonymity cache for interest group for interestGroup.
Return p.

2.2. Interest Group Storage Maintenance

There is a job that periodically performs storage maintenance on the user agent’s interest group set. It performs operations such as removing expired or excess interest groups. An interest group set must respect the following limits. Implementations may define their own values for the below constants, however we supply the below values as a starting point, inspired by what the initial implementation of this specification uses:

Interest group set max owners is 1000, which defines the max number of owners in the user agent’s interest group set.
Max regular interest groups per owner is 2000, which defines the max number of regular interest groups in the user agent’s interest group set for an owner.
Max negative interest groups per owner is 20000, which defines the max number of negative interest groups in the user agent’s interest group set for an owner.
Max interest groups total size per owner is 10*1024*1024, which defines the max total sizes of interest groups in the user agent’s interest group set for an owner. It includes both regular interest groups and negative interest groups.

To perform storage maintenance:

Let ownersAndExpiry be a new ordered map whose keys are origins and values are moments.

Note: The key is from owner, and value is from expiry. It’s used to determine a set of owners whose interest groups will be removed from the user agent’s interest group set because the number of distinct owners exceeds the Interest group set max owners limit. It’s sorted based on their values (expiry) in descending order, in order to remove interest groups of owners expiring soonest first.
Let now be the current coarsened wall time.
For each ig of the user agent’s interest group set:
1. Let owner be ig’s owner.
2. If ig’s expiry is before now, then remove ig from the user agent’s interest group set and continue.
3. If ownersAndExpiry[owner] exists, then set ownersAndExpiry[owner] to ig’s expiry if it comes after ownersAndExpiry[owner].
4. Otherwise, set ownersAndExpiry[owner] to ig’s expiry.
If ownersAndExpiry’s size > interest group set max owners, then set ownersAndExpiry to ownersAndExpiry sorted in descending order with a being less than b if a’s value comes before b’s value, where values are expiry.
Let owners be the keys of ownersAndExpiry.
For each i in the range from 0 to owners’s size, exclusive:
1. If i ≥ interest group set max owners, then remove interest groups from the user agent’s interest group set whose owner is owners[i], and continue.
2. Let regularIgs be a list of regular interest groups in the user agent’s interest group set whose owner is owners[i].
3. If regularIgs’s size > max regular interest groups per owner, then clear excess interest groups with regularIgs and max regular interest groups per owner.
4. Let negativeIgs be a list of negative interest groups in the user agent’s interest group set whose owner is owners[i].
5. If negativeIgs’s size > max negative interest groups per owner, then clear excess interest groups with negativeIgs and max negative interest groups per owner.
For each owner of owners:
1. Let igs be a list of interest groups in the user agent’s interest group set whose owner is owner, sorted in descending order with a being less than b if a’s expiry comes before b’s expiry.
2. Let cumulativeSize be 0.
3. For each ig of igs:
  1. If the sum of cumulativeSize and ig’s estimated size > max interest groups total size per owner, then remove ig from the user agent’s interest group set.
  2. Otherwise, increment cumulativeSize by ig’s estimated size.

To clear excess interest groups with a list of interest groups igs, and an integer maxIgs:

Let sortedIgs be igs sorted in descending order with a being less than b if a’s expiry comes before b’s expiry.

Note: In order to remove interest groups expiring soonest first, sort interest groups based on their expiry in descending order.
For each i in the range from maxIgs to igs’s size, exclusive:
1. Remove sortedIgs[i] from the user agent’s interest group set.

3. Leaving Interest Groups

3.1. leaveAdInterestGroup()

This first introductory paragraph is non-normative.

navigator.leaveAdInterestGroup() removes a user from a particular interest group.

[SecureContext]
partial interface Navigator {
  Promise<undefined> leaveAdInterestGroup(optional AuctionAdInterestGroupKey group = {});
};

dictionary AuctionAdInterestGroupKey {
  required USVString owner;
  required USVString name;
};

The leaveAdInterestGroup(group) method steps are:

Let global be this’s relevant global object.
Let settings be this’s relevant settings object.
Let frameOrigin be settings’s origin.
Assert that frameOrigin is not an opaque origin and its scheme is "https".
Let p be a new promise.
If group is empty:
1. Let instance be global’s browsing context’s fenced frame config instance.
2. If instance is null, then return.
3. Let interestGroup be instance’s interest group descriptor.
4. Run these steps in parallel:
  1. Queue a global task on DOM manipulation task source, given global, to resolve p with undefined.
  2. If interestGroup is not null:
    1. Let owner be interestGroup’s owner.
    2. If owner is same origin with frameOrigin, then remove interest groups from the user agent’s interest group set whose owner is owner and name is interestGroup’s name.
Otherwise:
1. If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "NotAllowedError" DOMException.
  
  Note: Both joining and leaving interest groups use the "join-ad-interest-group" feature.
2. Let owner be the result of parsing an https origin with group["owner"].
3. If owner is failure, throw a TypeError.
4. Run these steps in parallel:
  1. Let permission be the result of checking interest group permissions with owner, settings, and "leave".
  2. If permission is false, then queue a global task on DOM manipulation task source, given global, to reject p with a "NotAllowedError" DOMException and abort these steps.
  3. Queue a global task on DOM manipulation task source, given global, to resolve p with undefined.
  4. Remove interest groups from the user agent’s interest group set whose owner is owner and name is group["name"].
Return p.

3.2. clearOriginJoinedAdInterestGroups()

This first introductory paragraph is non-normative.

navigator.clearOriginJoinedAdInterestGroups() removes a user from interest groups whose joining origin is the associated Navigator’s relevant settings object’s top-level origin.

[SecureContext]
partial interface Navigator {
  Promise<undefined> clearOriginJoinedAdInterestGroups(
      USVString owner, optional sequence<USVString> interestGroupsToKeep = []);
};

The clearOriginJoinedAdInterestGroups(owner, interestGroupsToKeep) method steps are:

Let settings be this’s relevant settings object.
Let frameOrigin be settings’s origin.
Assert that frameOrigin is not an opaque origin and its scheme is "https".
Let p be a new promise.
Let global be this’s relevant global object.
If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "NotAllowedError" DOMException.

Note: Both joining and leaving interest groups use the "join-ad-interest-group" feature.
Let ownerOrigin be the result of parsing an https origin with owner.
If ownerOrigin is failure, throw a TypeError.
Run these steps in parallel:
1. Let permission be the result of checking interest group permissions with ownerOrigin, settings, and "leave".
2. If permission is false, then queue a global task on the DOM manipulation task source given global, reject p with a "NotAllowedError" DOMException and abort these steps.
3. Queue a global task on the DOM manipulation task source given global, to resolve p with undefined.
4. Remove interest groups from the user agent’s interest group set whose owner is ownerOrigin, whose joining origin is frameOrigin, and whose name is not in interestGroupsToKeep.
Return p.

4. Running Ad Auctions

This first introductory paragraph is non-normative.

When a website or someone working on behalf of the website (e.g. a supply side platform, SSP) wants to conduct an auction to select an advertisement to display to the user, they can call the navigator.runAdAuction() function, providing an auction configuration that tells the browser how to conduct the auction and which on-device recorded interests are allowed to bid in the auction for the chance to display their advertisement.

4.1. runAdAuction()

[SecureContext]
partial interface Navigator {
  Promise<(USVString or FencedFrameConfig)?> runAdAuction(AuctionAdConfig config);
  readonly attribute boolean deprecatedRunAdAuctionEnforcesKAnonymity;
};

dictionary AuctionReportBuyersConfig {
  required bigint bucket;
  required double scale;
};

dictionary AuctionReportBuyerDebugModeConfig {
  boolean enabled = false;

  // Must only be provided if `enabled` is true.
  bigint? debugKey;
};

dictionary AuctionRealTimeReportingConfig {
  required DOMString type;
};

dictionary AuctionAdConfig {
  required USVString seller;
  required USVString decisionLogicURL;

  USVString trustedScoringSignalsURL;
  long maxTrustedScoringSignalsURLLength;
  USVString trustedScoringSignalsCoordinator;
  boolean sendCreativeScanningMetadata;
  sequence<USVString> interestGroupBuyers;
  Promise<any> auctionSignals;
  Promise<any> sellerSignals;
  Promise<DOMString?> directFromSellerSignalsHeaderAdSlot;
  Promise<record<USVString, USVString>?> deprecatedRenderURLReplacements;
  unsigned long long sellerTimeout;
  unsigned short sellerExperimentGroupId;
  Promise<record<USVString, any>?> perBuyerSignals;
  Promise<record<USVString, unsigned long long>?> perBuyerTimeouts;
  Promise<record<USVString, unsigned long long>?> perBuyerCumulativeTimeouts;
  unsigned long long reportingTimeout;
  USVString sellerCurrency;
  Promise<record<USVString, USVString>?> perBuyerCurrencies;
  record<USVString, unsigned short> perBuyerMultiBidLimits;
  record<USVString, unsigned short> perBuyerGroupLimits;
  record<USVString, unsigned short> perBuyerExperimentGroupIds;
  record<USVString, record<USVString, double>> perBuyerPrioritySignals;

  sequence<bigint> auctionReportBuyerKeys;
  record<DOMString, AuctionReportBuyersConfig> auctionReportBuyers;
  AuctionReportBuyerDebugModeConfig auctionReportBuyerDebugModeConfig;
  sequence<DOMString> requiredSellerCapabilities;
  ProtectedAudiencePrivateAggregationConfig privateAggregationConfig;

  record<DOMString, DOMString> requestedSize;
  sequence<record<DOMString, DOMString>> allSlotsRequestedSizes;
  Promise<undefined> additionalBids;
  DOMString auctionNonce;
  AuctionRealTimeReportingConfig sellerRealTimeReportingConfig;
  record<USVString, AuctionRealTimeReportingConfig> perBuyerRealTimeReportingConfig;
  sequence<AuctionAdConfig> componentAuctions = [];
  AbortSignal? signal;
  Promise<boolean> resolveToConfig;

  Promise<Uint8Array> serverResponse;
  USVString requestId;
};

Note: To help with ease of adoption, the browser will support the attribute navigator.deprecatedRunAdAuctionEnforcesKAnonymity while k-anonymity enforcement is being rolled out. This attribute is true when navigator.runAdAuction() enforces § 7 K-anonymity when running an auction and false otherwise. The attribute is not useful once k-anonymity enforcement is fully rolled out, and hence this attribute will be deprecated and removed some time after this point. See https://developers.google.com/privacy-sandbox/relevance/protected-audience-api/k-anonymity for more up to date information.

The runAdAuction(config) method steps are:

Let global be this’s relevant global object.
Let settings be this’s relevant settings object.
If global’s associated Document is not allowed to use the "run-ad-auction" policy-controlled feature, then throw a "NotAllowedError" DOMException.
Let privateAggregationAllowed be the result of determining whether global’s associated Document is allowed to use the "private-aggregation" policy-controlled feature.
Let auctionConfig be the result of running validate and convert auction ad config with config and true.
If auctionConfig is failure, then throw a TypeError.
Optionally, throw a "NotAllowedError" DOMException.

Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the seller’s site not being enrolled.
Let p be a new promise.
Let configMapping be global’s associated Document’s node navigable’s traversable navigable’s fenced frame config mapping.
Let pendingConfig be the result of constructing a pending fenced frame config with auctionConfig.
Let urn be the result of running store a pending config on configMapping with pendingConfig.
If urn is failure, then resolve p with null and return p.
Let bidIgs be a new list of interest groups.
If config["signal"] exists, then:
1. Let signal be config["signal"].
2. If signal is aborted, then reject p with signal’s abort reason and return p.
3. Otherwise add the following abort steps to signal:
  1. Set auctionConfig’s aborted to true.
  2. Set auctionConfig’s abort reason to signal’s abort reason.
  3. For each auction in auctionConfig’s component auctions:
    1. Set auction’s aborted to true.
Assert that settings’s origin is not an opaque origin and its scheme is "https".
Let queue be the result of starting a new parallel queue.
Enqueue the following steps to queue:
1. Let reportingContextMap be the result of creating a reporting context map given auctionConfig and privateAggregationAllowed.
2. If auctionConfig’s server response is not null:
  1. Let winnerInfo be the result of running parse and validate server response with auctionConfig, null, global, bidIgs, and reportingContextMap.
3. Otherwise:
  1. Let realTimeContributionsMap be a new real time reporting contributions map.
  2. Let winnerInfo be the result of running generate and score bids with auctionConfig, null, global, bidIgs, reportingContextMap, and realTimeContributionsMap.
4. Let auctionReportInfo be a new auction report info.
5. If winnerInfo is not failure, then:
  1. Set auctionReportInfo to the result of running collect forDebuggingOnly reports with reportingContextMap, auctionConfig’s seller, and winnerInfo.
  2. Set auctionReportInfo’s real time reporting contributions map to realTimeContributionsMap.
6. If auctionConfig’s aborted is true:
  1. Queue a global task on the DOM manipulation task source, given global, to reject p with auctionConfig’s abort reason.
7. Otherwise if winnerInfo is failure, then queue a global task on DOM manipulation task source, given global, to reject p with a "TypeError".
8. Otherwise if winnerInfo is null or winnerInfo’s leading bid is null:
  1. Queue a global task on DOM manipulation task source, given global, to resolve p with null.
  2. For each reportUrl of auctionReportInfo’s debug loss report urls:
    1. Send report with reportUrl and settings.
  3. Send real time reports with auctionReportInfo’s real time reporting contributions map and settings.
  4. Process the Private Aggregation contributions given auctionConfig, reportingContextMap.
9. Otherwise:
  1. Let winner be winnerInfo’s leading bid.
  2. Let fencedFrameConfig be the result of filling in a pending fenced frame config with pendingConfig, auctionConfig, reportingContextMap, winnerInfo, auctionReportInfo, and settings.
  3. Finalize a pending config on configMapping with urn and fencedFrameConfig.
  4. Wait until auctionConfig’s resolve to config is a boolean.
  5. Let result be fencedFrameConfig.
  6. If auctionConfig’s resolve to config is false, then set result to urn.
  7. Queue a global task on the DOM manipulation task source, given global, to resolve p with result.
  8. Run update previous wins with winner.
10. Run interest group update with auctionConfig’s interest group buyers and settings’s policy container.
11. Run update bid counts with bidIgs.
Return p.

To construct a pending fenced frame config given an auction config config:

Return a fenced frame config with the following items:

mapped url

a struct with the following items:

value

"about:blank"

visibility

"opaque"

container size

the result of

converting config’s requested size to pixel values (WICG/turtledove#986)

content size

null

interest group descriptor

a struct with the following items:

value

a struct with the following items:

owner

""

name

""

visibility

"opaque"

on navigate callback

null

effective sandboxing flags

a struct with the following items:

value

TODO: fill this in once fenced frame sandbox flags are more fully specified

visibility

"opaque"

effective enabled permissions

a struct with the following items:

value

«"attribution-reporting", "private-aggregation", "shared-storage", "shared-storage-select-url"»

visibility

"opaque"

fenced frame reporting metadata

null

exfiltration budget metadata

null

nested configs

a struct with the following items:

value

an empty list «»

visibility

"opaque"

embedder shared storage context

null

To fill in a pending fenced frame config given a fenced frame config pendingConfig, auction config auctionConfig, reporting context map reportingContextMap, leading bid info winningBidInfo, auction report info auctionReportInfo, and an environment settings object settings:

Let winningBid be winningBidInfo’s leading bid.
Let replacements be an ordered map whose keys are strings and whose values are strings.
For each replacement in auctionConfig’s deprecated render url replacements:
1. Let k be replacement’s match.
2. Let v be replacement’s replacement.
3. Set replacements[k] to v.
Let replacedAdURL be the result of running substitute macros with replacements and winningBid’s ad descriptor’s url.
Set pendingConfig’s mapped url’s value to replacedAdURL.
Let adSize be winningBid’s ad descriptor’s size.
Let concreteAdSize be the result of

resolving screen-relative sizes to pixel values for adSize. (WICG/turtledove#986)
Let adWidthString and adHeightString be the result of

converting concreteAdSize to strings. (WICG/turtledove#986)
Let sizeMacroMap be the ordered map «[ "{%AD_WIDTH%}" → adWidthString, "{%AD_HEIGHT%}" → adHeightString, "${AD_WIDTH}" → adWidthString, "${AD_HEIGHT}" → adHeightString]»
Set pendingConfig’s mapped url’s value to the result of substituting macros with sizeMacroMap into winningBid’s ad descriptor’s url.
If adSize is not null:
1. Set pendingConfig’s content size to a struct with the following items:
  
  value
  
  concreteAdSize.
  
  Cast concreteAdSize into the format that is eventually chosen for value. (WICG/turtledove#986)
  
  visibility
  
  "opaque"
Set pendingConfig’s interest group descriptor’s value to a struct with the following items:

owner

winningBid’s interest group’s owner

name

winningBid’s interest group’s name
Let fencedFrameReportingMap be the map «[ "buyer" → «», "seller" → «» ]».
If auctionConfig’s component auctions is empty, then set fencedFrameReportingMap["component-seller"] to an empty list «».
Set pendingConfig’s fenced frame reporting metadata to a struct with the following items:

value

A struct with the following items:

fenced frame reporting map

fencedFrameReportingMap

direct seller is seller

true if auctionConfig’s component auctions is empty, false otherwise

allowed reporting origins

winningBid’s bid ad’s allowed reporting origins

visibility

"opaque"
Set pendingConfig’s on navigate callback to an algorithm with these steps:
1. Asynchronously finish reporting with pendingConfig’s fenced frame reporting metadata’s value’s fenced frame reporting map, auctionConfig, reportingContextMap, winningBidInfo, auctionReportInfo and settings.
Let adComponentDescriptorsWithReplacements be a new list of ad descriptors.
If winningBid’s ad component descriptors is not null:
1. For each adComponentDescriptor of winningBid’s ad component descriptors:
  1. Let descriptorWithReplacement be a new ad descriptor.
  2. Set descriptorWithReplacement’s size to adComponentDescriptor’s size.
  3. Set descriptorWithReplacement’s url to the result of running substitute macros with replacements and adComponentDescriptor’s url.
  4. Append descriptorWithReplacement to adComponentDescriptorsWithReplacements.
Set pendingConfig’s nested configs’s value to the result of running create nested configs with adComponentDescriptorsWithReplacements.
Return pendingConfig.

To asynchronously finish reporting given a fenced frame reporting map reportingMap, auction config auctionConfig, reporting context map reportingContextMap, leading bid info leadingBidInfo, auction report info auctionReportInfo, and an environment settings object settings:

Increment a winning bid’s k-anonymity count given leadingBidInfo’s leading bid.
If leadingBidInfo’s leading non-k-anon-enforced bid is not null, and leadingBidInfo’s leading non-k-anon-enforced bid’s reporting id ≠ leadingBidInfo’s leading bid’s reporting id, increment a winning bid’s k-anonymity count given leadingBidInfo’s leading non-k-anon-enforced bid.
Let buyerDone, sellerDone, and componentSellerDone be booleans, initially false.
If leadingBidInfo’s component seller is null, set componentSellerDone to true.
While:
1. If buyerDone, sellerDone, and componentSellerDone are all true, then break.
2. Wait until one of the following fields of leadingBidInfo being not null:
3. If buyerDone is false and leadingBidInfo’s buyer reporting result is not null:
  1. Let buyerMap be leadingBidInfo’s buyer reporting result’s reporting beacon map.
  2. If buyerMap is null, set buyerMap to an empty map «[]».
  3. Let macroMap be leadingBidInfo’s buyer reporting result’s reporting macro map.
  4. Finalize a reporting destination with reportingMap, buyer, buyerMap, and macroMap.
  5. Send report with leadingBidInfo’s buyer reporting result’s report url and settings.
  6. Set buyerDone to true.
4. If sellerDone is false and leadingBidInfo’s seller reporting result is not null:
  1. Let sellerMap be leadingBidInfo’s seller reporting result’s reporting beacon map.
  2. If sellerMap is null, set sellerMap to an empty map «[]».
  3. Finalize a reporting destination with reportingMap, seller, and sellerMap.
  4. Send report with leadingBidInfo’s seller reporting result’s report url and settings.
  5. Set sellerDone to true.
5. If componentSellerDone is false and leadingBidInfo’s component seller reporting result is not null:
  1. Let componentSellerMap be leadingBidInfo’s component seller reporting result’s reporting beacon map.
  2. If componentSellerMap is null, set componentSellerMap to an empty map «[]».
  3. Finalize a reporting destination with reportingMap, component-seller, and componentSellerMap.
  4. Send report with leadingBidInfo’s component seller reporting result’s report url and settings.
  5. Set componentSellerDone to true.
For each reportUrl of auctionReportInfo’s debug win report urls:
1. Send report with report and settings.
For each reportUrl of auctionReportInfo’s debug loss report urls:
1. Send report with report and settings.
Send real time reports with auctionReportInfo’s real time reporting contributions map and settings.
Process the Private Aggregation contributions given auctionConfig, reportingContextMap.

To create nested configs given ad component descriptors adComponentDescriptors:

Let nestedConfigs be an empty list «».
If adComponentDescriptors is null:
1. Return nestedConfigs.
For each adComponentDescriptor of adComponentDescriptors:
1. Let fencedFrameConfig be a fenced frame config with the following items:
  
  mapped url
  
  a struct with the following items:
  
  value
  
  adComponentDescriptor’s url
  
  visibility
  
  "opaque"
  
  container size
  
  null
  
  content size
  
  If adComponentDescriptor’s size is null, then null. Otherwise, a struct with the following items:
  
  value
  
  adComponentDescriptor’s size TODO: Resolve screen-relative sizes and macros and cast this properly.
  
  visibility
  
  "opaque"
  
  interest group descriptor
  
  null
  
  on navigate callback
  
  null
  
  effective sandboxing flags
  
  a struct with the following items:
  
  value
  
  TODO: fill this in once fenced frame sandbox flags are more fully specified
  
  visibility
  
  "opaque"
  
  effective enabled permissions
  
  a struct with the following items:
  
  value
  
  «"attribution-reporting", "private-aggregation", "shared-storage", "shared-storage-select-url"»
  
  visibility
  
  "opaque"
  
  fenced frame reporting metadata
  
  null
  
  exfiltration budget metadata
  
  null
  
  nested configs
  
  a struct with the following items:
  
  value
  
  an empty list «»
  
  visibility
  
  "opaque"
  
  embedder shared storage context
  
  null
2. Append fencedFrameConfig to nestedConfigs.
Return nestedConfigs.

To validate and convert auction ad config given an AuctionAdConfig config and a boolean isTopLevel:

Assert that these steps are not running in parallel.
Let auctionConfig be a new auction config.
Let seller be the result of parsing an https origin with config["seller"].
If seller is failure, then return failure.
Set auctionConfig’s seller to seller.
If config["serverResponse"] exists:
1. If config["requestId"] does not exist, then throw a TypeError.
2. Let resolvedAndTypeChecked be the promise representing performing the following steps upon fulfillment of config["serverResponse"] with result:
  1. Set auctionConfig’s server response to the transferred result.
  2. Set auctionConfig’s server response id to config["requestId"].
3. Upon rejection of resolvedAndTypeChecked:
  1. Set auctionConfig’s server response to failure.
Note: The JavaScript code calling runAdAuction() is responsible for not resolving config["serverResponse"] until server responses have been retrieved from one or more `Ad-Auction-Result` and `Ad-Auction-Result-Nonce` headers, as resolving this Promise early would cause a race condition in which the script runners might run without the server responses that it needs. There are two ways that server responses can be retrieved.
(1) The JavaScript code issues a request whose initiator type is "fetch" and whose adAuctionHeaders option is set to true. The JavaScript code has to resolve config["serverResponse"] after the corresponding call to fetch() has resolved to a response. The JavaScript code can also choose to wait to call runAdAuction() until after the corresponding call to fetch() has resolved to a response, and can then immediately resolve config["serverResponse"];
(2) issue an iframe navigation request with the adauctionheaders content attribute set to true. In this case, the JavaScript code is retrieved as part of the iframe navigation response, at which point the JavaScript code in the iframe makes the call to runAdAuction(), and config["serverResponse"] can be specified directly without a Promise.
Otherwise:
1. If config["requestId"] exists, then throw a TypeError.
2. If config["decisionLogicURL"] does not exist, then throw a TypeError.
If config["decisionLogicURL"] exists:
1. Let decisionLogicURL be the result of running the URL parser on config["decisionLogicURL"].
2. If decisionLogicURL is failure, or it is not same origin with auctionConfig’s seller, then return failure.
3. Set auctionConfig’s decision logic url to decisionLogicURL.
If config["trustedScoringSignalsURL"] exists:
1. Let trustedScoringSignalsURL be the result of parse and verify a trusted signals URL on config["trustedScoringSignalsURL"].
2. If trustedScoringSignalsURL is failure, return failure.
3. Set auctionConfig’s trusted scoring signals url to trustedScoringSignalsURL.
If config["maxTrustedScoringSignalsURLLength"] exists:
1. If config["maxTrustedScoringSignalsURLLength"] ≥ 0, set auctionConfig’s max trusted scoring signals url length to config["maxTrustedScoringSignalsURLLength"], otherwise throw a TypeError.
If config["trustedScoringSignalsCoordinator"] exists:
1. Let parsedCoordinator be the result of parsing an https origin on config["trustedScoringSignalsCoordinator"].
2. If parsedCoordinator is failure, then throw a TypeError.
3. Set auctionConfig’s trusted scoring signals coordinator to parsedCoordinator.
If config["sendCreativeScanningMetadata"] exists:
1. Set auctionConfig’s send creative scanning metadata to config["sendCreativeScanningMetadata"].
If config["interestGroupBuyers"] exists:
1. Let buyers be a new empty list.
2. For each buyerString in config["interestGroupBuyers"]:
  1. Let buyer be the result of parsing an https origin with buyerString.
  2. If buyer is failure, then return failure.
  3. Append buyer to buyers.
3. Set auctionConfig’s interest group buyers to buyers.
If config["auctionSignals"] exists:
1. Set auctionConfig’s auction signals to config["auctionSignals"].
2. Handle an input promise in configuration given auctionConfig and auctionConfig’s auction signals:
  - To parse the value result:
    1. If result is undefined or null, set auctionConfig’s auction signals to null.
    2. Otherwise, set auctionConfig’s auction signals to the result of serializing a JavaScript value to a JSON string given result.
  - To handle an error, set auctionConfig’s auction signals to failure.
If config["requestedSize"] exists:
1. Let adSize be the result from running parse an AdRender ad size with config["requestedSize"]
2. If adSize is null, throw a TypeError.
3. Set auctionConfig’s requested size to adSize.
If config["allSlotsRequestedSizes"] exists:
1. If config["allSlotsRequestedSizes"] is empty, throw a TypeError.
2. Set auctionConfig’s all slots requested sizes to a new set.
3. For each adSizeValue in config["allSlotsRequestedSizes"]:
  1. Let adSize be the result of running parse an AdRender ad size with adSizeValue.
  2. If adSize is null, throw a TypeError.
  3. If auctionConfig’s all slots requested sizes contains adSize, throw a TypeError.
  4. Append adSize to auctionConfig’s all slots requested sizes.
4. If auctionConfig’s requested size is not null, and auctionConfig’s all slots requested sizes does not contain auctionConfig’s requested size, throw a TypeError.
If config["sellerSignals"] exists:
1. Set auctionConfig’s seller signals to config["sellerSignals"].
2. Handle an input promise in configuration given auctionConfig and auctionConfig’s seller signals:
  - To parse the value result:
    1. If result is undefined or null, set auctionConfig’s seller signals to null.
    2. Otherwise, set auctionConfig’s seller signals to the result of serializing a JavaScript value to a JSON string, given result.
  - To handle an error, set auctionConfig’s seller signals to failure.
If config["auctionNonce"] exists, then set auctionConfig’s auction nonce to the result of running get uuid from string with config["auctionNonce"].
If config["additionalBids"] exists:
1. Throw a TypeError if any of the following conditions hold:
  - config["auctionNonce"] does not exist;
  - config["interestGroupBuyers"] does not exist, or is empty;
  - config["componentAuctions"] is not empty.
2. Set auctionConfig’s expects additional bids to true.
3. Handle an input promise in configuration given auctionConfig and config["additionalBids"]:
  
  Note: The JavaScript code calling runAdAuction() is responsible for not resolving config["additionalBids"] until additional bids have been retrieved from one or more `Ad-Auction-Additional-Bid` headers, as resolving this Promise early would cause a race condition in which additional bids might not be included in the auction. There are two ways that additional bids can be retrieved.
  (1) The JavaScript code issues a request whose initiator type is "fetch" and whose adAuctionHeaders option is set to true. The JavaScript code has to resolve config["additionalBids"] after the corresponding call to fetch() has resolved to a response. The JavaScript code can also choose to wait to call runAdAuction() until after the corresponding call to fetch() has resolved to a response, and can then immediately resolve config["additionalBids"];
  (2) issue an iframe navigation request with the adauctionheaders content attribute set to true. In this case, the JavaScript code is retrieved as part of the iframe navigation response, at which point the JavaScript code in the iframe makes the call to runAdAuction(), and config["additionalBids"] can be immediately resolved.
  - To parse the value result:
    1. Set auctionConfig’s expects additional bids to false.
  - To handle an error:
    1. Set auctionConfig’s expects additional bids to failure.
If config["directFromSellerSignalsHeaderAdSlot"] exists:
1. Handle an input promise in configuration given auctionConfig and config["directFromSellerSignalsHeaderAdSlot"]:
  
  Note: The JavaScript code calling runAdAuction() is responsible for not resolving config["directFromSellerSignalsHeaderAdSlot"] until direct from seller signals have been retrieved from one or more `Ad-Auction-Signals` headers, as resolving this Promise early would cause a race condition in which the script runners might run without the direct from seller signals that it needs. There are two ways that direct from seller signals can be retrieved.
  (1) The JavaScript code issues a request whose initiator type is "fetch" and whose adAuctionHeaders option is set to true. The JavaScript code has to resolve config["directFromSellerSignalsHeaderAdSlot"] after the corresponding call to fetch() has resolved to a response. The JavaScript code can also choose to wait to call runAdAuction() until after the corresponding call to fetch() has resolved to a response, and can then immediately resolve config["directFromSellerSignalsHeaderAdSlot"];
  (2) issue an iframe navigation request with the adauctionheaders content attribute set to true. In this case, the JavaScript code is retrieved as part of the iframe navigation response, at which point the JavaScript code in the iframe makes the call to runAdAuction(), and config["directFromSellerSignalsHeaderAdSlot"] can be specified directly without a Promise.
  - To parse the value result:
    1. Set auctionConfig’s direct from seller signals header ad slot to result.
  - To handle an error:
    1. Set auctionConfig’s direct from seller signals header ad slot to failure.
If config["deprecatedRenderURLReplacements"] exists:
1. Set auctionConfig’s deprecated render url replacements to config["deprecatedRenderURLReplacements"].
2. Handle an input promise in configuration given auctionConfig and auctionConfig’s deprecated render url replacements:
  - To parse the value result:
    1. Let renderUrlReplacements be a new empty list of ad keyword replacements.
    2. If result is not null:
      1. For each replacement in result:
        
        If validate a url macro with replacement’s match returns false, then throw a TypeError.
        
        Otherwise, append replacement to renderUrlReplacements.
    3. Set auctionConfig’s deprecated render url replacements to renderUrlReplacements.
  - To handle an error, set auctionConfig’s deprecated render url replacements to failure.
If config["sellerTimeout"] exists, set auctionConfig’s seller timeout to config["sellerTimeout"] in milliseconds or 500, whichever is smaller.
Let reportingTimeout be config["reportingTimeout"] if it exists, 50 otherwise.
Set config["reportingTimeout"] to reportingTimeout in milliseconds or 5000, whichever is smaller.
If config["sellerExperimentGroupId"] exists, then set auctionConfig’s seller experiment group id to config["sellerExperimentGroupId"].
If config["sellerCurrency"] exists:
1. If the result of checking whether a string is a valid currency tag on config["sellerCurrency"] is false, then return failure.
2. Set auctionConfig’s seller currency to config["sellerCurrency"].
If config["perBuyerSignals"] exists:
1. Set auctionConfig’s per buyer signals to config["perBuyerSignals"].
2. Handle an input promise in configuration given auctionConfig and auctionConfig’s per buyer signals:
  - To parse the value result:
    1. If result is null:
      1. Set auctionConfig’s per buyer signals to null.
    2. Otherwise:
      1. Set auctionConfig’s per buyer signals to a new ordered map whose keys are origins and whose values are strings.
      2. For each key → value of result:
        
        Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a TypeError.
        
        Let signalsString be the result of serializing a JavaScript value to a JSON string, given value.
        
        Set auctionConfig’s per buyer signals[buyer] to signalsString.
  - To handle an error, set auctionConfig’s per buyer signals to failure.

For each idlTimeoutMember, perBuyerTimeoutField, allBuyersTimeoutField in the following table

IDL timeout member	Per buyer timeout field	All buyers timeout field
"`perBuyerTimeouts`"	per buyer timeouts	all buyers timeout
"`perBuyerCumulativeTimeouts`"	per buyer cumulative timeouts	all buyers cumulative timeout

If config contains idlTimeoutMember:
1. Set auctionConfig’s perBuyerTimeoutField to config[idlTimeoutMember].
2. Handle an input promise in configuration given auctionConfig and auctionConfig’s perBuyerTimeoutField:
  - To parse the value result:
    1. If result is null:
      1. Set auctionConfig’s perBuyerTimeoutField to null.
    2. Otherwise:
      1. Set auctionConfig’s perBuyerTimeoutField to a new ordered map whose keys are origins and whose values are durations in milliseconds.
      2. For each key → value of result:
        
        If perBuyerTimeoutField is "perBuyerTimeouts", and value > 500, then set value to 500.
        
        If key is "*", then set auctionConfig’s allBuyersTimeoutField to value in milliseconds, and continue.
        
        Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a TypeError.
        
        Set auctionConfig’s perBuyerTimeoutField[buyer] to value in milliseconds.
  - To handle an error, set auctionConfig’s perBuyerTimeoutField to failure.

If config["perBuyerGroupLimits"] exists, for each key → value of config["perBuyerGroupLimits"]:
1. If value is 0, then return failure.
2. If key is "*", then set auctionConfig’s all buyers group limit to value, and continue.
3. Let buyer be the result of parsing an https origin with key.
4. If buyer is failure, then return failure.
5. Set auctionConfig’s per buyer group limits[buyer] to value.
If config["perBuyerExperimentGroupIds"] exists, for each key → value of config["perBuyerExperimentGroupIds"]:
1. If key is "*", then set auctionConfig’s all buyer experiment group id to value, and continue.
2. Let buyer the result of parsing an https origin with key.
3. If buyer is failure, then return failure.
4. Set auctionConfig’s per buyer experiment group ids[buyer] to value.
If config["perBuyerMultiBidLimits"] exists, for each key → value of config["perBuyerMultiBidLimits"]:
1. If key is "*", then set auctionConfig’s all buyers multi-bid limit to value, and continue.
2. Let buyer the result of parsing an https origin with key.
3. If buyer is failure, then return failure.
4. Set auctionConfig’s per buyer multi-bid limits[buyer] to value.
If config["perBuyerPrioritySignals"] exists, for each key → value of config["perBuyerPrioritySignals"]:
1. Let signals be an ordered map whose keys are strings and whose values are double.
2. for each k → v of value:
  1. If k starts with "browserSignals.", throw a TypeError.
  2. Set signals[k] to v.
3. If key is "*", then set auctionConfig’s all buyers priority signals to value, and continue.
4. Let buyer be the result of parsing an https origin with key.
5. If buyer is failure, then return failure.
6. Set auctionConfig’s per buyer priority signals[buyer] to signals.
If config["auctionReportBuyerKeys"] exists:
1. Let interestGroupBuyers be auctionConfig’s interest group buyers.
2. If interestGroupBuyers is null, set interestGroupBuyers to a new list.
3. For each index of the range 0 to config[ "auctionReportBuyerKeys"]'s size, exclusive:
  1. Let key be config["auctionReportBuyerKeys"][index].
  2. If key is not contained in the range 0 to 2¹²⁸, exclusive, throw a TypeError.
  3. If index ≥ interestGroupBuyers’ size, continue.
    
    Note: Continue is used (instead of break) to validate all given buyer keys.
  4. Let origin be interestGroupBuyers[index].
  5. Set auctionConfig’s auction report buyer keys[origin] to key.
  Check behavior when an origin is repeated in interestGroupBuyers.
If config["auctionReportBuyers"] exists:
1. For each reportType → reportBuyerConfig of config[ "auctionReportBuyers"]:
  1. If « "interestGroupCount", "bidCount", "totalGenerateBidLatency", "totalSignalsFetchLatency" » does not contain reportType, continue.
    
    Note: No error is thrown to allow forward compatibility if additional report types are added later.
    
    Should these strings be dash delimited?
  2. If reportBuyerConfig["bucket"] is not contained in the range 0 to 2¹²⁸, exclusive, throw a TypeError.
    
    Consider validating the case where the bucket used (after summing) is too large. Currently, the implementation appears to overflow. (WICG/turtledove#1040)
  3. Set auctionConfig’s auction report buyers[reportType] to reportBuyerConfig.
If config["auctionReportBuyerDebugModeConfig"] exists:
1. Let debugModeConfig be config["auctionReportBuyerDebugModeConfig"].
2. Let enabled be debugModeConfig["enabled"].
3. Let debugKey be debugModeConfig["debugKey"].
4. If debugKey is not null:
  1. If debugKey is not contained in the range 0 to 2⁶⁴, exclusive, throw a TypeError.
  2. If enabled is false, throw a TypeError.
5. Set auctionConfig’s auction report buyer debug details to a new debug details with the items:
  
  enabled
  
  enabled
  
  key
  
  debugKey
If config["requiredSellerCapabilities"] exists:
1. Let sellerCapabilities be a new set of seller capabilities.
2. For each capabilityString of config["requiredSellerCapabilities"]:
  1. If capabilityString is "interest-group-counts" or "latency-stats", then append capabilityString to sellerCapabilities.
    
    Note: For forward compatibility with new values, don’t throw.
3. Set auctionConfig’s required seller capabilities to sellerCapabilities.
If config["privateAggregationConfig"] exists:
1. Let aggregationCoordinator be the result of obtaining the coordinator from a Private Aggregation config given config["privateAggregationConfig"].
2. If aggregationCoordinator is a DOMException, return failure.
3. Set auctionConfig’s seller Private Aggregation coordinator to aggregationCoordinator.
If config["perBuyerCurrencies"] exists:
1. Set auctionConfig’s per buyer currencies to config["perBuyerCurrencies"]
2. Handle an input promise in configuration given auctionConfig and auctionConfig’s per buyer currencies:
  - To parse the value result:
    1. If result is null:
      1. Set auctionConfig’s per buyer currencies to null.
    2. Otherwise:
      1. Set auctionConfig’s per buyer currencies to a new ordered map whose keys are origins and whose values are currency tags.
      2. for each key → value of result:
        
        If the result of checking whether a string is a valid currency tag given value is false, throw a TypeError.
        
        If key is "*", then set auctionConfig’s all buyers currency to value, and continue.
        
        Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a TypeError.
        
        Set auctionConfig’s per buyer currencies[buyer] to value.
  - To handle an error, set auctionConfig’s per buyer currencies to failure.
If config["sellerRealTimeReportingConfig"] exists:
1. If config["sellerRealTimeReportingConfig"]["type"] is "default-local-reporting", then set auctionConfig’s seller real time reporting config to "default-local-reporting".
If config["perBuyerRealTimeReportingConfig"] exists, For each key → value of config["perBuyerRealTimeReportingConfig"]:
1. Let buyer the result of parsing an https origin with key.
2. If buyer is failure, then return failure.
3. If value["type"] is "default-local-reporting", then set auctionConfig’s per buyer real time reporting config[buyer] to "default-local-reporting".
If config["componentAuctions"] is not empty:
1. If config["interestGroupBuyers"] exists and is not empty, then return failure.
2. If config["deprecatedRenderURLReplacements"] exists, then throw a TypeError.
For each component in config["componentAuctions"]:
1. If isTopLevel is false, then return failure.
2. Let componentAuction be the result of running validate and convert auction ad config with component and false.
3. If componentAuction is failure, then return failure.
4. Append componentAuction to auctionConfig’s component auctions.
Set auctionConfig’s config idl to config.
If config["resolveToConfig"] exists:
1. Let auctionConfig’s resolve to config be config["resolveToConfig"].
2. TODO: What should happen if this rejects?
3. Upon fulfillment of auctionConfig’s resolve to config with resolveToConfig, set auctionConfig’s resolve to config to resolveToConfig.
Return auctionConfig.

To validate a url macro given a string macro:

Return true if any of the following conditions hold:
- macro starts with "'${'" and ends with "'}'";
- macro starts with "'%%'" and ends with "'%%'".
Otherwise, return false.

To update bid count given a list of interest groups igs:

For each ig in igs:
1. Let loadedIg be the interest group from the user agent’s interest group set whose owner is ig’s owner and whose name is ig’s name, continue if none found.
2. If the most recent entry in loadedIg’s bid counts corresponds to the current day in UTC, increment its count. If not, insert a new tuple of the time set to the current UTC day and a count of 1.
3. Replace the interest group that has loadedIg’s owner and name in the user agent’s interest group set with loadedIg.

To update previous wins given a generated bid bid:

Let ig be bid’s interest group.
Let loadedIg be the interest group from the user agent’s interest group set whose owner is ig’s owner and whose name is ig’s name, return if none found.
Let win be a new previous win.
Set win’s time to the current coarsened wall time.
Let ad be a new interest group ad with the following items:

render url

bid’s bid ad’s render url

metadata

bid’s bid ad’s metadata

ad render ID

bid’s bid ad’s ad render ID
Set win’s ad to ad.
Append win to loadedIg’s previous wins.
Replace the interest group that has loadedIg’s owner and name in the user agent’s interest group set with loadedIg.

To build bid generators map given an auction config auctionConfig:

Let bidGenerators be a new ordered map whose keys are origins and whose values are per buyer bid generators.
Let negativeTargetInfo be a new negative target info.
For each buyer in auctionConfig’s interest group buyers:
1. For each ig of the user agent’s interest group set whose owner is buyer:
  1. Let igName be ig’s name.
  2. If ig’s additional bid key is not null:
    1. Set negativeTargetInfo[(buyer, igName)] to (ig’s joining origin, ig’s additional bid key).
  3. Continue if any of the following conditions hold:
    - ig’s bidding url is null;
    - ig’s ads is null, or is empty;
    - the result of running check if required seller capabilities are permitted with auctionConfig and ig is false.
  4. Let signalsUrl be ig’s trusted bidding signals url.
  5. Let slotSizeQueryParam be the result of calculating the ad slot size query param given ig and auctionConfig.
  6. Let joiningOrigin be ig’s joining origin.
  7. If bidGenerators does not contain buyer:
    1. Let perBuyerGenerator be a new per buyer bid generator.
    2. Let perSignalsUrlGenerator be a new per signals url bid generator.
    3. Set perSignalsUrlGenerator[joiningOrigin] to « ig ».
    4. Set perSlotSizeQueryParam[slotSizeQueryParam] to perSignalsUrlGenerator.
    5. Set perBuyerGenerator[signalsUrl] to perSlotSizeQueryParam.
    6. Set bidGenerators[buyer] to perBuyerGenerator.
    7. TODO: add a perBiddingScriptUrlGenerator layer that replaces the list of IGs with a map from biddingScriptUrl to a list of IGs.
  8. Otherwise:
    1. Let perBuyerGenerator be bidGenerators[buyer].
    2. If perBuyerGenerator does not contain signalsUrl:
      1. Let perSignalsUrlGenerator be a new per signals url bid generator.
      2. Set perSignalsUrlGenerator[joiningOrigin] to « ig ».
      3. Set perSlotSizeQueryParam[slotSizeQueryParam] to perSignalsUrlGenerator.
      4. Set perBuyerGenerator[signalsUrl] to perSlotSizeQueryParam.
    3. Otherwise:
      1. Let perSlotSizeQueryParam be perBuyerGenerator[signalsUrl].
      2. If perSlotSizeQueryParam does not contain slotSizeQueryParam:
        
        Let perSignalsUrlGenerator be a new per signals url bid generator.
        
        Set perSignalsUrlGenerator[joiningOrigin] to « ig ».
        
        Set perSlotSizeQueryParam[slotSizeQueryParam] to perSignalsUrlGenerator.
      3. Otherwise:
        
        Let perSignalsUrlGenerator be perSlotSizeQueryParam[slotSizeQueryParam].
        
        If perSignalsUrlGenerator does not contain joiningOrigin, then set perSignalsUrlGenerator[joiningOrigin] to « ig ».
        
        Otherwise, append ig to perSignalsUrlGenerator[joiningOrigin].
Return « bidGenerators, negativeTargetInfo ».

To check if required seller capabilities are permitted given an auction config auctionConfig and an interest group ig:

Let seller be auctionConfig’s seller.
Let requiredSellerCapabilities be auctionConfig’s required seller capabilities.
Return true if all of the following conditions hold:
- ig’s seller capabilities is not null;
- ig’s seller capabilities[seller] exists;
- requiredSellerCapabilities is a subset of ig’s seller capabilities[seller].
Return false.

To obtain the coordinator from a Private Aggregation config given a ProtectedAudiencePrivateAggregationConfig config, perform the following steps. They return an aggregation coordinator, null or a DOMException.

If config["aggregationCoordinatorOrigin"] does not exist, return null.
Return the result of obtaining the Private Aggregation coordinator given config["aggregationCoordinatorOrigin"].

To generate potentially multiple bids given an ordered map-or-null allTrustedBiddingSignals, and an origin-or-null crossOriginTrustedBiddingSignalsOrigin, a string auctionSignals, a BiddingBrowserSignals browserSignals, a string-or-null perBuyerSignals, a DirectFromSellerSignalsForBuyer directFromSellerSignalsForBuyer, a duration perBuyerTimeout in milliseconds, a currency tag expectedCurrency, an unsigned short multiBidLimit, an interest group ig, a reporting context reportingContext, a moment auctionStartTime, and an environment settings object settings, perform the following steps. They return a failure if failing to fetch the script or wasm, otherwise a tuple of (list of generated bids, bid debug reporting info, list of real time reporting contributions, Private Aggregation contributions, execution metrics).

Let igGenerateBid be the result of building an interest group passed to generateBid with ig.
Set browserSignals["joinCount"] to the sum of ig’s join counts for all days within the last 30 days.
Set browserSignals["recency"] to the current coarsened wall time minus ig’s join time, in milliseconds.
Set browserSignals["bidCount"] to the sum of ig’s bid counts for all days within the last 30 days.
Set browserSignals["adComponentsLimit"] to 40.
Set browserSignals["multiBidLimit"] to multiBidLimit.
Let prevWins be a new sequence<PreviousWin>.
For each prevWin of ig’s previous wins for all days within the the last 30 days:
1. Let timeDelta be auctionStartTime minus prevWin’s time.
2. Set timeDelta to 0 if timeDelta is negative, timeDelta’s nearest second (rounding down) otherwise.
3. Let prevWinAdIDL be a new AuctionAd with the following items:
  
  renderURL
  
  the serialization of prevWin’s render url
  
  metadata
  
  prevWin’s metadata
  
  adRenderId
  
  prevWin’s ad render ID
4. Let prevWinElement be the sequence<PreviousWinElement> «timeDelta, prevWinAdIDL».
5. Append prevWinElement to prevWins.
Set browserSignals["prevWinsMs"] to prevWins.
Let metrics be a new execution metrics.
Let biddingScriptFetcher be the result of creating a new script fetcher with ig’s bidding url, and settings.
Let biddingScript be the result of waiting for script body from a fetcher given biddingScriptFetcher.
Add a sample to an averager given metrics’s code fetch time averager and biddingScriptFetcher’s fetch duration.
If biddingScript is failure, return failure.
If ig’s bidding wasm helper url is not null:
1. Let wasmFetchStart be settings’s current monotonic time.
2. Let wasmModuleObject be the result of fetching WebAssembly with ig’s bidding wasm helper url and settings.
3. Let wasmFetchDuration be the duration from wasmFetchStart to settings’s current monotonic time, in milliseconds.
4. Add a sample to an averager given metrics’s code fetch time averager and wasmFetchDuration.
5. If wasmModuleObject is not failure, then set browserSignals["wasmHelper"] to wasmModuleObject.
6. Otherwise, return failure.
Let trustedBiddingSignals be null.
If allTrustedBiddingSignals is not null:
1. Assert that ig’s trusted bidding signals keys is not null.
2. Set trustedBiddingSignals to an ordered map whose keys are strings and whose values are any.
3. For each key of ig’s trusted bidding signals keys:
  1. If allTrustedBiddingSignals[key] exists, then set trustedBiddingSignals[key] to allTrustedBiddingSignals[key].
Let sameOriginTrustedBiddingSignals be null.
Let crossOriginTrustedBiddingSignals be null.
If trustedBiddingSignals is not null:
1. If crossOriginTrustedBiddingSignalsOrigin is null, then set sameOriginTrustedBiddingSignals to trustedBiddingSignals.
2. Otherwise:
  1. Set crossOriginTrustedBiddingSignals to a new ordered map whose keys are strings and whose values are any.
  2. Let originKey be the serialization of crossOriginTrustedBiddingSignalsOrigin.
  3. Set crossOriginTrustedBiddingSignalsOrigin[originKey] to trustedBiddingSignals.
Return the result of evaluating a bidding script with biddingScript, multiBidLimit, ig, reportingContext, metrics, expectedCurrency, igGenerateBid, auctionSignals, perBuyerSignals, sameOriginTrustedBiddingSignals, crossOriginTrustedBiddingSignals, browserSignals, directFromSellerSignalsForBuyer and perBuyerTimeout.

To generate and score bids given an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, a global object global, a list of interest groups bidIgs, a reporting context map reportingContextMap, and a real time reporting contributions map realTimeContributionsMap:

Assert that these steps are running in parallel.
Let settings be global’s relevant settings object.
Let policyContainer be settings’s policy container.
Let topLevelOrigin be settings’s top-level origin.
Let seller be auctionConfig’s seller.
Let auctionStartTime be the current coarsened wall time.
Let decisionLogicFetcher be the result of creating a new script fetcher with auctionConfig’s decision logic url and settings.
Let trustedScoringSignalsBatcher be the result of creating a trusted scoring signals batcher with auctionConfig’s max trusted scoring signals url length.
Let « bidGenerators, negativeTargetInfo » be the result of running build bid generators map with auctionConfig.
If auctionConfig’s aborted is true, return failure.
Let leadingBidInfo be a new leading bid info.
Let queue be the result of starting a new parallel queue.
Let capturedAuctionSignalsHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured ad auction signals headers.
If auctionConfig’s component auctions are not empty:
1. Assert topLevelAuctionConfig is null.
2. Let pendingComponentAuctions be auctionConfig’s component auctions’s size.
3. Let topLevelDirectFromSellerSignalsForSeller be null.
4. Let topLevelDirectFromSellerSignalsRetrieved be false.
5. For each component in auctionConfig’s component auctions, enqueue the following steps to queue:
  1. If component’s server response is not null:
    1. Let compWinnerInfo be the result of running parse and validate server response with component, auctionConfig, global, bidIgs, and reportingContextMap.
  2. Otherwise:
    1. Let compWinnerInfo be the result of running generate and score bids with component, auctionConfig, global, bidIgs, reportingContextMap, and realTimeContributionsMap.
  3. If recursively wait until configuration input promises resolve given auctionConfig does not return failure, and compWinnerInfo is not failure, then:
    1. If topLevelDirectFromSellerSignalsRetrieved is false:
      1. Let topLevelDirectFromSellerSignals be the result of running get direct from seller signals given seller, auctionConfig’s direct from seller signals header ad slot, and capturedAuctionSignalsHeaders.
      2. Set topLevelDirectFromSellerSignalsForSeller to the result of running get direct from seller signals for a seller given topLevelDirectFromSellerSignals.
      3. Set topLevelDirectFromSellerSignalsRetrieved to true.
    2. If compWinnerInfo’s leading bid is not null, then run score and rank a bid with auctionConfig, reportingContextMap[auctionConfig], compWinnerInfo’s leading bid, leadingBidInfo, decisionLogicFetcher, trustedScoringSignalsBatcher, null, "top-level-auction", null, topLevelOrigin, realTimeContributionsMap, and policyContainer.
    3. If compWinnerInfo’s leading non-k-anon-enforced bid is not null, then run score and rank a bid with auctionConfig, reportingContextMap[ auctionConfig], compWinnerInfo’s leading non-k-anon-enforced bid, leadingBidInfo, decisionLogicFetcher, trustedScoringSignalsBatcher, topLevelDirectFromSellerSignalsForSeller, null, "top-level-auction", null, topLevelOrigin, realTimeContributionsMap, and policyContainer.
  4. Decrement pendingComponentAuctions by 1.
6. Wait until pendingComponentAuctions is 0.
7. If auctionConfig’s aborted is true, return failure.
8. Set reportingContextMap[auctionConfig]'s local leader info to a copy of leadingBidInfo.
9. If leadingBidInfo’s leading bid is null, return null.
10. Let winningComponentConfig be leadingBidInfo’s auction config.
11. Set leadingBidInfo’s auction config to auctionConfig.
12. Set leadingBidInfo’s component seller to winningComponentConfig’s seller.
13. Let « topLevelSellerSignals, unusedTopLevelReportResultBrowserSignals » be the result of running report result with leadingBidInfo, reportingContextMap[auctionConfig], topLevelDirectFromSellerSignalsForSeller, winningComponentConfig, and global.
14. Set leadingBidInfo’s auction config to winningComponentConfig.
15. Set leadingBidInfo’s component seller to null.
16. Set leadingBidInfo’s top level seller to seller.
17. Set leadingBidInfo’s top level seller signals to topLevelSellerSignals.
18. Let directFromSellerSignals be the result of running get direct from seller signals given winningComponentConfig’s seller, winningComponentConfig’s direct from seller signals header ad slot, and capturedAuctionSignalsHeaders.
19. Let directFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given directFromSellerSignals.
20. Let directFromSellerSignalsForBuyer be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and leadingBidInfo’s leading bid’s interest group’s owner.
21. Let « sellerSignals, reportResultBrowserSignals » be the result of running report result with leadingBidInfo, reportingContextMap[winningComponentConfig], directFromSellerSignalsForSeller, null, and global.
22. Run report win with leadingBidInfo, reportingContextMap[winningComponentConfig], sellerSignals, reportResultBrowserSignals, directFromSellerSignalsForBuyer, and settings.
23. Set reportingContextMap[auctionConfig]'s winner reporting id to leadingBidInfo’s leading bid’s reporting id.
24. Set reportingContextMap[winningComponentConfig]'s winner reporting id to leadingBidInfo’s leading bid’s reporting id.
25. Return leadingBidInfo.
If waiting until configuration input promises resolve given auctionConfig returns failure, then return failure.
Let allBuyersExperimentGroupId be auctionConfig’s all buyer experiment group id.
Let allBuyersGroupLimit be auctionConfig’s all buyers group limit.
Let auctionSignals be auctionConfig’s auction signals.
Let directFromSellerSignals be the result of running get direct from seller signals given seller, auctionConfig’s direct from seller signals header ad slot, and capturedAuctionSignalsHeaders.
Let directFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given directFromSellerSignals.
Let browserSignals be a BiddingBrowserSignals.
Let topLevelHost be the result of running the host serializer on topLevelOrigin’s host.
Set browserSignals["topWindowHostname"] to topLevelHost.
Set browserSignals["seller"] to the serialization of seller.
If auctionConfig’s requested size is not null, set browserSignals["requestedSize"] to the result of running convert an ad size to a map with auctionConfig’s requested size.
Let auctionLevel be "single-level-auction".
Let reportingContext be reportingContextMap[auctionConfig].
Let componentAuctionExpectedCurrency be null.
If topLevelAuctionConfig is not null:
1. Set browserSignals["topLevelSeller"]] to the serialization of topLevelAuctionConfig’s seller.
2. Set auctionLevel to "component-auction".
3. Set componentAuctionExpectedCurrency to the result of looking up per-buyer currency with topLevelAuctionConfig and seller.
Let pendingBuyers be bidGenerators’s size.
Let additionalBids be the result of running validate and convert additional bids with auctionConfig, topLevelAuctionConfig, negativeTargetInfo, reportingContextMap and global.
Let pendingAdditionalBids be the size of additionalBids.
For each additionalBid of additionalBids, run the following steps in parallel:
1. Score and rank a bid with auctionConfig, reportingContext additionalBid’s bid, leadingBidInfo, decisionLogicFetcher, trustedScoringSignalsBatcher, directFromSellerSignalsForSeller, null, auctionLevel, componentAuctionExpectedCurrency, topLevelOrigin, realTimeContributionsMap, and policyContainer.
2. Decrement pendingAdditionalBids by 1.
For each buyer → perBuyerGenerator of bidGenerators, enqueue the following steps to queue:
1. Let cumulativeTimeoutTracker be the result of creating a cumulative timeout tracker given auctionConfig and buyer.
2. Let buyerExperimentGroupId be allBuyersExperimentGroupId.
3. Let perBuyerExperimentGroupIds be auctionConfig’s per buyer experiment group ids.
4. If perBuyerExperimentGroupIds is not null and perBuyerExperimentGroupIds[buyer] exists, then set buyerExperimentGroupId to perBuyerExperimentGroupIds[buyer].
5. Let metrics be the result of accessing per-participant metrics for reportingContext, buyer, generate-bid.
6. Apply interest groups limits to prioritized list:
  1. Let buyerGroupLimit be allBuyersGroupLimit.
  2. Let perBuyerGroupLimits be auctionConfig’s per buyer group limits.
  3. If perBuyerGroupLimits is not null and perBuyerGroupLimits[buyer] exists, then set buyerGroupLimit to perBuyerGroupLimits[buyer].
  4. Let igs be a new list of interest groups.
  5. For each signalsUrl → perSlotSizeQueryParam of perBuyerGenerator:
    1. For each slotSizeQueryParam → perSignalsUrlGenerator of perSlotSizeQueryParam:
      1. For each joiningOrigin → groups of perSignalsUrlGenerator:
        
        Extend igs with groups.
  6. Update storage metrics given metrics and igs.
    
    Note: This is done before any filtering, since it represents storage resource usage.
  7. Sort in descending order igs, with a being less than b if a’s priority is less than b’s priority.
  8. Remove the first buyerGroupLimit items from igs.
  9. For each signalsUrl → perSlotSizeQueryParam of perBuyerGenerator:
    1. For each slotSizeQueryParam → perSignalsUrlGenerator of perSlotSizeQueryParam:
      1. For each joiningOrigin → groups of perSignalsUrlGenerator:
        
        Remove from groups any interest group contained in igs.
        
        Increment metrics’s participating interest group count by size of groups.
7. Let perBuyerSignals be null.
8. If auctionConfig’s per buyer signals is not null and per buyer signals[buyer] exists, then set perBuyerSignals to auctionConfig’s per buyer signals[buyer].
9. Let perBuyerTimeout be auctionConfig’s all buyers timeout.
10. If auctionConfig’s per buyer timeouts is not null and per buyer timeouts[buyer] exists, then set perBuyerTimeout to auctionConfig’s per buyer timeouts[buyer].
11. Let expectedCurrency be the result of looking up per-buyer currency with auctionConfig and buyer.
12. Let multiBidLimit be the result of looking up per-buyer multi-bid limit with auctionConfig and buyer.
13. Set browserSignals["forDebuggingOnlyInCooldownOrLockout"] to the result of running is debugging only in cooldown or lockout with buyer.
14. Let optedInForRealTimeReporting be true if auctionConfig’s per buyer real time reporting config[buyer] is "default-local-reporting", false otherwise.
15. For each slotSizeQueryParam → perSlotSizeQueryParam of perBuyerGenerator:
  1. For each signalsUrl → perSignalsUrlGenerator of perSlotSizeQueryParam:
    1. Let crossOriginTrustedBiddingSignalsOrigin be null.
    2. If buyer is not same origin with signalsUrl’s origin, then set crossOriginTrustedBiddingSignalsOrigin to signalsUrl’s origin.
    3. Let trustedBiddingSignalsBatcher be a new trusted bidding signals batcher.
    4. Let fetchSignalStartTime be settings’s current monotonic time.
    5. For each joiningOrigin → groups of perSignalsUrlGenerator:
      1. For each ig of groups:
        
        Batch or fetch trusted bidding signals given trustedBiddingSignalsBatcher, ig, signalsUrl, buyerExperimentGroupId, topLevelOrigin, slotSizeQueryParam, and policyContainer.
      2. Fetch the current outstanding trusted signals batch given trustedBiddingSignalsBatcher, signalsUrl, buyer, buyerExperimentGroupId, topLevelOrigin, and slotSizeQueryParam.
      3. Fetch the trusted key value signals batch given trustedBiddingSignalsBatcher, signalsUrl, buyer, buyerExperimentGroupId, topLevelOrigin, and slotSizeQueryParam.
    6. Process updateIfOlderThanMs with buyer, and trustedBiddingSignalsBatcher’s all per interest group data.
    7. Let fetchSignalDuration be the duration from fetchSignalStartTime to settings’s current monotonic time, in milliseconds.
    8. Expend cumulative timeout time given cumulativeTimeoutTracker and fetchSignalDuration.
    9. For each joiningOrigin → groups of perSignalsUrlGenerator:
      1. For each ig of groups:
        
        If cumulativeTimeoutTracker is expired then increment metrics’s cumulative timeouts occurred by 1 and continue.
        
        If ig’s bidding url is null, continue.
        
        Let effectiveBuyerTimeout be the result of computing effective timeout given cumulativeTimeoutTracker and perBuyerTimeout.
        
        Let generateBidStartTime be settings’s current monotonic time.
        
        Let directFromSellerSignalsForBuyer be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and ig’s owner.
        
        Let dataVersion be null.
        
        Let allTrustedBiddingSignals be an ordered map-or-null, initially null.
        
        Let igName be ig’s name.
        
        If trustedBiddingSignalsBatcher’s no signals flags[igName] does not exist:
        
        Set dataVersion to trustedBiddingSignalsBatcher’s data versions[igName].
        
        Set allTrustedBiddingSignals to all trusted bidding signals.
        
        Otherwise if trustedBiddingSignalsBatcher’s no signals flags[igName] is "fetch-failed", and optedInForRealTimeReporting is true, then:
        
        Add a platform contribution with trusted bidding signals failure bucket, realTimeContributionsMap, and igName.
        
        Remove browserSignals["dataVersion"].
        
        Remove browserSignals["crossOriginDataVersion"].
        
        If dataVersion is not null:
        
        If crossOriginTrustedBiddingSignalsOrigin is not null, then set browserSignals["crossOriginDataVersion"] to dataVersion.
        
        Otherwise, set browserSignals["dataVersion"] to dataVersion.
        
        Let generateBidResult be the result of generate potentially multiple bids given allTrustedBiddingSignals, crossOriginTrustedBiddingSignalsOrigin, auctionSignals, a clone of browserSignals, perBuyerSignals, directFromSellerSignalsForBuyer, effectiveBuyerTimeout, expectedCurrency, multiBidLimit, ig, reportingContext, auctionStartTime, and settings.
        
        If generateBidResult is failure, then:
        
        If optedInForRealTimeReporting is true, then add a platform contribution with bidding script failure bucket, realTimeContributionsMap and buyer.
        
        Continue.
        
        Let (bidsBatch, bidDebugReportInfo, realTimeContributions, paContributions, executionMetrics) be generateBidResult.
        
        Let generateBidDuration be the duration from generateBidStartTime to settings’s current monotonic time, in milliseconds.
        
        Expend cumulative timeout time given cumulativeTimeoutTracker and generateBidDuration.
        
        If cumulativeTimeoutTracker is expired then:
        
        Increment metrics’s cumulative timeouts occurred by 1.
        
        continue.
        
        Let bidsToScore be the result of applying adjust bid list based on k-anonymity to bidsBatch.
        
        Let foundKAnonBids be false.
        
        For each generatedBid of bidsToScore:
        
        If generatedBid’s for k-anon auction is true, set foundKAnonBids to true.
        
        If bidsToScore is not empty but foundKAnonBids is false:
        
        Note: generate potentially multiple bids is now rerun with only k-anonymous ads to give the buyer a chance to generate potentially multiple bids for k-anonymous ads. Allowing the buyer to first generate potentially multiple bids for non-k-anonymous ads provides a mechanism to bootstrap the k-anonymity count, otherwise no ads would ever trigger increment k-anonymity count and all ads would fail query k-anonymity count.
        
        Let kAnonRestrictedIG be the result of running create a k-anon restricted deep copy of the interest group given ig.
        
        Let effectiveBuyerTimeout be the result of computing effective timeout given cumulativeTimeoutTracker and perBuyerTimeout.
        
        Let generateBidStartTime be settings’s current monotonic time.
        
        Set (generatedBids, bidDebugReportInfo, realTimeContributions, paContributions, executionMetrics) to the result of running generate potentially multiple bids with allTrustedBiddingSignals, crossOriginTrustedBiddingSignalsOrigin, auctionSignals, a clone of browserSignals, perBuyerSignals, directFromSellerSignalsForBuyer, effectiveBuyerTimeout, expectedCurrency, 1 (for multiBidLimit), kAnonRestrictedIG, reportingContext, auctionStartTime, and settings.
        
        Note: passing 1 for multiBidLimit limits the rerun to producing at most a single bid.
        
        Let generateBidDuration be the duration from generateBidStartTime to settings’s current monotonic time, in milliseconds.
        
        Expend cumulative timeout time given cumulativeTimeoutTracker and generateBidDuration.
        
        If cumulativeTimeoutTracker is expired then:
        
        Increment metrics’s cumulative timeouts occurred by 1.
        
        continue.
        
        Assert that size of generatedBids ≤ 1.
        
        For each generatedBid of generatedBids:
        
        Assert that query generated bid k-anonymity count given generatedBid returns true.
        
        Apply any component ads target to a bid given generatedBid.
        
        Append generatedBid to bidsToScore.
        
        Register bids for reporting given bidsToScore, ig, bidDebugReportInfo, paContributions, executionMetrics, and reportingContext.
        
        If auctionConfig’s per buyer real time reporting config[buyer] is "default-local-reporting", then insert entries to map given realTimeContributionsMap, buyer, and realTimeContributions.
        
        For each bidToScore of bidsToScore:
        
        If bidToScore’s for k-anon auction is true, append bidToScore’s interest group to bidIgs.
        
        Score and rank a bid with auctionConfig, reportingContext, bidToScore, leadingBidInfo, decisionLogicFetcher, trustedScoringSignalsBatcher, directFromSellerSignalsForSeller, dataVersion, auctionLevel, componentAuctionExpectedCurrency, topLevelOrigin, realTimeContributionsMap, and policyContainer.
16. Update cumulative buyer time metrics given metrics and cumulativeTimeoutTracker.
17. Decrement pendingBuyers by 1.
Wait until both pendingBuyers and pendingAdditionalBids are 0.
If auctionConfig’s aborted is true, return failure.
Set reportingContext’s local leader info to leadingBidInfo.
If leadingBidInfo’s leading bid is null, return null.
If topLevelAuctionConfig is null:
1. Let « sellerSignals, reportResultBrowserSignals » be the result of running report result with leadingBidInfo, reportingContext, directFromSellerSignalsForSeller, null, and global.
2. Let directFromSellerSignalsForWinner be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and leadingBidInfo’s leading bid’s interest group’s owner.
3. Run report win with leadingBidInfo, reportingContext, sellerSignals, reportResultBrowserSignals, directFromSellerSignalsForWinner, and settings.
4. Set reportingContext’s winner reporting id to leadingBidInfo’s leading bid’s reporting id.
Let replacements be an ordered map whose keys are strings and whose values are strings.
1. For each ad keyword replacement, replacement, within deprecated render url replacements:
  1. Let k be replacement’s match.
  2. Let v be replacement’s replacement.
  3. Set replacements[k] to v.
Set leadingBidInfo’s leading bid’s ad descriptor to the result of substitute macros with replacements and leading bid’s ad descriptor.
If leadingBidInfo’s leading bid’s ad descriptors is not null:
1. For each ad descriptor, adDescriptor, within leading bid’s ad descriptors:
  1. Set adDescriptor to the result of substitute macros with replacements and adDescriptor.
Return leadingBidInfo.

To build an interest group passed to generateBid given an interest group ig:

Let igGenerateBid be a new GenerateBidInterestGroup with the following fields:

owner
The serialization of ig’s owner
name
ig’s name
enableBiddingSignalsPrioritization
ig’s enable bidding signals prioritization
priorityVector
ig’s priority vector if not null, otherwise not set.
executionMode
ig’s execution mode
biddingLogicURL
The serialization-or-undefined of ig’s bidding url
biddingWasmHelperURL
The serialization of ig’s bidding wasm helper url
updateURL
The serialization of ig’s update url
trustedBiddingSignalsURL
The serialization of ig’s trusted bidding signals url
trustedBiddingSignalsKeys
ig’s trusted bidding signals keys, if not null, otherwise not set.
trustedBiddingSignalsSlotSizeMode
ig’s trusted bidding signals slot size mode
maxTrustedBiddingSignalsURLLength
ig’s max trusted bidding signals url length
trustedBiddingSignalsCoordinator
The serialization of ig’s trusted bidding signals coordinator
userBiddingSignals
Parse a JSON string to a JavaScript value given ig’s user bidding signals
ads
ig’s ads converted to an AuctionAd sequence
adComponents
ig’s ad components converted to an AuctionAd sequence
Return igGenerateBid.

To convert to an AuctionAd sequence given a list-or-null ads:

If ads is null, then return undefined.
Let adsIDL be a new sequence<AuctionAd>.
For each ad of ads:
1. Let adIDL be a new AuctionAd.
2. Set adIDL["renderURL"] to the serialization of ad’s render url.
3. If ad’s selectable buyer and seller reporting IDs is not null:
  1. Set adIDL["selectableBuyerAndSellerReportingIds"] to ad’s selectable buyer and seller reporting IDs.
  2. If ad’s buyer and seller reporting id is not null then set adIDL["buyerAndSellerReportingId"] to ad’s buyer and seller reporting id.
  3. If ad’s buyer reporting id is not null then set adIDL["buyerReportingId"] to ad’s buyer reporting id.
4. If ad’s size group is not null, then set adIDL["sizeGroup"] to ad’s size group.
5. If ad’s metadata is not null, then set adIDL["metadata"] to the result of parsing a JSON string to a JavaScript value given ad’s metadata.
6. If ad’s creative scanning metadata is not null, then set adIDL["creativeScanningMetadata"] to it.
7. Append adIDL to adsIDL.
Return adsIDL.

To fetch and decode trusted scoring signals given a trusted scoring signals batcher batcher, an auction config auctionConfig, a generated bid generatedBid, a script fetcher decisionLogicFetcher, an origin topLevelOrigin, a real time reporting contributions map realTimeContributionsMap, and a policy container policyContainer:

Let isCrossOrigin be false.
Let sameOriginTrustedScoringSignals be null.
Let crossOriginTrustedScoringSignals be null.
Let scoringDataVersion be null.
Let sendCreativeScanningMetadata be auctionConfig’s send creative scanning metadata.
If auctionConfig’s trusted scoring signals coordinator is not null, set sendCreativeScanningMetadata to false.
Let owner be generatedBid’s interest group’s owner.
Let mainAd be the result of filling in creative info given sendCreativeScanningMetadata, generatedBid’s ad descriptor, owner, bid ad.
Let adComponents be a new empty set.
for each i in the range from 0 to bid ad components’s size - 1, inclusive:
1. Let adComponentCreativeInfo be the result of filling in creative info given sendCreativeScanningMetadata, generatedBid’s ad component descriptors[i], owner, generatedBid’s bid ad components[i].
2. Append adComponentCreativeInfo to adComponents.
If auctionConfig’s trusted scoring signals url is not null:
1. Let request be a new trusted scoring signals request with the following items:
  
  send creative scanning metadata
  
  sendCreativeScanningMetadata.
  
  seller
  
  auctionConfig’s seller
  
  seller script fetcher
  
  decisionLogicFetcher
  
  base url
  
  auctionConfig’s trusted scoring signals url
  
  seller experiment group id
  
  auctionConfig’s seller experiment group id
  
  top level origin
  
  topLevelOrigin
  
  ad
  
  mainAd
  
  ad components
  
  adComponents
  
  policy container
  
  policyContainer
  
  signal coordinator
  
  auctionConfig’s trusted scoring signals coordinator
  
  owner origin
  
  owner
  
  joining origin
  
  generatedBid’s interest group’s joining origin
2. If auctionConfig’s trusted scoring signals url’s origin is not same origin with auctionConfig’s seller, then set isCrossOrigin to true.
3. Let result be the result of fetching trusted scoring signals with batching with batcher and request.
4. If result is not failure:
  1. Let allTrustedScoringSignals be result’s all trusted scoring signals:
  2. Set scoringDataVersion to result’s data version.
  3. Let trustedScoringSignals be a new empty map.
  4. Set trustedScoringSignals["renderURL"] to a new empty map.
  5. If allTrustedScoringSignals["renderURLs"] exists and allTrustedScoringSignals["renderURLs"][renderURL] exists, then set trustedScoringSignals["renderURL"][renderURL] to allTrustedScoringSignals["renderURLs"][renderURL].
  6. If adComponentRenderURLs is not empty:
    1. Let adComponentRenderURLsValue be a new empty map.
    2. If allTrustedScoringSignals["adComponentRenderURLs"] exists, for each adComponentRenderURL in adComponentRenderURLs:
      1. If allTrustedScoringSignals["adComponentRenderURLs"][adComponentRenderURL] exists, then set adComponentRenderURLsValue[adComponentRenderURL] to allTrustedScoringSignals["adComponentRenderURLs"][adComponentRenderURL].
    3. Set trustedScoringSignals["adComponentRenderURLs"] to adComponentRenderURLsValue.
  7. If isCrossOrigin is false, set sameOriginTrustedScoringSignals to trustedScoringSignals.
  8. Otherwise:
    1. Set crossOriginTrustedScoringSignals to a new map.
    2. Let originKey be the serialization given auctionConfig’s trusted scoring signals url’s origin.
    3. Set crossOriginTrustedScoringSignals[originKey] to trustedScoringSignals.
5. Otherwise if auctionConfig’s seller real time reporting config is "default-local-reporting",then:
  1. Add a platform contribution with trusted scoring signals failure bucket, realTimeContributionsMap, and auctionConfig’s seller.
Return «isCrossOrigin, sameOriginTrustedScoringSignals, crossOriginTrustedScoringSignals, scoringDataVersion»

To score and rank a bid given an auction config auctionConfig, a reporting context reportingContext, a generated bid generatedBid, a leading bid info leadingBidInfo, a script fetcher decisionLogicFetcher, a trusted scoring signals batcher trustedScoringSignalsBatcher a DirectFromSellerSignalsForSeller directFromSellerSignalsForSeller, an unsigned long-or-null biddingDataVersion, an enum auctionLevel, which is "single-level-auction", "top-level-auction", or "component-auction", a currency tag componentAuctionExpectedCurrency, an origin topLevelOrigin, a real time reporting contributions map realTimeContributionsMap, and a policy container policyContainer:

Let «trustedScoringSignalsAreCrossOrigin, sameOriginTrustedScoringSignals, crossOriginTrustedScoringSignals, scoringDataVersion» be the result of fetch and decode trusted scoring signals given trustedScoringSignalsBatcher, auctionConfig, generatedBid, decisionLogicFetcher, topLevelOrigin, realTimeContributionsMap, and policyContainer.
Let adMetadata be generatedBid’s ad.
Let bidValue be generatedBid’s bid.
If generatedBid’s modified bid is not null, then set bidValue to generatedBid’s modified bid.
Let owner be generatedBid’s interest group’s owner.
Let browserSignals be a ScoringBrowserSignals with the following fields:

topWindowHostname
The result of running the host serializer on topLevelOrigin’s host
interestGroupOwner
Serialized owner
renderURL
The result of running the URL serializer on generatedBid’s ad descriptor’s url
renderSize
The result of running convert an ad size to a map with generatedBid’s ad descriptor’s size if it is not null, undefined otherwise
biddingDurationMsec
generatedBid’s bid duration
bidCurrency
The result of serializing a currency tag with generatedBid’s bid’s currency
dataVersion
scoringDataVersion if it is not null and trustedScoringSignalsAreCrossOrigin is false, unset otherwise.
crossOriginDataVersion
scoringDataVersion if it is not null and trustedScoringSignalsAreCrossOrigin is true, unset otherwise.
adComponents
generatedBid’s ad component descriptors converted to a string sequence
forDebuggingOnlyInCooldownOrLockout
The result of running is debugging only in cooldown or lockout with seller
creativeScanningMetadata
generatedBid’s bid ad’s creative scanning metadata if non-null, unset otherwise.
adComponentsCreativeScanningMetadata
Unset if generatedBid’s bid ad components is empty; the result of extracting component ad creative scanning metadata given generatedBid’s bid ad components otherwise.
Let decisionLogicScript be the result of wait for script body from a fetcher given decisionLogicFetcher.
If decisionLogicScript is failure, then:
1. If auctionConfig’s seller real time reporting config is "default-local-reporting", then add a platform contribution with scoring script failure bucket, realTimeContributionsMap and seller.
2. Return.
Let metrics be the result of access per-participant metrics given reportingContext, auctionConfig’s seller, score-ad.
Add a sample to an averager given metrics’s code fetch time averager and decisionLogicFetcher’s fetch duration.
Let « scoreAdResult, debugWinReportUrl, debugLossReportUrl, realTimeContributions, paContributions, executionMetrics » be the result of evaluating a scoring script with decisionLogicScript, adMetadata, bidValue’s value, auctionConfig, reportingContext, sameOriginTrustedScoringSignals, crossOriginTrustedScoringSignals, browserSignals, directFromSellerSignalsForSeller, and auctionConfig’s seller timeout.
Increment metrics’s script executions attempted by 1.
If executionMetrics’s script timed out is true, increment metrics’s script timeouts occurred by 1.
If generatedBid’s for k-anon auction is true:

Note: Non-k-anonymous bids do not participate in reporting (except for platform real-time contributions, and some special handling of private aggregation requests involving reject-reason); as it would be problematic to report a winner that didn’t actually win.
1. Let reportingId be generatedBid’s reporting id.
2. If reportingContext’s debug reporting info[reportingId] does not exist, set it to a new bid debug reporting info.
3. Let bidDebugReportInfo be reportingContext’s debug reporting info [reportingId].
4. If auctionLevel is "top-level-auction":
  1. Set bidDebugReportInfo’s top level seller debug loss report url to debugLossReportUrl.
  2. Set bidDebugReportInfo’s top level seller debug win report url to debugWinReportUrl.
5. Otherwise:
  1. Set bidDebugReportInfo’s seller debug loss report url to debugLossReportUrl.
  2. Set bidDebugReportInfo’s seller debug win report url to debugWinReportUrl.
6. If auctionLevel is "component-auction", then set bidDebugReportInfo’s component seller to seller.
7. If auctionConfig’s seller real time reporting config is "default-local-reporting", then insert entries to map given realTimeContributionsMap, seller, and realTimeContributions.
8. Insert reportingId into reportingContext’s seller participants.
9. Commit private aggregation contributions given paContributions, reportingId, and reportingContext.
Let scoreAdOutput be result of processing scoreAd output with scoreAdResult.
Return if any of the following conditions hold:
- scoreAdOutput is failure;
- auctionLevel is not "single-level-auction", and scoreAdOutput ["allowComponentAuction"] is false;
- scoreAdOutput["desirability"] ≤ 0.
If auctionLevel is "component-auction":
1. Set generatedBid’s component seller to seller.
2. Let bidToCheck be generatedBid’s bid.
3. If scoreAdOutput["bid"] exists:
  1. Let modifiedBidValue be scoreAdOutput["bid"].
  2. If modifiedBidValue ≤ 0, return.
  3. Let modifiedBidCurrency be null.
  4. If scoreAdOutput["bidCurrency] exists, then set modifiedBidCurrency to scoreAdOutput["bidCurrency].
  5. Set generatedBid’s modified bid to a bid with currency with value modifiedBidValue and currency modifiedBidCurrency.
  6. Set bidToCheck to generatedBid’s modified bid.
4. If the result of checking a currency tag with componentAuctionExpectedCurrency and bidToCheck’s currency is false, return.
5. If the result of checking a currency tag with auctionConfig’s seller currency and bidToCheck’s currency is false, return.
If auctionConfig’s seller currency is not null:
1. If generatedBid’s bid’s currency is equal to auctionConfig’s seller currency:
  1. Set generatedBid’s bid in seller currency to generatedBid’s bid’s value.
  2. If scoreAdOutput["incomingBidInSellerCurrency"] exists and does not equal generatedBid’s bid in seller currency, return.
2. Otherwise if scoreAdOutput["incomingBidInSellerCurrency"] exists, then set generatedBid’s bid in seller currency to scoreAdOutput["incomingBidInSellerCurrency"].
Let score be scoreAdOutput["desirability"].
If generatedBid’s for k-anon auction is false:
1. Let updateLeadingNonKAnonEnforcedBid be false.
2. If leadingBidInfo’s leading non-k-anon-enforced bid is null, or score > leadingBidInfo’s top non-k-anon-enforced score:
  1. Set updateLeadingNonKAnonEnforcedBid to true.
  2. Set leadingBidInfo’s top non-k-anon-enforced bids count to 1.
3. If leadingBidInfo’s leading non-k-anon-enforced bid is not null and score = leadingBidInfo’s top non-k-anon-enforced score:
  1. Increment leadingBidInfo’s top non-k-anon-enforced bids count by 1.
  2. Set updateLeadingNonKAnonEnforcedBid to true with 1 in leadingBidInfo’s top non-k-anon-enforced bids count chance.
4. If updateLeadingNonKAnonEnforcedBid is true:
  1. Set leadingBidInfo’s top non-k-anon-enforced score to score.
  2. Set leadingBidInfo’s leading non-k-anon-enforced bid to generatedBid.
5. Return.
Let updateLeadingBid be false.
If leadingBidInfo’s leading bid is null, or score > leadingBidInfo’s top score:
1. Set updateLeadingBid to true.
2. Set leadingBidInfo’s top bids count to 1.
3. Set leadingBidInfo’s at most one top bid owner to true.
Otherwise if score equals leadingBidInfo’s top score:
1. Increment leadingBidInfo’s top bids count by 1.
2. Set updateLeadingBid to true with 1 in leadingBidInfo’s top bids count chance.
3. If updateLeadingBid is false, then update highest scoring other bid with score, leadingBidInfo’s leading bid, and leadingBidInfo.
4. If owner is not same origin with leadingBidInfo’s leading bid’s interest group’s owner, then set leadingBidInfo’s at most one top bid owner to false.
Otherwise if score is greater than or equal to leadingBidInfo’s second highest score, then update highest scoring other bid with score, bidValue, and leadingBidInfo.
If updateLeadingBid is true:
1. If leadingBidInfo’s leading bid is not null, then update highest scoring other bid with leadingBidInfo’s top score, leadingBidInfo’s leading bid, and leadingBidInfo.
2. Set leadingBidInfo’s top score to score.
3. Set leadingBidInfo’s leading bid to generatedBid.
4. Set leadingBidInfo’s auction config to auctionConfig.
5. Set leadingBidInfo’s bidding data version to biddingDataVersion.
6. Set leadingBidInfo’s scoring data version to scoringDataVersion.

To convert to a string sequence given a list-or-null adComponents:

If adComponents is null, return undefined.
Let result be a new sequence<USVString>.
For each component of adComponents:
1. Append serialized component’s url to result.
Return result.

To extract component ad creative scanning metadata given a list of interest group ad bidAdComponents:

Let result be a new sequence<USVString?>.
For each componentAd of bidAdComponents:
1. Append componentAd’s creative scanning metadata to result.
Return result.

To update highest scoring other bid given a double score, a generated bid-or-null bid, and a leading bid info leadingBidInfo:

If bid is null, return.
Let owner be bid’s interest group’s owner.
If score is greater than leadingBidInfo’s second highest score:
1. Set leadingBidInfo’s highest scoring other bid to bid.
2. Set leadingBidInfo’s highest scoring other bids count to 1.
3. Set leadingBidInfo’s second highest score to score.
4. Set leadingBidInfo’s highest scoring other bid owner to owner if leadingBidInfo’s at most one top bid owner is true, null otherwise.
Otherwise if score is equal to leadingBidInfo’s second highest score:
1. Increment leadingBidInfo’s highest scoring other bids count by 1.
2. Set leadingBidInfo’s highest scoring other bid to bid with 1 in leadingBidInfo’s highest scoring other bids count chance.
3. If leadingBidInfo’s highest scoring other bid owner is not null and owner is not same origin with leadingBidInfo’s highest scoring other bid owner, then set leadingBidInfo’s highest scoring other bid owner to null.

The Ad-Auction-Allowed HTTP response header is a structured header whose value must be a boolean.

To validate fetching response headers given a response response:

If getting `Ad-Auction-Allowed` and "item" from response’s header list does not return a true value, return false.
If response’s status is not an ok status, return false.
Return true.

To validate fetching response mime and body given a response response, null, failure, or a byte sequence responseBody, and a string mimeType:

If responseBody is null or failure, return false.
Let headerMimeType be the result of extracting a MIME type from response’s header list.
Return false if any of the following conditions hold:
- headerMimeType is failure;
- mimeType is "text/javascript" and headerMimeType is not a JavaScript MIME type;
- mimeType is "application/json" and headerMimeType is not a JSON MIME type.
- mimeType is "application/wasm" and the result of getting "Content-Type" from response’s header list is null or not byte-case-insensitive equal to "application/wasm".
- mimeType is "message/ad-auction-trusted-signals-response" and the result of getting "Content-Type" from response’s header list is null or not byte-case-insensitive equal to "message/ad-auction-trusted-signals-response".
  
  Note: This was intended to match the behavior of compiling a potential WebAssembly response, but diverges by failing to remove leading and trailing HTTP tab or space bytes.
If mimeType is not "application/wasm":
1. Let mimeTypeCharset be "utf-8".
2. If headerMimeType’s parameters["charset"] exists, set mimeTypeCharset to headerMimeType’s parameters["charset"].
3. Return true if any of the following conditions hold:
  - mimeTypeCharset is "utf-8", and responseBody is UTF-8 encoded;
  - mimeTypeCharset is "us-ascii", and all bytes in responseBody are ASCII bytes.
4. Return false.
Return true.

To validate fetching response given a response response, null, failure, or a byte sequence responseBody, and a string mimeType:

If the result of validating fetching response headers given response is false, then return false.
If the result of validating fetching response mime and body given response, responseBody, mimeType is false, then return false.
Return true.

To fetch WebAssembly given a URL url and an environment settings object settings:

Let request be a new request with the following properties:

URL

url

header list

«Accept: application/wasm»

client

null

origin

settings’s origin

mode

"no-cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

"none"

policy container

A new policy container whose IP address space is settings’s policy container’s IP address space

Stop using "no-cors" mode where possible (WICG/turtledove#667).
Let moduleObject be null.
Fetch request with processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
1. If validate fetching response with response, responseBody and "application/wasm" returns false, set moduleObject to failure and return.
2. Let module be the result of compiling a WebAssembly module response.
3. If module is error, set moduleObject to failure.
4. Otherwise, set moduleObject to module.
Wait for moduleObject to be set.
Return moduleObject.

The Data-Version HTTP response header is a structured header whose value must be an integer. The X-fledge-bidding-signals-format-version HTTP response header is a structured header whose value must be an integer.

To fetch trusted signals given a URL url, an origin scriptOrigin, a policy container policyContainer, and a boolean isBiddingSignal. They return a tuple consisting of (ordered map or null, ordered map or null, integer or null):

Let request be a new request with the following properties:

URL

url

origin

scriptOrigin

header list

«Accept: application/json»

client

null

mode

"cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

"none"

policy container

A new policy container whose IP address space is policyContainer’s IP address space
Let signals be null.
Let dataVersion be null.
Let formatVersion be null.
Let perInterestGroupData be an ordered map whose keys are name strings and whose values are bidding signals per interest group data.
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
1. If validate fetching response with response, responseBody and "application/json" returns false, set signals to failure and return.
2. Let headers be response’s header list.
3. Set dataVersion to the result of getting a structured field value given `Data-Version` and "item" from headers.
4. If dataVersion is not null:
  1. If dataVersion is not an integer, or is less than 0 or more than 2³²−1, set signals to failure and return.
5. If isBiddingSignal is true, then set formatVersion to the result of getting a structured field value given `X-fledge-bidding-signals-format-version` and "item" from headers.
6. Set signals to the result of parsing JSON bytes to an Infra value responseBody.
Wait for signals to be set.
If signals is a parsing exception, or if signals is not an ordered map, return a tuple (null, null, null).
If formatVersion is 2:
1. If signals["keys"] does not exist, tuple (null, null, null ).
2. Set signals to signals["keys"].
3. If signals is not an ordered map, return a tuple (null, null, null).
4. If signals["perInterestGroupData"] exists and is an ordered map:
  1. Assert isBiddingSignal is true.
  2. Let perInterestGroupData be signals["perInterestGroupData"].
For each key → value of signals:
1. Set signals[key] to the result of serializing an Infra value to a JSON string given value.
Return a tuple (signals, perInterestGroupData, dataVersion).

To fetch trusted key value signals given a URL url, a byte sequence body, a string-or-null context, an origin scriptOrigin, a policy container policyContainer, an map-or-null indexMap whose keys are strings and values are tuples consisting of an interger and an integer , and a boolean isBiddingSignal:

Let request be a new request with the following properties:

URL

url

method

POST

body

body

origin

scriptOrigin

header list

«Content-Type: message/ad-auction-trusted-signals-request, Accept: message/ad-auction-trusted-signals-response»

client

null

mode

"cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

"none"

policy container

A new policy container whose IP address space is policyContainer’s IP address space
Let signals be null.
Let signalsMap be an empty map, whose keys are strings and values are maps.
Let dataVersion be an empty ordered map, whose keys are strings and values are integers.
Let perInterestGroupData be an ordered map whose keys are name strings and whose values are bidding signals per interest group data.
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
1. If validate fetching response with response, responseBody and "message/ad-auction-trusted-signals-response" returns false, return « failure, null, null ».
2. Let resultList be the result of deserializing responseBody using context. The deserialization method may follow that described in Section 2.3.6 of the Protected Audience Key Value Services.
3. For each result in resultList:
  1. If result contains "dataVersion":
    1. If result["dataVersion"] is not an integer, or is less than 0 or more than 2³²−1, return « failure, null, null ».
  2. If isBiddingSignal is true:
    1. For each name → value in result["interestGroupNames"]:
      1. If indexMap[name] does not equal to result["index"], return « failure, null, null ».
      2. Set perInterestGroupData[name] to value.
      3. If result contains "dataVersion", set dataVersion[name] to result["dataVersion"].
    2. For each key → value in result["keys"]:
      1. Set signalsMap[key] to value.
  3. Otherwise:
    1. For each url → value in result["renderURLs"]:
      1. Set signalsMap[url] to value.
      2. If result contains "dataVersion", set dataVersion[url] to result["dataVersion"].
    2. For each url → value in result["adComponentRenderURLs"]:
      1. Set signalsMap[url] to value.
If signalsMap is not empty, set signals to signalsMap.
Return « signals, perInterestGroupData, dataVersion ».

Add "message/ad-auction-trusted-signals-request" to mimeType’s essence check list under "content-type" in CORS-safelisted request-header.

To encode trusted signals keys given a list of strings keys:

Let escapedKeys be a new list of strings.
For each keyStr in keys:
1. Append the result of UTF-8 percent-encoding keyStr using component percent-encode set to escapedKeys.
The Chrome implementation encodes 0x20 (SP) to U+002B (+), while UTF-8 percent-encoding encodes it to "%20".
Return the result of concatenating escapedKeys with separator set to ",".

To convert an ad size to a string given an ad size adSize.

Let sizeList be an empty list.
Let jsWidth be adSize’s width, converted to an ECMAScript value.
Append ToString(jsWidth) to sizeList.
Append adSize’s width to sizeList.
Append adSize’s width units to sizeList.
Append "," to sizeList.
Let jsHeight be adSize’s height, converted to an ECMAScript value.
Append ToString(jsHeight) to sizeList.
Append adSize’s height units to sizeList.
Return the result of concatenating sizeList.

To calculate the ad slot size query param given an interest group ig and auction config config:

Switch on ig’s trusted bidding signals slot size mode:
"none"
1. Return "".
"slot-size"
1. If config’s requested size is null, then return "".
2. Otherwise:
  1. Let adSizeString the result of running convert an ad size to a string on config’s requested size.
  2. Return the result of concatenating « "&slotSize=", adSizeString ».
"all-slots-requested-sizes"
1. If config’s all slots requested sizes is null, then return "".
2. Let allSizesList be a new list or strings.
3. For each adSize in config’s all slots requested sizes:
  1. Let adSizeString the result of running convert an ad size to a string on adSize.
  2. Append adSizeString to allSizesList.
4. Let allSizes be the result of concatenating allSizesList, with "," as a separator.
5. Return the result of concatenating « "&allSlotsRequestedSizes=", allSizes ».

To send report given a URL url, and an environment settings object settings:

Let request be a new request with the following properties:

URL

url

client

null

origin

settings’s origin

mode

"no-cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

"none"

policy container

A new policy container whose IP address space is settings’s policy container’s IP address space

Stop using "no-cors" mode where possible (WICG/turtledove#667).
Fetch request with useParallelQueue set to true.

To get direct from seller signals given an origin seller, a string-or-null adSlot, and a map capturedAuctionSignalsHeaders:

If adSlot is not a string, then return null.
Let directFromSellerSignals be null.
Let directFromSellerSignalsKey be a new direct from seller signals key with its seller set to seller, and ad slot set to adSlot.
If capturedAuctionSignalsHeaders[directFromSellerSignalsKey] exists:
1. Set directFromSellerSignals to capturedAuctionSignalsHeaders[directFromSellerSignalsKey].
Return directFromSellerSignals.

To get direct from seller signals for a seller given a direct from seller signals-or-null directFromSellerSignals:

Let directFromSellerSignalsForSeller be a new DirectFromSellerSignalsForSeller.
If directFromSellerSignals is null, then return directFromSellerSignalsForSeller.
Set directFromSellerSignalsForSeller["auctionSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s auction signals.
Set directFromSellerSignalsForSeller["sellerSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s seller signals.
Return directFromSellerSignalsForSeller.

To get direct from seller signals for a buyer given a direct from seller signals-or-null directFromSellerSignals, and an origin owner:

Let directFromSellerSignalsForBuyer be a new DirectFromSellerSignalsForBuyer.
If directFromSellerSignals is null, then return directFromSellerSignalsForBuyer.
Set directFromSellerSignalsForBuyer["auctionSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s auction signals.
If directFromSellerSignals’s per buyer signals[owner] exists:
1. Set directFromSellerSignalsForBuyer["perBuyerSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s per buyer signals[owner].
Return directFromSellerSignalsForBuyer.

To report result given a leading bid info leadingBidInfo, a reporting context reportingContext, a direct from seller signals-or-null directFromSellerSignals, an auction config-or-null winningComponentConfig, and a global object global:

Let config be leadingBidInfo’s auction config.
Let bidCurrency be null.
If winningComponentConfig is not null:
1. Assert that leadingBidInfo’s component seller is not null.
2. Set bidCurrency to winningComponentConfig’s seller currency.
3. If bidCurrency is null, then set bidCurrency to the result of looking up per-buyer currency with config and leadingBidInfo’s component seller.
Otherwise, set bidCurrency to the result of looking up per-buyer currency with config and leadingBidInfo’s leading bid’s interest group’s owner.
Let winner be leadingBidInfo’s leading bid.
Let sellerCurrency be leadingBidInfo’s auction config’s seller currency.
Let highestScoringOtherBid be leadingBidInfo’s highest scoring other bid’s bid in seller currency (or 0 if encountered a null).
If sellerCurrency is null, then set highestScoringOtherBid to leadingBidInfo’s highest scoring other bid’s bid’s value (or 0 if encountered a null).
Let bid be winner’s bid’s value.
Let modifiedBid be null.
If winner’s modified bid is not null:
1. If leadingBidInfo’s component seller is not null, then set bid to winner’s modified bid.
2. Otherwise, set modifiedBid to winner’s modified bid.
Let browserSignals be a ReportResultBrowserSignals with the following fields:

topWindowHostname
The result of running the host serializer on global’s top-level origin’s host.
interestGroupOwner
Serialized winner’s interest group’s owner.
renderURL
Serialized winner’s ad descriptor’s url
bid
Stochastically rounded bid
bidCurrency
The result of serializing a currency tag with bidCurrency
highestScoringOtherBid
highestScoringOtherBid
highestScoringOtherBidCurrency
sellerCurrency if it is not null, "???" otherwise
topLevelSeller
leadingBidInfo’s top level seller if it is not null, undefined otherwise
componentSeller
leadingBidInfo’s component seller if it is not null, undefined otherwise
desirability
Stochastically rounded leadingBidInfo’s top score
topLevelSellerSignals
leadingBidInfo’s top level seller signals if it is not null, undefined otherwise
modifiedBid
Stochastically rounded modifiedBid if it is not null, undefined otherwise
dataVersion
leadingBidInfo’s scoring data version if it is not null, undefined otherwise
Let igAd be the interest group ad from winner’s interest group’s ads whose render url is winner’s ad descriptor’s url.
If the winner’s selected buyer and seller reporting ID is not null:
1. Assert that the result of running query reporting ID k-anonymity count with winner’s interest group, igAd, and winner’s selected buyer and seller reporting ID is true.
  
  Note: The winning interest group ad is expected to be k-anonymous for reporting because any bid that included a selected buyer and seller reporting ID wouldn’t be considered k-anonymous, and thus couldn’t win the auction and wouldn’t be reported, unless that bid was k-anonymous for reporting with that selected buyer and seller reporting ID.
2. Set browserSignals["selectedBuyerAndSellerReportingId"] to winner’s selected buyer and seller reporting ID.
3. If igAd’s buyer and seller reporting ID is not null, set browserSignals["buyerAndSellerReportingId"] to it.
Otherwise, if the result of running query reporting ID k-anonymity count with winner’s interest group, igAd, and null is true:
1. If igAd’s buyer and seller reporting ID is not null, set browserSignals["buyerAndSellerReportingId"] to it.
Let metrics be the result of access per-participant metrics given reportingContext, config’s seller, report-result.
Let sellerReportingScriptFetcher be the result of creating a new script fetcher with config’s decision logic url and global’s relevant settings object.
Let sellerReportingScript be the result of waiting for script body from a fetcher given sellerReportingScriptFetcher.
Add a sample to an averager given metrics’s code fetch time averager and sellerReportingScriptFetcher’s fetch duration.
Let « sellerSignals, reportUrl, reportingBeaconMap, ignored, paContributions, executionMetrics » be the result of evaluating a reporting script with sellerReportingScript, "reportResult", reportingContext, config’s seller, config’s seller Private Aggregation coordinator, config’s config idl’s reportingTimeout, and « config’s config idl, browserSignals, directFromSellerSignals ».
Set metrics’s script executions attempted to 1.
If executionMetrics’s script timed out is true, set metrics’s script timeouts occurred to 1.
Let reportingResult be a reporting result with the following items:

report url

reportUrl

reporting beacon map

reportingBeaconMap
If leadingBidInfo’s top level seller is null (i.e., if we are reporting for a component seller), set leadingBidInfo’s component seller reporting result to reportingResult.
Otherwise, set leadingBidInfo’s seller reporting result to reportingResult.
Commit private aggregation contributions given paContributions, winner’s reporting id and reportingContext.
Remove browserSignals["desirability"].
Remove browserSignals["modifiedBid"].
Remove browserSignals["topLevelSellerSignals"].
Remove browserSignals["dataVersion"].

Note: Remove fields specific to ReportResultBrowserSignals which only sellers can learn about, so that they are not passed to "reportWin()".
Return « sellerSignals, browserSignals ».

To report win given a leading bid info leadingBidInfo, reporting context reportingContext, a string sellerSignals, a ReportingBrowserSignals browserSignals, a direct from seller signals-or-null directFromSellerSignals, and an environment settings object settings:

Let config be leadingBidInfo’s auction config.
Let winner be leadingBidInfo’s leading bid.
Let perBuyerSignals be config’s per buyer signals.
Let buyer be winner’s interest group’s owner.
Let perBuyerSignalsForBuyer be perBuyerSignals[buyer] if that member exists, and null otherwise.
Let reportWinBrowserSignals be a ReportWinBrowserSignals with the members that are declared on ReportingBrowserSignals initialized to their values in browserSignals.
Add the following fields to reportWinBrowserSignals:

dataVersion
leadingBidInfo’s bidding data version if it is not null, undefined otherwise.
adCost
Rounded winner’s ad cost
seller
Serialized config’s seller
madeHighestScoringOtherBid
Set to true if leadingBidInfo’s highest scoring other bid owner is not null, and buyer is same origin with leadingBidInfo’s highest scoring other bid owner, false otherwise
modelingSignals
winner’s modeling signals if it is not null, undefined otherwise (TODO: noise and bucket this signal)
Let ig be winner’s interest group.
Let metrics be the result of access per-participant metrics given reportingContext, ig’s owner, report-win.
Let igAd be the interest group ad from ig’s ads whose render url is winner’s ad descriptor’s url.
If winner’s selected buyer and seller reporting ID is not null:

Note: If the winning bid has a selected buyer and seller reporting ID, it would have already been set by the preceding call to report result, and provided to this algorithm in the ReportingBrowserSignals returned by that algorithm and provided to this one.
1. Assert that reportWinBrowserSignals’s ["selectedBuyerAndSellerReportingId"] is equal to winner’s selected buyer and seller reporting ID.
2. Assert that the result of running query reporting ID k-anonymity count with winner’s interest group, igAd, and selected buyer and seller reporting ID is true.
Otherwise if igAd’s buyer and seller reporting ID is not null:

Note: If the winning interest group ad has a buyer and seller reporting ID, it would have already been set by the preceding call to report result, and provided to this algorithm in the ReportingBrowserSignals returned by that algorithm and provided to this one.
1. Assert that reportWinBrowserSignals’s ["buyerAndSellerReportingId"] is equal to igAd’s buyer and seller reporting ID.
2. Assert that the result of running query reporting ID k-anonymity count with winner’s interest group, igAd, and null is true.
Otherwise if the result of running query reporting ID k-anonymity count with winner’s interest group, igAd, and null is true:
1. If igAd’s buyer reporting ID is not null, set reportWinBrowserSignals["buyerReportingId"] to igAd’s buyer reporting ID.
2. Otherwise, set reportWinBrowserSignals["interestGroupName"] to winner’s interest group name.
Let buyerReportingScriptFetcher be the result of creating a new script fetcher with winner’s interest group’s bidding url and settings.
Let buyerReportingScript be the result of waiting for script body from a fetcher given buyerReportingScriptFetcher.
Add a sample to an averager given metrics’s code fetch time averager and buyerReportingScriptFetcher’s fetch duration.
Let reportFunctionName be "reportWin".
If winner’s provided as additional bid is true:
1. Set reportFunctionName be "reportAdditionalBidWin".
Let « ignored, resultUrl, reportingBeaconMap, reportingMacroMap, paContributions, executionMetrics » be the result of evaluating a reporting script with buyerReportingScript, reportFunctionName, reportingContext, ig’s owner, ig’s Private Aggregation coordinator, leadingBidInfo’s auction config’s config idl’s reportingTimeout, and « leadingBidInfo’s auction config’s config idl’s auctionSignals, perBuyerSignalsForBuyer, sellerSignals, reportWinBrowserSignals, directFromSellerSignals ».
Set metrics’s script executions attempted to 1.
If executionMetrics’s script timed out is true, set metrics’s script timeouts occurred to 1.
Commit private aggregation contributions given paContributions, winner’s reporting id and reportingContext.
Set leadingBidInfo’s buyer reporting result to a reporting result with the following items:

report url

resultUrl

reporting beacon map

reportingBeaconMap

reporting macro map

reportingMacroMap

To parse and validate server response given an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, a global object global, a list of interest groups bidIgs, and a reporting context map reportingContextMap, perform the following steps. They return a leading bid info or a failure.

Assert that these steps are running in parallel.
If waiting until server response promise resolves given auctionConfig returns failure, then return failure.
Let requestId be the value of auctionConfig’s server response id.
Let requestContexts be the value of global’s associated Document’s node navigable’s traversable navigable’s saved Bidding and Auction request context.
If requestContexts[(seller,requestId)] does not exist, return null.
Let requestContext be requestContexts[(seller,requestId)].
Let response be the server auction response which is the result of deserializing auctionConfig’s server response with requestContext according to Section 2.3.5 of the Bidding and Auction Services IETF standard.
If response’s nonce exists:
1. Let capturedAuctionNonceHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured ad auction result nonce headers.
2. Let seller be auctionConfig’s seller.
3. If capturedAuctionNonceHeaders[seller] does not exist or does not contain the ASCII lowercase string representation of response’s nonce, then return failure.
Otherwise:
1. Let hash be the SHA-256 of auctionConfig’s server response.
2. Let capturedAuctionResultHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured ad auction result headers.
3. Let seller be auctionConfig’s seller.
4. If capturedAuctionResultHeaders[seller] does not exist or does not contain hash, then return failure.
If response is failure, then return failure.
If response’s top level seller is not null:
1. If topLevelAuctionConfig is null return failure.
2. If topLevelAuctionConfig’s seller is not equal to response’s top level seller, return failure.
Otherwise if topLevelAuctionConfig is not null, return failure.
Let kAnonWinningGroup be the interest group in the user agent’s interest group set whose owner is response’s interest group owner and name is response’s interest group name. Return failure if none found.
If kAnonWinningGroup’s ads is null, then return failure.
Let kAnonWinningAd be null.
For each ad of kAnonWinningGroup’s ads:
1. If response’s ad render url is ad’s render url, then set kAnonWinningAd to ad, and break.
Return failure if any of the following conditions hold:
- kAnonWinningAd is null;
- response’s buyer and seller reporting id is not null and not kAnonWinningAd’s buyer and seller reporting ID;
- response’s buyer reporting id is not null and not kAnonWinningAd’s buyer reporting ID;
- response’s selected buyer and seller reporting ID is not null, kAnonWinningAd’s selectable buyer and seller reporting IDs is null.
- response’s selected buyer and seller reporting ID is not null, kAnonWinningAd’s selectable buyer and seller reporting IDs is not null and it does not contain response’s selected buyer and seller reporting ID.
If response’s winner join candidates is not null:
1. If response’s winner join candidates’s ad render url hash is not equal to the result of running compute the key hash of ad on kAnonWinningGroup and kAnonWinningAd, return failure.
2. If response’s winner join candidates’s reporting id hash is not equal to the result of running compute the key hash of reporting ID on kAnonWinningGroup, kAnonWinningAd, and response’s selected buyer and seller reporting id, return failure.
Let kAnonWinningAdDescriptor be a new ad descriptor whose url is response’s ad render url.
Let kAnonWinningAdComponents be a new list of ad descriptors.
For each componentAd in response’s ad components:
1. Let ad be the interest group ad from kAnonWinningGroup’s ad components where the render url equals componentAd. If there is no matching element, return failure.
2. If response’s winner join candidates is not null and response’s winner join candidates’s ad component render url hashes does not contain the result from compute the key hash of component ad on ad, then return failure.
3. Append a new ad descriptor whose url is componentAd to kAnonWinningAdComponents.
Let bidDebugReportingInfo be a new bid debug reporting info.
For each key → maybeDebugReportUrl in response’s component win debugging only reports:
1. If maybeDebugReportUrl’s scheme is not "https", then continue.
2. If key’s from seller is true:
  1. Set bidDebugReportingInfo’s component seller to seller.
  2. If key’s is debug win is true, then set bidDebugReportingInfo’s seller debug win report url to maybeDebugReportUrl.
  3. Otherwise, set bidDebugReportingInfo’s seller debug loss report url to maybeDebugReportUrl.
3. Otherwise,
  1. Set bidDebugReportingInfo’s interest group owner to response’s interest group owner.
  2. If key’s is debug win is true, then set bidDebugReportingInfo’s bidder debug win report url to maybeDebugReportUrl.
  3. Otherwise, set bidDebugReportingInfo’s bidder debug loss report url to maybeDebugReportUrl.
Set bidDebugReportingInfo’s server filtered debugging only reports to response’s server filtered debugging only reports.
Let reportingContext be reportingContextMap[auctionConfig].
Set reportingContext’s debug reporting info to bidDebugReportingInfo.
Let reportingId be a reporting bid key with the following items:

context

reportingContext

source

bidding-and-auction-services

bidder origin

response’s interest group owner

bid identifier

response’s interest group name
Handle server response private aggregation fields given response, requestContext and reportingId.
Let kAnonWinningBid be a new generated bid with the following items:

reporting id

reportingId

bid

response’s bid

bid in seller currency

Null

ad

response’s ad metadata

ad descriptor

kAnonWinningAdDescriptor

ad component descriptors

kAnonWinningAdComponents

ad cost

Null

modeling signals

Null

interest group

kAnonWinningGroup

bid ad

kAnonWinningAd

modified bid

Null if topLevelAuctionConfig is null, otherwise response’s bid

bid duration

0

component seller

Null
Let buyerReportingResult be a new reporting result with the following items:

report url

The value of response’s buyer reporting’s reporting url.

reporting beacon map

The value of response’s buyer reporting’s beacon urls.
Let sellerReportingResult be a new reporting result with the following items:

report url

The value of response’s top level seller reporting’s reporting url.

reporting beacon map

The value of response’s top level seller reporting’s beacon urls.
Let componentSellerReportingResult be a new reporting result with the following items:

report url

The value of response’s component seller reporting’s reporting url.

reporting beacon map

The value of response’s component seller reporting’s beacon urls.
Let kAnonWinningScore be 0.0 if response’s score is null, response’s score otherwise.
If response’s ghost winner is not null:
1. Let nonKAnonWinningBid be the result of running parse and validate a ghost winner on auctionConfig, reportingContextMap, and response’s ghost winner.
2. If nonKAnonWinningBid is failure, set nonKAnonWinningBid to kAnonWinningBid.
Otherwise:
1. Set nonKAnonWinningBid to kAnonWinningBid.
Let winningBidInfo be a new leading bid info with the following items:

top score

kAnonWinningScore

top non-k-anon-enforced score

0

top bids count

1

top non-k-anon-enforced bids count

1

leading bid

kAnonWinningBid

leading non-k-anon-enforced bid

nonKAnonWinningBid

auction config

auctionConfig

highest scoring other bid

Null

top level seller

Null if topLevelAuctionConfig is null, otherwise topLevelAuctionConfig’s seller.

top level seller signals

Null

component seller

Null if topLevelAuctionConfig is null, otherwise auctionConfig’s seller.

bidding data version

Null

scoring data version

Null

buyer reporting result

buyerReportingResult

seller reporting result

sellerReportingResult

component seller reporting result

componentSellerReportingResult
For each igId in response’s bidding groups:
1. Let ig be the interest group in the user agent’s interest group set whose owner is igId’s owner and name is igId’s name. Continue if none found.
2. Append ig to bidIgs.
For each igId → updateIfOlderThan of response’s update groups:
1. Let ig be the interest group in the user agent’s interest group set whose owner is igId’s owner and name is igId’s name. Continue if none found.
2. If updateIfOlderThan is less than 10 mintues, set it to 10 minutes.
3. If current coarsened wall time − ig’s last updated ≥ updateIfOlderThan, set ig’s next update after to the current coarsened wall time + updateIfOlderThan.
Return winningBidInfo.

To handle server response private aggregation fields given a server auction response response, a reporting context reportingContext, and a reporting bid key reportingId:

Assert that these steps are running in parallel.
Commit server response private aggregation contributions given response’s component win private aggregation contributions, reportingContext, and reportingId.
Commit server response private aggregation contributions given response’s server filtered private aggregation reserved contributions, reportingContext, and reportingId.
Commit server response private aggregation contributions given response’s server filtered private aggregation non reserved contributions, reportingContext, and reportingId.

To commit server response private aggregation contributions given a map from a server auction private aggregation contribution key to a list of on event contribution entries contributionsMap, a reporting context reportingContext, and a reporting bid key reportingId:

For each key → contributions of contributionsMap:
1. Let reportingOrigin be key’s reporting origin.
2. Let event be key’s event.
3. Let coordinator be key’s coordinator.
4. If coordinator is null, set coordinator to the default aggregation coordinator.
5. Let eventToContributionsMap be a new Private Aggregation contributions.
6. Let batchingScope be null.
7. If event starts with "reserved.", set batchingScope to the result of running get or create a batching scope given reportingOrigin, coordinator and reportingContext.
  
  Note: Each non-reserved event will have a different batching scope that is created later.
8. For each contribution of contributions:
  1. Assert contribution["bucket"] is a bigint and is contained in the range 0 to 2¹²⁸, exclusive.
  2. Assert contribution["value"] is a long.
    
    Note: All bucket and value have been calculated on server side already.
  3. Let entry be a new on event contribution entry with the items:
    
    contribution
    
    contribution
    
    batching scope
    
    batchingScope
    
    debug scope
    
    A new debug scope.
    
    worklet function
    
    "generate-bid" (it does not matter for server returned contributions)
    
    origin
    
    reportingOrigin
  4. If eventToContributionsMap[event] does not exist, set eventToContributionsMap[event] to « entry ».
  5. Otherwise, append entry to eventToContributionsMap[event].
Commit private aggregation contributions given eventToContributionsMap, reportingId and reportingContext.

To parse and validate a ghost winner given an auction config auctionConfig, a reporting context map reportingContextMap, and a server auction ghost winner ghostWinner, perform the following steps. They return either a generated bid or a failure.

Let nonKAnonWinningGroup be the interest group in the user agent’s interest group set whose owner is ghostWinner’s interest group owner and name is ghostWinner’s interest group name. Return failure if none found.
If nonKAnonWinningGroup’s ads is null, then return failure.
Let nonKAnonWinningAd be null.
For each ad of nonKAnonWinningGroup’s ads:
1. If ghostWinner’s candidates’s ad render url hash is equal to the result of running compute the key hash of ad on nonKAnonWinningGroup and ad:
  1. Set nonKAnonWinningAd to ad.
  2. Break.
If nonKAnonWinningAd is null, return failure.
Let nonKAnonWinningAdDescriptor be a new ad descriptor whose url is nonKAnonWinningAd’s render url.
Let nonKAnonWinningAdComponents be a new list of ad descriptors.
For each componentAdHash in ghostWinner’s candidates’s [server auction join candidate/ad component render url hashes=]:
1. Let matchingAd be null.
2. For each componentAd in nonKAnonWinningGroup’s ad components:
  1. If componentAdHash equals the result of running compute the key hash of component ad on componentAd:
    1. Set matchingAd to componentAd.
    2. Break.
3. If matchingAd is null, return failure.
4. Append a new ad descriptor whose url is matchingAd’s render url to nonKAnonWinningAdComponents.
Let selectedBuyerAndSellerReportingId be null.
If ghostWinner’s candidates’s reporting id hash is not equal to the result of running compute the key hash of reporting ID on nonKAnonWinningGroup, nonKAnonWinningAd, and null:
1. For each selectedReportingId in nonKAnonWinningAd’s selectable buyer and seller reporting IDs:
  1. If ghostWinner’s candidates’s reporting id hash is equal to the result of running compute the key hash of reporting ID on nonKAnonWinningGroup, nonKAnonWinningAd, and selectedReportingId:
    1. Set selectedBuyerAndSellerReportingId to selectedReportingId.
    2. Break.
2. If selectedBuyerAndSellerReportingId is null, return failure.
Let reportingId be a reporting bid key with the following items:

context

reportingContextMap[auctionConfig]

source

bidding-and-auction-services

bidder origin

ghostWinner’s interest group owner

bid identifier

ghostWinner’s interest group name
Set reportingContextMap[auctionConfig]'s debug reporting info to a new bid debug reporting info.
Let bid be 0.
Let adMetadata be null.
If ghostWinner’s ghost winner bid info is not null:
1. If nonKAnonWinningAd’s render url is not equal to ghostWinner’s ghost winner bid info’s ad render url, return failure.
2. If the size of nonKAnonWinningAdComponents is not equal to the size of ghostWinner’s ghost winner bid info’s ad components, return failure.
3. For each idx in get the indices of nonKAnonWinningAdComponents:
  1. If nonKAnonWinningAdComponents[idx]'s render url is not equal to ghostWinner’s ghost winner bid info’s ad components[idx], return failure.
4. Set bid to ghostWinner’s ghost winner bid info’s modified bid.
5. Set adMetadata’s ghostWinner’s ghost winner bid info’s ad metadata.
6. If nonKAnonWinningAd’s buyer reporting id is not equal to ghostWinner’s ghost winner bid info’s buyer reporting id, return failure.
7. If nonKAnonWinningAd’s buyer and seller reporting id is not equal to ghostWinner’s ghost winner bid info’s buyer and seller reporting id, return failure.
8. If nonKAnonWinningAd’s selectable buyer and seller reporting IDs is null and ghostWinner’s ghost winner bid info’s selected buyer and seller reporting id is not null, return failure.
9. If nonKAnonWinningAd’s selectable buyer and seller reporting IDs is not null and does not contain ghostWinner’s ghost winner bid info’s selected buyer and seller reporting id, return failure.
Let nonKAnonWinningBid be a new generated bid with the following items:

reporting id

reportingId

bid

bid

bid in seller currency

Null

ad

adMetadata

ad descriptor

nonKAnonWinningAdDescriptor

ad component descriptors

nonKAnonWinningAdComponents

ad cost

Null

modeling signals

Null

interest group

nonKAnonWinningGroup

bid ad

nonKAnonWinningAd

modified bid

Null

bid duration

0

component seller

Null
Return nonKAnonWinningBid.

4.2. canLoadAdAuctionFencedFrame()

This first introductory paragraph is non-normative.

The process of running an ad auction through navigator.runAdAuction() is an expensive operation. To prevent wasted cycles if the resulting ad cannot be loaded in the current context, navigator.canLoadAdAuctionFencedFrame() is provided as a method to determine, before the ad auction begins, whether an ad auction-created fencedframe is allowed to be loaded in the current context. A fencedframe has restrictions on where and how it can be loaded that do not exist with iframes.

[SecureContext]
partial interface Navigator {
  boolean canLoadAdAuctionFencedFrame();
};

The canLoadAdAuctionFencedFrame() method steps are:

Let global be this’s relevant global object.
If global’s browsing context’s required CSP is not null, then return false.

Note: CSPEE lets arbitrary data flow from an embedder into a fencedframe via the policies it sets. Since this goes against the privacy guarantees of a Protected Audience-created fencedframe, this is disallowed.
Let CSPList be this’s relevant settings object’s policy container’s CSP list.
For each policy of CSPList:
1. For each directive of policy’s directive set:
  1. If directive’s name is either "fenced-frame-src", "frame-src", "child-src", or "default-src", and if directive’s value does not contain any of "https:", "https://*:*", or "*", then return false.
Let sandboxFlags be global’s associated Document’s active sandboxing flag set.
If the intersection of sandboxFlags and TBD is not empty, then return false.

TODO: Get the mandatory unsandboxed sandboxing flag set once it exists in the fenced frame spec. This will then determine the intersection between that and the sandboxFlags. (WICG/turtledove#1206)
Return true.

4.3. getInterestGroupAdAuctionData()

This first introductory paragraph is non-normative.

When a website or someone working on behalf of the website (e.g. a supply side platform, SSP) wants to conduct an auction using a trusted auction server to select an advertisement to display to the user, they can call the navigator.getInterestGroupAdAuctionData() function. This function returns an opaque Uint8Array as the request and a request ID string. The request can be sent to a trusted auction server through the JS [FETCH] API, which returns a response. The response along with the request ID can be then passed as part of an auction configuration to navigator.runAdAuction() to extract the results of the auction.

[SecureContext]
partial interface Navigator {
  Promise<AdAuctionData> getInterestGroupAdAuctionData(optional AdAuctionDataConfig config = {});
};

dictionary AdAuctionPerSellerData {
  required USVString seller;
  Uint8Array request;
  DOMString error;
};

dictionary AdAuctionData {
  required USVString requestId;
  Uint8Array request;
  sequence<AdAuctionPerSellerData> requests;
};

dictionary AdAuctionOneSeller {
  required USVString seller;
  USVString coordinatorOrigin;
};

dictionary AdAuctionDataConfig {
  USVString seller;
  USVString coordinatorOrigin;
  sequence<AdAuctionOneSeller> sellers;

  unsigned long requestSize;
  record<USVString, AdAuctionDataBuyerConfig> perBuyerConfig;
};

seller: The seller that will be used as the seller in the following AuctionAdConfig passed to navigator.runAdAuction(). Can not be specified with the sellers field. Exactly one of seller and sellers must be specified.
coordinatorOrigin: The origin of the coordinator hosting public encryption keys for the server running the ad auction. The scheme must be "https". An implementation may select which coordinators are acceptable. Can not be specified with the sellers field.
sellers: A list of seller origins and, optionally, their corresponding coordinators. When present, the AdAuctionData provided when the Promise returned by getInterestGroupAdAuctionData resolves contains the requests field instead of the request field. Can not be specified with the seller or coordinatorOrigin fields. Exactly one of seller and sellers must be specified.
requestSize: The desired size for the returned request. If any buyers are specified in perBuyerConfig, this will be the exact size of the returned request. Otherwise the returned request’s size will be at most the requestSize.
perBuyerConfig: Keys are serialized origins of buyers that should be included in the returned request. Values are AdAuctionDataBuyerConfig for that buyer.

dictionary AdAuctionDataBuyerConfig {
  unsigned long targetSize;
};

targetSize: The size of the request to allocate for this buyer. Required when AdAuctionDataConfig’s requestSize is not specified.

A server auction is an auction executed on a trusted auction server.

A server auction interest group is a struct with the following items:

name: A string that uniquely defines each interest group, as in name.
bidding signals keys: Null or a list of string, as in trusted bidding signals keys
user bidding signals: Null or a string, as in user bidding signals
ads: A list of strings containing the corresponding ad render IDs from the ads field.
components: A list of strings containing the corresponding ad render IDs from the ad components field.
browser signals: A server auction browser signals.
priority: A double. Used to select which interest groups for a given buyer are excluded from the serialized request due to space limitations.

A server auction browser signals is a struct with the following items:

bid count: A count of the number of bids for this interest group in the last 30 days. Calculated by summing the bid counts for all days within the last 30 days.
join count: A count of the number of joins for this interest group in the last 30 days. Calculated by summing the join counts.
recency ms: A duration, in milliseconds, representing the current coarsened wall time at the time this object was constructed minus the corresponding interest group’s join time, in milliseconds.
previous wins: A sequence<server auction previous win>

A server auction previous win is a struct with the following items:

time delta: A duration, in milliseconds, representing the current coarsened wall time at the time this object was constructed minus the corresponding previous win’s time, in seconds.
ad render ID: A string containing the ad render ID for the ad represented by this entry.

A server auction request context is a struct with the following items:

request ID: A unique identifier associated with this and only this invocation of navigator.getInterestGroupAdAuctionData(). This is used to look-up a specific request context.
request context: An opaque context used to handle the request, such as that returned from Section 2.2.4 of Bidding and Auction Services

A server auction response is a struct that contains auction result from a server auction. It has the following items:

nonce: version 4 UUID. A nonce to match against the `Ad-Auction-Result-Nonce` header in a fetch response from the seller. Used as a method of authorizing the response.
ad render url: URL. The leading bid’s ad descriptor’s url from the auction.
ad components: A list of URLs. A list of winning bid’s ad component descriptors’s urls from the auction.
interest group name: A string. The winning bid’s interest group name.
interest group owner: An origin. The winning bid’s interest group owner.
bidding groups: A list of tuples consisting of an origin owner and a string name for each interest group that bid in the auction.
update groups: A map. Its keys are tuples consisting of an origin for owner and a string for name. Its values are durations indicating the desired maximum time since the interest group was last updated.
score: Null or double. Null if the server auction is not a component auction, otherwise the desirability of component auction’s winning bid.
bid: Null or bid with currency. Null when the server auction is not a component auction. For component auctions, contains the winning bid’s modified bid when not null, otherwise the winning bid’s bid.
top level seller: Null or an origin. Null when the server auction is not a component auction. Otherwise the value is the expected top-level seller origin for that auction. This should match the seller for the top-level auction config.
ad metadata: Null or a JSON string. Null when the server auction is not a component auction. Otherwise the value contains the component auction’s winning bid’s ad.
buyer reporting id: Null or a string. When not null, this will be verified with the winning bid’s ad’s buyer reporting ID.
buyer and seller reporting id: Null or a string. When not null, this will be verified with the winning bid’s ad’s buyer and seller reporting ID.
selected buyer and seller reporting id: Null or a string, initially null. When not null, this will be verified with the winning bid’s ad’s selectable buyer and seller reporting IDs.
winner join candidate: Null or server auction join candidate. When not null, contains the k-anonymity hashes corresponding to the winning bid and indicates which k-anonymity hashes were used for k-anonymity enforcement on the server.
ghost winner: Null or server auction ghost winner. When not null, contains information about the non-k-anonymous winner of a server auction.
error: Null or string. When not null, contains an error message from the auction executed on the trusted auction server. May be used to provide additional context for the result of an auction.
buyer reporting: Server auction reporting info
top level seller reporting: Null or server auction reporting info.
component seller reporting: Null or server auction reporting info.
component win private aggregation contributions: A map whose keys are server auction private aggregation contribution keys, and whose values are lists of on event contribution entries. Private aggregation contributions from winners of component auctions run on trusted auction servers. These need to be filtered by the client based on the top level auction’s outcome.
server filtered private aggregation reserved contributions: A map whose keys are server auction private aggregation contribution keys, and whose values are lists of on event contribution entries. Server filtered private aggregation contributions with reserved event types (already set to "reserved.always"), which are not dependent on the final auction result and should always be reported.
server filtered private aggregation non reserved contributions: A map whose keys are server auction private aggregation contribution keys, and whose values are lists of on event contribution entries. Server filtered private aggregation contributions with non reserved event types, which are not dependent on the final auction result and should always be reported.
component win debugging only reports: A map whose keys are server auction debug report keys, and whose values are urls.
server filtered debugging only reports: A map whose keys are origins and whose values are lists of urls.

server auction join candidate is a struct with the following items:

ad render url hash: A SHA-256 hash of the k-anonymity key for the ad in the winning bid, as calculated using compute the key hash of ad.
ad component render url hashes: A list of SHA-256 hashes of k-anonymity keys for each of the ad components in the winning bid, as calculated using compute the key hash of component ad.
reporting id hash: A SHA-256 hash of the k-anonymity key for the reporting ID in the winning bid, as calculated using compute the key hash of reporting ID.

server auction ghost winner is a struct with the following items:

candidate: server auction join candidate associated with this winner.
interest group owner: An origin. The leading non-k-anon-enforced bid’s interest group’s owner.
interest group name: A string. The leading non-k-anon-enforced bid’s interest group’s name.
ghost winner bid info: Null or a server auction ghost winner bid info, initially null. Contains information needed for ghost winners in component auctions.

A server auction ghost winner bid info is a struct with the following items:

ad render url: A URL. The leading non-k-anon-enforced bid’s ad descriptor’s url from the auction.
ad components: A list of URLs. A list of the leading non-k-anon-enforced bid’s ad component descriptors’s urls from the server auction.
modified bid: bid with currency. Contains the leading non-k-anon-enforced bid’s modified bid when not null, otherwise the leading non-k-anon-enforced bid’s bid.
ad metadata: Null or a JSON string, initially null. Contains the component auction’s leading non-k-anon-enforced bid’s ad.
buyer reporting id: Null or a string, initially null. When not null, this will be verified with the leading non-k-anon-enforced bid’s ad’s buyer reporting ID.
buyer and seller reporting id: Null or a string, initially null. When not null, this will be verified with the leading non-k-anon-enforced bid’s ad’s buyer and seller reporting ID.
selected buyer and seller reporting id: Null or a string, initially null. When not null, this will be verified with the leading non-k-anon-enforced bid’s ad’s selectable buyer and seller reporting IDs.

A server auction reporting info is a struct with the following items:

reporting url: Null or a URL
beacon urls: ordered map whose keys are strings and whose values are URLs whose schemes are "https".

a server auction debug report key is a struct with the following items:

from seller: A boolean.
is debug win: A boolean.

a server auction private aggregation contribution key is a struct with the following items:

reporting origin: The origin of the script that contributed the contribution.
coordinator: Null or an aggregation coordinator.
event: A string.

The getInterestGroupAdAuctionData(configIDL) method steps are:

Let global be this’s relevant global object.
If global’s associated Document is not allowed to use the "run-ad-auction" policy-controlled feature, then throw a "NotAllowedError" DOMException.
Let settings be this’s relevant settings object.
Let configs be the result of running parse and verify ad auction data config on configIDL and settings’s top-level origin.
Let p be a new promise.
Let queue be the result of starting a new parallel queue.
Enqueue the following steps to queue:
1. Let igMap be a new map whose keys are origins and values are lists.
2. Let igPAggCoordinatorMap be a new map whose keys are tuples of (origins, strings) and values are origins.
3. Let startTime be a moment equal to the current coarsened wall time.
4. For each ig of the user agent’s interest group set:
  1. If ig’s ads is null or is empty, continue.
  2. Let owner be ig’s owner.
  3. Let name be ig’s name.
  4. If igMap[owner] does not exist, then set igMap[owner] to a new list.
  5. Let ads be a new list.
  6. For each ad in ig’s ads, append ad’s ad render ID to ads.
  7. Let components be a new list.
  8. For each component in ig’s ad components, append component’s ad render ID to components.
  9. Let prevWins be a new sequence<server auction previous win>.
  10. For each prevWin of ig’s previous wins for all days within the the last 30 days:
    1. Let timeDelta be startTime minus prevWin’s time.
    2. Set timeDelta to 0 if timeDelta is negative, timeDelta’s nearest second (rounding down) otherwise.
    3. Let serverPrevWin be a new server auction previous win with the following items:
      
      time delta
      
      timeDelta
      
      ad render ID
      
      the value of the ad render ID field in prevWin’s ad, or the empty string if not present
    4. Append serverPrevWin to prevWins.
  11. Let browserSignals be a new server auction browser signals with the following items:
    
    bid count
    
    the sum of ig’s bid counts with a bid day within the last 30 days
    
    join count
    
    the sum of ig’s join counts with a join day within the last 30 days
    
    recency ms
    
    the current coarsened wall time minus ig’s join time in millseconds
    
    previous wins
    
    prevWins
  12. Let serverIg be a new server auction interest group with the following items:
    
    name
    
    name
    
    bidding signals keys
    
    ig’s trusted bidding signals keys
    
    user bidding signals
    
    ig’s user bidding signals
    
    ads
    
    ads
    
    components
    
    components
    
    browser signals
    
    browserSignals
    
    priority
    
    ig’s priority
  13. Append serverIg to igMap[owner].
  14. If ig’s Private Aggregation coordinator is not null, then set igPAggCoordinatorMap[(owner, name)] to it.
5. Let results be a new list of auction data per seller results.
6. Let requestId be the string representation of a version 4 UUID.
7. For each config of configs:
  1. Let seller be config’s seller.
  2. If config’s coordinator is not one of the implementation-defined Bidding and Auction Services coordinators supported by this user agent:
    1. Let result be a new auction data per seller result with the following items:
      
      seller
      
      seller
      
      error
      
      "invalid coordinator"
    2. Append result to results.
    3. Continue.
  3. Let keyInfo be the result of looking up the server encryption key with config’s seller and seller’s coordinator.
  4. If keyInfo is failure:
    1. Let result be a new auction data per seller result with the following items:
      
      seller
      
      seller
      
      error
      
      "key lookup failed"
    2. Append result to results.
    3. Continue.
  5. Let (key, keyId) be keyInfo.
  6. Set config’s encryption key to key.
  7. Set config’s encryption key id to keyId.
  8. Let (requestBlob, context) be the result of serializing igMap with config and igPAggCoordinatorMap. The serialization method may follow that described in Section 2.2.4 of Bidding and Auction Services.
  9. Let result be a new auction data per seller result with the following items:
    
    seller
    
    seller
    
    request
    
    requestBlob
  10. Append result to results.
  11. Let requestContext be a new server auction request context.
  12. Set requestContext’s request ID field to requestId.
  13. Set requestContext’s request context field to context.
  14. Set global’s associated Document’s node navigable’s traversable navigable’s saved Bidding and Auction request context[(seller,requestId)] to requestContext.
8. Let IDLresults be a new AdAuctionData.
9. Set IDLresults["requestId"] to requestId.
10. If configIDL[seller] exists:
  1. Let sellerResult be results[0].
  2. If sellerResult’s error is not null:
    1. Queue a global task on the DOM manipulation task source, given global, to reject p with a TypeError.
    2. Abort these steps.
  3. Set IDLresults["request"] to requestBlob.
11. Otherwise:
  1. For each sellerResult in results:
    1. Let IDLresult be a new AdAuctionPerSellerData whose seller is the serialization of sellerResult’s seller.
    2. If sellerResult’s error is not null:
      1. Set IDLresult["error"] to sellerResult’s error.
      2. Append IDLresult to IDLresults["requests"].
    3. Otherwise:
      1. Set IDLresult["request"] to sellerResult’s request.
      2. Append IDLresult to IDLresults["requests"].
12. Queue a global task on the DOM manipulation task source, given global, to resolve p with IDLresults.
Return p.

To parse and verify ad auction data config given an AdAuctionDataConfig configIDL and origin top_level_origin:

Let configs be a new list of auction data configs.
Let perBuyerConfigs be the result of running parse per buyer auction data configs on configIDL["perBuyerConfig"].
Let requestSize be configIDL["requestSize"] if it exists, null otherwise.
If perBuyerConfigs is not empty and requestSize is null:
1. Set requestSize to 0.
2. For each buyerConfig of perBuyerConfigs’s values:
  1. If buyerConfig’s size is null, then throw a TypeError.
  2. Set requestSize to requestSize + buyerConfig’s size.
If configIDL["seller"] exists:
1. Let seller be the result of running parse an https origin on configIDL["seller"].
2. If configIDL["coordinatorOrigin"] exists:
  1. Let coordinator be the result of running parse an https origin on configIDL["coordinatorOrigin"].
3. Otherwise
  1. Let coordinator be the user agent’s default Bidding and Auction Services coordinator.
4. If seller or coordinator are failure, then throw a TypeError.
5. Let config be a new auction data config with the following items:
  
  publisher
  
  top_level_origin
  
  seller
  
  seller
  
  coordinator
  
  coordinator
  
  request size
  
  requestSize
  
  per buyer config
  
  perBuyerConfigs
6. Append config to configs.
Otherwise:
1. If configIDL["sellers"] does not exist, then throw a TypeError.
2. If configIDL["coordinatorOrigin"] exists, then throw a TypeError.
3. For each sellerConfig in configIDL["sellers"]:
  1. Let seller be the result of running parse an https origin on sellerConfig["seller"].
  2. If configs contains an auction data config whose seller is equal to seller, then throw a TypeError.
  3. If sellerConfig["coordinatorOrigin"] exists:
    1. Let coordinator be the result of running parse an https origin on sellerConfig["coordinatorOrigin"].
  4. Otherwise:
    1. Let coordinator be the user agent’s default Bidding and Auction Services coordinator.
  5. If seller or coordinator are failure, then throw a TypeError.
  6. Let config be a new auction data config with the following items:
    
    publisher
    
    top_level_origin
    
    seller
    
    seller
    
    coordinator
    
    coordinator
    
    request size
    
    requestSize
    
    per buyer config
    
    perBuyerConfigs
  7. Append config to configs.
Return configs.

To parse per buyer auction data configs given an AdAuctionDataBuyerConfig perBuyerConfigIDL:

Let configs be a new ordered map whose keys are origins and whose values are auction data configs.
For each buyerIDL → buyerConfigIDL of perBuyerConfigIDL:
1. Let buyerConfig be a new auction data buyer config.
2. Set buyerConfig’s size to buyerConfigIDL["targetSize"] if it exists, null otherwise.
3. Let buyer be the result of running parse an https origin on buyerIDL.
4. If buyer is failure, then throw a TypeError.
5. Set configs[buyer] to buyerConfig.
Return configs.

To look up the server encryption key given an origin origin and an origin coordinator:

Let keys be a list of (byte sequence, byte) tuples returned from looking up the HPKE public key encryption keys and their corresponding key IDs for origin specified by coordinator. The actual implementation of this lookup is implementation-defined, and may consist of fetching the keys from a known URL.
If keys is failure or keys is empty, return failure.
Return an element from keys, chosen at random.

5. Reporting

5.1. Common types and algorithms

A reporting bid source is an enum with the following possible values:

generate-bid: Bid produced by an invocation of generateBid().
additional-bid: Bid provided via the additional bids mechanism.
bidding-and-auction-services: Bid provided via Bidding and Auction Services mechanism.

A reporting bid key is a struct with the following items:

Note: This struct exists only to uniquely identify places bids came from, avoiding confusion in cases like bids made by the same interest group in different component auctions, or additional bids reusing names of regular interest groups. Implementations can likely find a more efficient way of achieving the same effect. Note that bids returned when generateBid() returns multiple items all share a key, as they share reporting information, too.

context: The reporting context corresponding to the component (or single-level) auction the bid originated in.
source: A reporting bid source describing where the bid came from.
bidder origin: The origin of the bidder.
bid identifier: A string distinguishing this source of reports from others of the same origin in the same context.

A reporting context is a struct with the following items:

debug reporting info

A map from reporting bid key to bid debug reporting info.

private aggregation batching scope map

A map from a tuple consisting of an origin (an origin) and a coordinator (an aggregation coordinator) to a batching scope.

Note: Does not include batching scopes for contributions conditional on non-reserved events.

private aggregation on event contributions

A map from a tuple of (reporting bid key, string) to a list of on event contribution entries.

private aggregation allowed

A boolean, initially false.

local leader info

A leading bid info, describing information on what, if anything, won the particular auction this reporting context is for.

winner reporting id

A reporting bid key or null, initially null. This can be null even if local leader info has a leader set, in case this context is for a component auction that lost at top-level.

bidder participants

A set of reporting bid keys, representing interest groups that got a chance to generate bids for the auction. This will be empty in top-level auctions, as the relevant state will be in the component auctions.

seller participants

A set of reporting bid keys, representing various scoreAd() executions. Note that some of these may be based on bids that started as additional bids or from component auctions run by Bidding and Auction services, and not interest groups, so this list may be quite different from bidder participants.

participant metrics

A map from a pair (origin, worklet function) to per participant metrics.

To access per-participant metrics given a reporting context reportingContext, an origin origin and worklet function workletFunction:

Let key be (origin, workletFunction).
If reportingContext’s participant metrics[key] does not exist, set it to a new per participant metrics.
Return reportingContext’s participant metrics[key].

A reporting context map is a map from auction config to reporting context.

To create a reporting context map given the auction config auctionConfig and a boolean privateAggregationAllowed:

Let reportingContextMap be a new reporting context map.
Set reportingContextMap[auctionConfig] to a new reporting context.
For each component in auctionConfig’s component auctions, set reportingContextMap[component] to a new reporting context.
For each _ → reportingContext of reportingContextMap:
1. Set reportingContext’s private aggregation allowed to privateAggregationAllowed
Return reportingContextMap.

To register bids for reporting given a list of generated bids generatedBids, interest group ig, bid debug reporting info bidDebugReportInfo, a Private Aggregation contributions paContributions, execution metrics executionMetrics and a reporting context reportingContext:

Let id be a new reporting bid key with the following items:

context

reportingContext

source

generate-bid

bidder origin

ig’s owner

bid identifier

ig’s name
Set reportingContext’s debug reporting info[id] to bidDebugReportInfo.
Let metrics be the result of access per-participant metrics given reportingContext, ig’s owner, generate-bid.
Merge samples to an averager given metrics’s code fetch time averager and executionMetrics’s code fetch time averager.
Set metrics’s script executions attempted to metrics’s participating interest group count.
If executionMetrics’s script timed out is true, increment metrics’s script timeouts occurred by 1.
Insert id into reportingContext’s bidder participants.
Commit private aggregation contributions given paContributions, id and reportingContext.
For each generatedBid of generatedBids:
1. Set generatedBid’s reporting id to id.

5.2. `forDebuggingOnly`

This first introductory paragraph is non-normative.

"generateBid()" and "scoreAd()" can call forDebuggingOnly’s reportAdAuctionWin(url) and reportAdAuctionLoss(url) methods for event-level forDebuggingOnly reports for winning and losing bids.

To collect a single forDebuggingOnly report given a URL reportUrl, an origin invokingOrigin, a boolean fromServer, and a list debugReportUrls:

Note: While the browser is experimenting with third party cookie deprecation (before they have been fully removed), the forDebuggingOnly reporting APIs supply temporary labels indicating when a particular instance would have been downsampled instead of using the following steps to downsample it.

If reportUrl is null, or the result of running is debugging only in cooldown or lockout with invokingOrigin is true, then return.
If the result of running sample a debug report with invokingOrigin and fromServer is true, then append reportUrl to debugReportUrls.

To collect forDebuggingOnly reports given a reporting context map reportingContextMap, origin seller, and leading bid info-or-null winnerInfo:

Let auctionReportInfo be a new auction report info.
Let winningBid be winnerInfo’s leading bid if winnerInfo is not null, null otherwise.
For each _ → reportingContext of reportingContextMap:
1. For each reportingId -> bidDebugReportInfo of reportingContext’s debug reporting info:
  1. Let fromServer be true if reportingId’s source is bidding-and-auction-services, false otherwise.
  2. If winningBid is not null and reportingId is equal to winningBid’s reporting id:
    1. Assert that winningBid’s reporting id is not null.
    2. Collect a single forDebuggingOnly report with bidDebugReportInfo’s bidder debug win report url, bidDebugReportInfo’s interest group owner, fromServer, and auctionReportInfo’s debug win report urls.
    3. If bidDebugReportInfo’s component seller is null:
      1. Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug win report url, seller, fromServer, and auctionReportInfo’s debug win report urls.
    4. Otherwise:
      1. Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug win report url, bidDebugReportInfo’s component seller, fromServer, and auctionReportInfo’s debug win report urls.
      2. Collect a single forDebuggingOnly report with bidDebugReportInfo’s top level seller debug win report url, seller, fromServer, and auctionReportInfo’s debug win report urls.
  3. Otherwise:
    1. Collect a single forDebuggingOnly report with bidDebugReportInfo’s bidder debug loss report url, bidDebugReportInfo’s interest group owner, fromServer, and auctionReportInfo’s debug loss report urls.
    2. If bidDebugReportInfo’s component seller is null:
      1. Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug loss report url, seller, fromServer, and auctionReportInfo’s debug loss report urls.
    3. Otherwise:
      1. Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug loss report url, bidDebugReportInfo’s component seller, fromServer, auctionReportInfo’s debug loss report urls.
      2. Collect a single forDebuggingOnly report with bidDebugReportInfo’s top level seller debug loss report url, seller, fromServer, and auctionReportInfo’s debug loss report urls.
  4. For each invokingOrigin → debugURLs of bidDebugReportInfo’s server filtered debugging only reports:
    1. If debugURLs is empty:
      1. If the result of running is debugging only in cooldown or lockout with invokingOrigin is false, then update debug report cooldown with invokingOrigin.
      2. Continue.
      Note: An entry for invokingOrigin is still needed when debugURLs is empty. It could happen when forDebuggingOnly API is called but the bidding and auction server filtered the debug report URL out with the downsampling algorithm. In this case the client still needs to know that forDebuggingOnly API was called and update its cooldown information. This is different from forDebuggingOnly API not being called by one origin, in which case the list won’t have an entry for that origin.
    2. For each url of debugURLs:
      1. Collect a single forDebuggingOnly report with url, invokingOrigin, fromServer (true), and auctionReportInfo’s debug loss report urls.
        
        Note: For server filtered ones, post auction signals were filled on the server side, so it’s fine to collect them all to debug loss report urls without the need of getting post auction signals for debug win urls.
Return auctionReportInfo.

5.2.1. Downsampling

This first introductory paragraph is non-normative.

Implementations may define their own values for the below constants based on their privacy goal, however we supply the below values as a starting point, inspired by what the initial implementation of this specification uses:

sampling rate is 1/1000, which means only sending reports with a 1/1000 chance.
lockout period is 3 years.
long cooldown rate is 1/10, which means 10% of the time putting an adtech in a long cooldown period if the adtech calls the API.
long cooldown period is 1 year.
short cooldown period is 2 weeks.

Note: More details of how these numbers are determined can be found in comments here: (WICG/turtledove#632).

The design of downsampling forDebuggingOnly reports has three main goals:

Prevent sending debug reports very often to protect user privacy:
- Only sending debug reports with a sampling rate chance;
- if a report is sent, "lock-out" all adtechs out of sending a report for lockout period;
- if an adtech calls the API, put them in a "cool-down" period where calls to the API by that given adtech are not able to send reports.
Prevent one adtech from substantially compromising a different adtech’s access to debugging information. The "cool-down" period means that any particular adtech can only cause a very small fraction of people to send debug reports and be removed from the potential debugging pool.
Prevent adtechs who accidentally (e.g. due to a bug in their code) call the API repeatedly for all users, from locking themselves out of sending any more reports for years. This is accomplished by only long cooldown rate of the time putting that adtech in a long cooldown period, and rest of the time putting that adtech in a short cooldown period.

The user agent has a debug report lockout until, which is null or a moment, and a debug report cooldown, which is null or a map whose keys are origins and values are moments at which the cool down for the origin key expires.

To is debugging only in cooldown or lockout given an origin origin:

If user agent’s debug report lockout until is not null, and current coarsened wall time is less than user agent’s debug report lockout until, return true.
If user agent’s debug report cooldown is null, then return false.
If user agent’s debug report cooldown[origin] exists and current coarsened wall time is less than user agent’s debug report cooldown[origin], then return true.
Return false.

To sample a debug report given an origin origin and a boolean fromServer:

Note: forDebuggingOnly reports from server auction response were downsampled on trusted auction servers, so do not downsample them again on client.

Let canSendAfterSampled be false.
Let sampleRand be a random long, 0 ≤ sampleRand < 1000, so each possible long would be chosen with a probability equal to sampling rate.
If fromServer is true or sampleRand is 0:
1. Set canSendAfterSampled to true.
2. Set user agent’s debug report lockout until to current coarsened wall time plus lockout period.
Update debug report cooldown with origin.
Return canSendAfterSampled.

To update debug report cooldown given an origin origin:

Let cooldownRand be a random long ≥ 0 and < 10, which corresponds to long cooldown rate.
Let cooldownPeriod be long cooldown period if cooldownRand is 0, short cooldown period otherwise.
Set user agent’s debug report cooldown[origin] to current coarsened wall time plus cooldownPeriod.

5.3. `realTimeReporting`

This first introductory paragraph is non-normative.

The goal of real-time reporting is to get auction monitoring data to the buyer and seller as quickly as possible (e.g. < 5 mins). The primary use-case is rapid error detection i.e. detecting quickly whether there are major problems with unexpected behavior in generateBid(), scoreAd(), or fetching of bidding or scoring scripts or trusted signals.

Initial implementation of this specification defines

number of user buckets is 1024, which means buckets 0 to 1023 are supported by realTimeReporting API.
number of platform buckets is 4, which are buckets for errors that are not visible in either scoreAd() or generateBid().

Each real time report is a CBOR message using the following data structure:

{
  "version": 1,
  "histogram": {
    "buckets": [5, 32, 0, 1, ..., 129],  // 128 elements.
    "length": 1024    // 1024 buckets before bit packing.
  },
  "platformHistogram": {
    "buckets": [192],
    "length": 4  // 4 buckets before bit packing.
  }
}

To sample real time contributions given a list of real time reporting contributions contributions, perform the following steps. They return an integer or null:

If contributions is empty, then return null.
Let priorityWeightSum be 0.
For each contribution of contributions:
1. Increment priorityWeightSum by contribution’s priority weight.
Let sampleRand be a random double, 0 ≤ sampleRand < 1.
Set sampleRand to sampleRand multiplied by priorityWeightSum.
Set priorityWeightSum to 0.
Let selectedBucket be -1.
For each contribution of contributions:
1. Increment priorityWeightSum by contribution’s priority weight.
2. If priorityWeightSum ≥ sampleRand, then set selectedBucket to contribution’s bucket, and break;
Assert selectedBucket is not -1.
Return selectedBucket.

To bit pack a list of booleans input:

Let inputSize be input’s size.
Let packed be a new list of bytes.
Let currentByte be 0.
Let numBits be 0.
For each i in the range from 0 to inputSize, exclusive:
1. Set currentByte to currentByte * 2 + input[i].
2. Increment numBits by 1.
3. If numBits is 8, then:
  1. Append currentByte to packed.
  2. Set currentByte to 0 and numBits to 0.
4. Otherwise if i is inputSize - 1, then:
  1. While numBits < 8:
    1. Set currentByte to currentByte * 2.
    2. Increment numBits by 1.
  2. Append currentByte to packed.
Assert that packed’s size is (inputSize + 7) / 8.0.
Return packed.

To send a real time report given a URL url, a list of booleans histogram, and an environment settings object settings:

Let totalBuckets be the sum of number of user buckets and number of platform buckets.
Assert histogram’s size is totalBuckets.
Let userHistogram and platformHistogram be new lists of booleans.
For each i in the range 0 to totalBuckets, exclusive:
1. If i < userHistogram, then append histogram[i] to userHistogram.
2. Otherwise, append histogram[i] to platformHistogram.
Let body be a new ordered map of the following entries:

"version"

1

"histogram"

a new ordered map of the following entries:

"buckets"

the result of bit packing with userHistogram

"length"

number of user buckets

"platformHistogram"

a new ordered map of the following entries:

"buckets"

the result of bit packing with platformHistogram

"length"

number of platform buckets
Let request be a new request with the following properties:

URL

url

header list

«Content-Type: application/cbor»

method

POST

body

the byte sequence resulting from CBOR encoding body

client

null

origin

settings’s origin

mode

"no-cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

"none"

policy container

A new policy container whose IP address space is settings’s policy container’s IP address space

Stop using "no-cors" mode where possible (WICG/turtledove#667).
Fetch request with useParallelQueue set to true.

To send real time reports given a real time reporting contributions map contributionsMap and an environment settings object settings:

For each origin → contributions of contributionsMap:
1. Let maybeBucket be the result of sampling real time contributions with contributions.
2. Let histogram be the result of applying RAPPOR noise with maybeBucket.
3. Let reportUrl be a new URL with the following items:
  
  scheme
  
  origin’s scheme
  
  host
  
  origin’s host
  
  port
  
  origin’s port
  
  path
  
  « ".well-known", "interest-group", "real-time-report" »
4. Send a real time report with reportUrl, histogram and settings.
  
  TODO: Spec rate limiting. (WICG/turtledove#1215)

5.3.1. Platform contribution

This first introductory paragraph is non-normative.

There are some errors not visible in either scoreAd() or generateBid(), like failures to fetch the bidding or scoring script, trusted bidding or scoring signals. Certain buckets are used for these errors.

The initial implementation supports four platform contribution buckets starting from number of user buckets:

bidding script failure bucket: number of user buckets
scoring script failure bucket: number of user buckets plus 1
trusted bidding signals failure bucket: number of user buckets plus 2
trusted scoring signals failure bucket: number of user buckets plus 3

Platform contributions have a hardcoded platform contribution priority weight. The initial implementation uses a value of 1.

To add a platform contribution given a long bucket, a real time reporting contributions map realTimeContributionsMap, and an origin origin:

Assert bucket is one of platform contribution buckets.
Let contribution be a new real time reporting contribution with the following items:

bucket

bucket

priority weight

platform contribution priority weight
Insert entries to map given realTimeContributionsMap, origin, and « contribution » .

5.3.2. Apply noise (RAPPOR)

This first introductory paragraph is non-normative.

Basic RAPPOR noises each coordinate of the bit vector independently, and it is parameterized by epsilon, a measure of privacy loss. The initial implementation uses an epsilon value of 1, yielding a flipping probability of ~0.378.

To apply RAPPOR noise given an integer-or-null maybeBucket:

Let totalBuckets be the sum of number of user buckets and number of platform buckets.
Let histogram be a new list of booleans, whose size is totalBuckets.
If maybeBucket is not null:
1. Assert 0 ≤ maybeBucket < totalBuckets.
2. Set histogram[maybeBucket] to true.
Let f be 2.0/(1+e^epsilon/2.0).
For each i in the range from 0 to totalBuckets, exclusive:
1. Let rand be a random double, 0 ≤ rand < 1
2. If rand < f / 2.0, then:
  1. Let flipped be false if histogram[i] is true, otherwise true.
  2. Set histogram[i] to flipped.
Return histogram.

5.4. `privateAggregation`

This first introductory paragraph is non-normative.

For metrics that can be interpreted as histograms aggregated over the entire population, Protected Audience provides integration with the Private Aggregation API. In addition to its contributeToHistogram(contribution) method, the API is extended with contributeToHistogramOnEvent(event, contribution) which permits histogram contributions to be conditional and to incorporate values not accessible to the running script, like values of auction winning bids and various performance metrics.

5.4.1. Signal base value

A signal base value is one of the following:

"winning-bid"

The numeric value is the bid value of the winning bid.

"highest-scoring-other-bid"

The numeric value is the bid value of the highest scoring bid that did not win.

"script-run-time"

The numeric value is the number of milliseconds of CPU time the calling function (e.g. generateBid()) took to run.

"signals-fetch-time"

The numeric value is the number of milliseconds it took for the trusted bidding or scoring signals fetch to complete, when called from generateBid() or scoreAd(), respectively. In other functions it evaluates to 0.

"bid-reject-reason"

The numeric value is an integer representing the reason a bid was rejected.

Note: this mapping to an integer is defined in determine a signal’s numeric value.

"average-code-fetch-time"

The numeric value is the average time it took to fetch code resources (JavaScript or WebAssembly) for this particular worklet function, for this participant.

"participating-ig-count"

The numeric value is the number of interest groups for the buyer actually participating in the auction, after considering prioritization and capabilities. Interest groups included in this might not actually get to bid if the cumulative timeout expires, or the script fails to load, etc; or might decide not to bid, but they would have gotten a chance if nothing went wrong.

"percent-scripts-timeout"

The numeric value is percentage of executions of this script that hit their individual timeout, out of all executions that were expected to happen.

"regular-igs-count"

Number of regular interest groups for the given buyer. (0 if this is used by a seller).

"percent-regular-ig-count-quota-used"

Ratio of number of regular interest groups for the given buyer and Max regular interest groups per owner expressed as a percentage, capped to 110.

"negative-igs-count"

Number of negative interest groups for the given buyer. (0 if this is used by a seller).

"percent-negative-ig-count-quota-used"

Ratio of number of negative interest groups for the given buyer and Max negative interest groups per owner expressed as a percentage, capped to 110.

"ig-storage-used"

Bytes of storage used by the given buyer. (0 if this is used by a seller).

"percent-ig-storage-quota-used"

Percentage of max interest groups total size per owner used by the given buyer, capped to 110.

"cumulative-buyer-time"

Time spent by the buyer from their cumulative buyer timeout limit; if the limit has been exceeded returns the limit + 1000; if this is used by a seller, or no cumulative buyer timeout is configured, returns 0.

"percent-igs-cumulative-timeout"

Percentage of participating interest groups that did not get a chance to actually bid in the auction due to a cumulative buyer timeout occurring.

5.4.2. On event contribution entry

An on event contribution entry is a struct with the following items:

contribution: A PAExtendedHistogramContribution
batching scope: A batching scope or null
debug scope: A debug scope
debug details: A debug details or null (default null)
worklet function: A worklet function.
origin: The origin of the script that contributed the entry.

5.4.3. Worklet function

A worklet function is one of the following:

"generate-bid": The generateBid() function.
"score-ad": The scoreAd() function.
"report-result": The reportResult() function.
"report-win": The reportWin() function, or reportAdditionalBidWin() for additional bids.

To find corresponding bid and score phase function given a worklet function fn:

1.Switch on fn:

generate-bid: Return generate-bid.
score-ad: Return score-ad.
report-result: Return score-ad.
report-win: Return generate-bid.

5.4.4. Averager

An averager is a a struct with the following items:

count: A long, initially 0.
sum: A double, initially 0.

To add a sample to an averager given an averager averager, a double sample:

Increment averager’s count by 1.
Increment averager’s sum by sample.

To merge samples to an averager given averagers dest and source:

Set dest’s count to dest’s count + source’s count.
Set dest’s sum to dest’s sum + source’s sum.

To get the value to report from an averager given an averager averager:

If averager’s count is 0, return 0.
Return averager’s sum / count.

5.4.5. Metrics structures

An execution metrics is a struct with the following items, representing metrics collected from a single execution of a worklet function:

code fetch time averager: An averager.
script timed out: A boolean, initially false. This refers to the script hitting its own time out, and does not include the cumulative timeout affecting buyers.

A per participant metrics is a struct with the following items, representing metrics aggregated over a particular participant (e.g. bidder or seller). It has:

participating interest group count: A long, initially 0. See "participating-ig-count".
code fetch time averager: An averager. Used to compute "average-code-fetch-time".
script timeouts occurred: A long, initially 0. Used to compute "percent-scripts-timeout".
cumulative timeouts occurred: A long, initially 0. Number of interest groups affected by the cumulative timeout happening. Used to compute "percent-igs-cumulative-timeout".
cumulative buyer time: A duration in milliseconds, initially 0. See "cumulative-buyer-time".
script executions attempted: A long, initially 0. The denominator for computation of some percentage metrics, such as "percent-scripts-timeout" and "percent-igs-cumulative-timeout".
regular interest group count: A long, initially 0. See "regular-igs-count" and "percent-regular-ig-count-quota-used".
negative interest group count: A long, initially 0. See "negative-igs-count" and "percent-negative-ig-count-quota-used".
storage quota used: A long, initially 0. See "ig-storage-used" and "percent-ig-storage-quota-used".

5.4.6. Private Aggregation contributions

Private Aggregation contributions is a map from string to a list of on event contribution entries.

5.4.7. Algorithms

To prepare for private aggregation given a InterestGroupScriptRunnerGlobalScope global, a worklet function workletFunction, a reporting context reportingContext, and origins origin and aggregationCoordinator:

Let debugScope be a new debug scope.
Set global’s worklet function to workletFunction.
Set global’s origin to origin.
Set global’s private aggregation to a new PrivateAggregation with the following items:
allowed to use

reportingContext’s private aggregation allowed.

scoping details
a new scoping details with the items:
get batching scope steps
An algorithm that performs the following steps:

If aggregationCoordinator is null, set aggregationCoordinator to the default aggregation coordinator.

Return the result of running get or create a batching scope given origin, aggregationCoordinator and reportingContext.
get debug scope steps

An algorithm that returns debugScope.
should perform default contributeToHistogramOnEvent() processing

The algorithm determine whether to perform default contributeToHistogramOnEvent() processing.

To finalize private aggregation debug info given a InterestGroupScriptRunnerGlobalScope global:

Let debugScope be the result of running global’s privateAggregation’s scoping details’s get debug scope steps.
Let debugDetails be the result of get a debug details given debugScope.
Let onEventContributionMap be global’s on event contribution map.
For each event → entries of onEventContributionMap:
1. For each onEventEntry of entries:
  1. If onEventEntry’s debug scope is debugScope, set onEventEntry’s debug details to debugDetails.
Mark a debug scope complete given debugScope.

To extract private aggregation contributions given a InterestGroupScriptRunnerGlobalScope global:

Return global’s on event contribution map.

TODO: regular histograms need to work the same way, too, so they get discarded for k-anon runs; this method exists as an abstraction to help add that.

To commit private aggregation contributions given a Private Aggregation contributions onEventMap, a reporting bid key bidKey, and a reporting context reportingContext:

For each event → contributions of onEventMap:
1. Let key be (bidKey, event).
2. If reportingContext’s private aggregation on event contributions[key] does not exist, set it to a new list.
3. Extend reportingContext’s private aggregation on event contributions[key] with contributions.

To get or create a batching scope given an origin origin, an aggregation coordinator aggregationCoordinator and a reporting context reportingContext, perform the following steps. They return a batching scope.

Let batchingScopeMap be reportingContext’s private aggregation batching scope map.
Let tuple be (origin, aggregationCoordinator).
If batchingScopeMap[tuple] does not exist:
1. Set batchingScopeMap[tuple] to a new batching scope.
2. If aggregationCoordinator is not null, set the aggregation coordinator for a batching scope given aggregationCoordinator and batchingScopeMap[tuple].
Return batchingScopeMap[tuple].

To determine whether to perform default contributeToHistogramOnEvent() processing given a PrivateAggregation this, a DOMString event and a map (with DOMString keys) contribution, perform the following steps. They return a boolean (only false) or an exception.

Let global be this’s relevant global object.
Let function be global’s worklet function.
Let origin be global’s origin.
If this’s allowed to use is false, return a TypeError.
Set contribution to the result of converting contribution’s JavaScript value to the IDL type PAExtendedHistogramContribution, catching any exception that is thrown. If an exception is caught, return it.

Note: This returns a TypeError if contribution is not compatible.
Let scopingDetails be this’s scoping details
If event starts with "reserved." and « "reserved.always", "reserved.loss", "reserved.win", "reserved.once" » does not contain event, return false.

Note: No error is thrown to allow forward compatibility if additional reserved event types are added later.
If event is "reserved.once" and function is report-result or report-win, return a TypeError.
Let bucket be contribution["bucket"].
If bucket is a PASignalValue:
1. If bucket["baseValue"] is not a valid signal base value, return a TypeError.
2. If bucket["offset"] is not a bigint, return a TypeError.
Otherwise, if contribution["bucket"] is not contained in the range 0 to 2¹²⁸, exclusive, return a TypeError.

Make the error type consistent with contributeToHistogram(contribution).
Let value be contribution["value"].
If value is a PASignalValue:
1. If value["baseValue"] is not a valid signal base value, return a TypeError.
2. If value["offset"] is a bigint, return a TypeError.
Otherwise, if contribution["value"] is negative, return a TypeError.
If contribution["filteringId"] is not contained in the range 0 to 256^{default filtering ID max bytes}, exclusive, return a TypeError.

Make the error types on validation issues here and above consistent with contributeToHistogram(contribution).

Note: It is not currently possible to set a non-default filtering ID max bytes for Protected Audience.
If event does not start with "reserved.", and function is score-ad or report-result, return false.
Let batchingScope be null.
If event starts with "reserved.", set batchingScope to the result of running scopingDetails’ get batching scope steps.

Note: Each non-reserved event will have a different batching scope that is created later.
Let entry be a new on event contribution entry with the items:

contribution

contribution

batching scope

batchingScope

debug scope

The result of running scopingDetails’ get debug scope steps.

worklet function

function

origin

origin
Let onEventContributionMap be global’s on event contribution map.
If onEventContributionMap[event] does not exist, set onEventContributionMap[event] to a new list.
Append entry to onEventContributionMap[event].
Return false.

Note: This algorithm never returns true as the default processing is never used.

To process the Private Aggregation contributions given an auction config auctionConfig and a reporting context map reportingContextMap:

Process the Private Aggregation contributions for an auction given auctionConfig, reportingContextMap[auctionConfig].
For each componentAuction in auctionConfig’s component auctions:
1. Process the Private Aggregation contributions for an auction given componentAuction, reportingContextMap[componentAuction].

To process the Private Aggregation contributions for an auction given an auction config auctionConfig and a reporting context reportingContext:

If auctionConfig’s aborted is true, return.
Let winnerId be reportingContext’s winner reporting id
Let leadingBidInfo be reportingContext’s local leader info.
Let bidderOnceRep be null.
If reportingContext’s bidder participants is not empty, set bidderOnceRep to a random item of bidder participants.
Let sellerOnceRep be null.
If reportingContext’s seller participants is not empty, set sellerOnceRep to a random item of seller participants.
For each (bidId, event) → contributions of reportingContext’s private aggregation on event contributions:
1. For each onEventEntry of contributions:
  1. Continue if any of the following conditions hold:
    - event is "reserved.win" and bidId is not winnerId;
    - event does not start with "reserved." and bidId is not winnerId;
    - event is "reserved.loss" and bidId is winnerId.
  2. If event is "reserved.once":
    1. If onEventEntry’s worklet function is generate-bid:
      1. If bidId ≠ bidderOnceRep, continue.
    2. Otherwise:
      1. If bidId ≠ sellerOnceRep, continue.
  3. Let filledInContribution be the result of filling in the contribution given reportingContext, onEventEntry and leadingBidInfo.
    
    Once WICG/turtledove#627 is resolved, align 'filling in' logic with forDebuggingOnly.
  4. If event does not start with "reserved.":
    1. Store event, filledInContribution, onEventEntry’s debug details in the FencedFrameConfig as appropriate.
    Note: Each non-reserved event will have a different batching scope.
    
    Once WICG/turtledove#616 and any successors are landed, align integration and fill in fenced frame’s report a private aggregation event.
  5. Otherwise:
    1. Let entry be a new contribution cache entry with the items:
      
      contribution
      
      filledInContribution
      
      batching scope
      
      onEventEntry’s batching scope
      
      debug scope
      
      onEventEntry’s debug scope
      
      debug details
      
      onEventEntry’s debug details
    2. Append entry to the contribution cache.
Let sellerBatchingScope be the result of getting or creating a batching scope given auctionConfig’s seller, auctionConfig’s seller Private Aggregation coordinator, and reportingContext.
Let auctionReportBuyersDebugScope be a new debug scope.
For each reportType → reportBuyerConfig of auctionConfig’s auction report buyers:
1. For each buyerOrigin → buyerOffset of auctionConfig’s auction report buyer keys:
  1. Let bucket be the sum of buyerOffset and reportBuyerConfig’s bucket.
    
    Handle overflow here or in validation. See WICG/turtledove#1040.
  2. Let value be the result (a double) of switching on reportType:
    
    "interestGroupCount"
    
    The number of interest groups in the user agent’s interest group set whose owner is buyerOrigin.
    
    "bidCount"
    
    The number of valid bids generated by interest groups whose owner is buyerOrigin.
    
    "totalGenerateBidLatency"
    
    The sum of execution time in milliseconds for all generateBid() calls in the auction for interest groups whose owner is buyerOrigin.
    
    "totalSignalsFetchLatency"
    
    The total time spent fetching trusted buyer signals in milliseconds, or 0 if the interest group didn’t fetch any trusted signals.
    
    None of the above values
    
    Assert: false, as this enum value is validated in validate and convert auction ad config
    
    More formally spec the values here.
  3. Set value to the result of multiplying reportBuyerConfig’s scale with value.
  4. Set value to the maximum of 0.0 and value.
  5. Set value to the result of converting value to an integer by truncating its fractional part.
  6. Set value to the minimum of value and 2³¹−1.
  7. Let contribution be a new PAHistogramContribution with the items:
    
    bucket
    
    bucket
    
    value
    
    value
    
    filteringId
    
    0
    
    Consider allowing the filtering ID to be set here.
  8. For each ig of the user agent’s interest group set whose owner is buyerOrigin:
    1. If seller capabilities of ig don’t allow this reporting, continue.
      
      Align behavior with seller capabilities handling once WICG/turtledove#966 is resolved.
    2. Let entry be a new contribution cache entry with the items:
      
      contribution
      
      contribution
      
      batching scope
      
      sellerBatchingScope
      
      debug scope
      
      auctionReportBuyersDebugScope
    3. Append entry to the contribution cache.
Mark a debug scope complete given auctionReportBuyersDebugScope and auctionConfig’s auction report buyer debug details.
For each (origin, aggregationCoordinator) → batchingScope of reportingContext’s private aggregation batching scope map:
1. Process contributions for a batching scope given batchingScope, origin, "protected-audience" and null.

To fill in the contribution given a reporting context reportingContext, an on event contribution entry onEventEntry and a leading bid info leadingBidInfo, perform the following steps. They return a PAHistogramContribution:

Let contribution be onEventEntry’s contribution.
Let bucket be contribution["bucket"].
If bucket is a PASignalValue, set bucket to the result of filling in the signal value given reportingContext, onEventEntry, bucket, 2¹²⁸−1 and leadingBidInfo.
Let value be contribution["value"].
If value is a PASignalValue, set value to the result of filling in the signal value given reportingContext, onEventEntry, value, 2³¹−1 and leadingBidInfo.
Let filledInContribution be a new PAHistogramContribution with the items:

bucket

bucket

value

value

filteringId

contribution["filteringId"]
Return filledInContribution.

To fill in the signal value given a reporting context reportingContext, an on event contribution entry onEventEntry, a PASignalValue value, an integer maxAllowed and a leading bid info leadingBidInfo, perform the following steps. They return an integer.

Assert: value["baseValue"] is a valid signal base value.
Let returnValue be the result of determining a signal’s numeric value given reportingContext, onEventEntry, value["baseValue"] and leadingBidInfo.
If value["scale"] exists, set returnValue to the result of multiplying value["scale"] with returnValue.
Set returnValue to the result of converting returnValue to an integer by truncating its fractional part.
If value["offset"] exists, set returnValue to the result of adding returnValue to value["offset"].
Clamp returnValue to the range 0 to maxAllowed, inclusive, and return the result.

To determine a signal’s numeric value given a reporting context reportingContext, an on event contribution entry onEventEntry, a signal base value signalBaseValue and a leading bid info leadingBidInfo, perform the following steps. They return a double.

Let metrics be the result of access per-participant metrics given reportingContext, onEventEntry’s origin, worklet function.
Let bidAndScoreMetrics be the result of access per-participant metrics given reportingContext, onEventEntry’s origin, and the result of find corresponding bid and score phase function given worklet function.
If signalBaseValue is:
"winning-bid"
1. If leadingBidInfo’s leading bid is null, return 0.
2. Otherwise, return leadingBidInfo’s leading bid’s bid.
"highest-scoring-other-bid":
1. If leadingBidInfo’s highest scoring other bid is null, return 0.
2. Otherwise, return leadingBidInfo’s highest scoring other bid’s bid.
"script-run-time"

Return the number of milliseconds of CPU time that the calling function (e.g. generateBid()) took to run.

"signals-fetch-time"

Switch on the associated worklet function:

generate-bid

Return the number of milliseconds it took for the trusted bidding signals fetch to complete, or 0 if no fetch was made.

score-ad

Return the number of milliseconds it took for the trusted scoring signals fetch to complete or 0 if no fetch was made.

report-result
report-win

Return 0.

"bid-reject-reason"
1. If the bid did not succeed purely because it didn’t meet the required k-anonymity threshold, return 8.
2. Let bidRejectReason be "not-available".
3. If the seller provided a reject reason, set bidRejectReason to that value.
4. If bidRejectReason is:
  
  "not-available"
  
  Return 0.
  
  "invalid-bid"
  
  Return 1.
  
  "bid-below-auction-floor"
  
  Return 2.
  
  "pending-approval-by-exchange"
  
  Return 3.
  
  "disapproved-by-exchange"
  
  Return 4.
  
  "blocked-by-publisher"
  
  Return 5.
  
  "language-exclusions"
  
  Return 6.
  
  "category-exclusions"
  
  Return 7.
  
  None of the above values
  
  Assert: false
  
  Note: this enum value is validated in scoreAd().
  
  Verify this once WICG/turtledove#627 is resolved.
  
  There are some automatically generated values that are not described here.
  
  Verify handling when the bid was not rejected.
"average-code-fetch-time"

Return the result of getting the value to report from an averager given metrics’s code fetch time averager.

"participating-ig-count"

Return bidAndScoreMetrics’s participating interest group count.

"percent-scripts-timeout"

Return the result of computing a percentage metric given metrics’s script timeouts occurred and metrics’s script executions attempted.

"regular-igs-count"

Return bidAndScoreMetrics’s regular interest group count.

"percent-regular-ig-count-quota-used"

Return the result of computing a percentage metric given bidAndScoreMetrics’s regular interest group count and max regular interest groups per owner.

"negative-igs-count"

Return bidAndScoreMetrics’s negative interest group count.

"percent-negative-ig-count-quota-used"

Return the result of computing a percentage metric given bidAndScoreMetrics’s negative interest group count and max negative interest groups per owner.

"ig-storage-used"

Return bidAndScoreMetrics’s storage quota used.

"percent-ig-storage-quota-used"

Return the result of computing a percentage metric given bidAndScoreMetrics’s storage quota used and max interest groups total size per owner.

"cumulative-buyer-time"

Return bidAndScoreMetrics’s cumulative buyer time.

"percent-igs-cumulative-timeout"

Return the result of computing a percentage metric given bidAndScoreMetrics’s cumulative timeouts occurred and bidAndScoreMetrics’s script executions attempted.

To compute a percentage metric given longs numerator and denominator:

If denominator is 0, return 0.
Let result be 100.0 * numerator / denominator, performing the computation with doubles.
If result > 110.0, set result to 110.0

Note: Since Interest Group Storage Maintenance happens periodically, metrics measuring storage utilization may report values that exceed 100%. The 110% cap exists to make it easier to allocate histogram bucket space for those metrics, by providing a predictable upper bound.
Return result.

To update storage metrics given per participant metrics metrics and a list of interest groups igs:

For each ig of igs:
1. If additional bid key is null, increment metrics’s regular interest group count by 1.
2. Otherwise, increment metrics’s negative interest group count by 1.
3. Increment metrics’s storage quota used by ig’s estimated size

To update cumulative buyer time metrics given per participant metrics metrics and a cumulative timeout tracker tracker:

If tracker’s limit is null, return.
If tracker is expired, set metrics’s cumulative buyer time to tracker’s limit + 1000ms.
Otherwise, set metrics’s cumulative buyer time to tracker’s limit - tracker’s remaining.

5.5. Get storage interest groups for owner

This first introductory paragraph is non-normative.

The get storage interest groups for owner algorithm returns a Web IDL array of interest groups. This allows a Protected Audience buyer within a shared storage worklet to gain insights into their users and to send Private Aggregation reports.

dictionary StorageInterestGroup : AuctionAdInterestGroup {
  unsigned long long joinCount;
  unsigned long long bidCount;
  sequence<PreviousWin> prevWinsMs;
  USVString joiningOrigin;
  long long timeSinceGroupJoinedMs;
  long long lifetimeRemainingMs;
  long long timeSinceLastUpdateMs;
  long long timeUntilNextUpdateMs;
  unsigned long long estimatedSize;
};

To get storage interest groups for owner given an origin owner:

Let resultIgs be an empty list.
Let now be a moment equal to the current coarsened wall time.
For each ig of user agent’s interest group set:
1. If ig’s owner does not equal owner, then continue.
2. Let resultIg be an empty StorageInterestGroup dictionary.
3. Set resultIg["owner"] to the serialization of ig’s owner.
4. Set resultIg["name"] to ig’s name.
5. Set resultIg["enableBiddingSignalsPrioritization"] to ig’s enable bidding signals prioritization.
6. If ig’s priority vector is not null:
  1. Set resultIg["priorityVector"] to ig’s priority vector.
7. If ig’s seller capabilities is not null:
  1. Let resultSellerCapabilities be an ordered map.
  2. For each origin → originSellerCapabilities of ig’s seller capabilities:
    1. Let serializedOrigin be the serialization of origin.
    2. Set resultSellerCapabilities[serializedOrigin] to originSellerCapabilities.
  3. Set resultIg["sellerCapabilities"] to resultSellerCapabilities.
8. Set resultIg["executionMode"] to ig’s execution mode.
9. Set resultIg["biddingLogicURL"] to the serialization of ig’s bidding url.
10. Set resultIg["biddingWasmHelperURL"] to the serialization of ig’s bidding wasm helper url.
11. Set resultIg["updateURL"] to the serialization of ig’s update url.
12. Set resultIg["trustedBiddingSignalsURL"] to the serialization of ig’s trusted bidding signals url.
13. If ig’s trusted bidding signals keys is not null:
  1. Set resultIg["trustedBiddingSignalsKeys"] to ig’s trusted bidding signals keys.
14. Set resultIg["trustedBiddingSignalsSlotSizeMode"] to ig’s trusted bidding signals slot size mode.
15. Set resultIg["maxTrustedBiddingSignalsURLLength"] to ig’s max trusted bidding signals url length.
16. If ig’s user bidding signals is not null:
  1. Let parsedUserBiddingSignals be ig’s user bidding signals parsed to a JavaScript value.
  2. If an exception was thrown, then return failure.
  3. Set resultIg["userBiddingSignals"] to parsedUserBiddingSignals.
17. If ig’s ads is not null:
  1. Set resultIg["ads"] to ig’s ads converted to an AuctionAd sequence.
  2. If an exception was thrown, then return failure.
18. If ig’s ad components is not null:
  1. Set resultIg["adComponents"] to ig’s ad components converted to an AuctionAd sequence.
  2. If an exception was thrown, then return failure.
19. If ig’s ad sizes is not null:
  1. Let resultAdSizes be an ordered map.
  2. For each sizeName → adSize of ig’s ad sizes:
    1. Set resultAdSizes[sizeName] to adSize converted to a map.
  3. Set resultIg["adSizes"] to resultAdSizes.
20. If ig’s size groups is not null:
  1. Set resultIg["sizeGroups"] to ig’s size groups.
21. Set resultIg["priority"] to ig’s priority.
22. If ig’s priority signals overrides is not null:
  1. Set resultIg["prioritySignalsOverrides"] to ig’s priority signals overrides.
23. If ig’s additional bid key is not null:
  1. Let encoded be the result of running forgiving-base64 encode with ig’s additional bid key.
  2. If encoded is failure, then return failure.
  3. Set resultIg["additionalBidKey"] to the result of running forgiving-base64 encode with ig’s additional bid key.
24. Set resultIg["joinCount"] to the sum of ig’s join counts for all days within the last 30 days.
25. Set resultIg["bidCount"] to the sum of ig’s bid counts for all days within the last 30 days.
26. Let resultPrevWins be a new sequence<PreviousWin>.
27. For each prevWin of ig’s previous wins for all days within the the last 30 days:
  1. Let timeDelta be (now − prevWin’s time) in millseconds.
  2. Set timeDelta to 0 if timeDelta is negative, timeDelta’s nearest second (rounding down) otherwise.
  3. Let metadata be prevWin’s metadata parsed to a JavaScript value.
  4. If an exception was thrown, then return failure.
  5. Let prevWinAdIDL be a new AuctionAd with the following items:
    
    renderURL
    
    the serialization of prevWin’s render url
    
    metadata
    
    metadata.
    
    adRenderId
    
    prevWin’s ad render ID
  6. Let prevWinElement be the sequence<PreviousWinElement> «timeDelta, prevWinAdIDL».
  7. Append prevWinElement to resultPrevWins.
28. Set resultIg["prevWinsMs"] to resultPrevWins.
29. Set resultIg["joiningOrigin"] to the serialization of ig’s joining origin.
30. Set resultIg["timeSinceGroupJoinedMs"] to (now − ig’s join time) in millseconds.
31. Set resultIg["lifetimeRemainingMs"] to (ig’s expiry − now) in millseconds.
32. Set resultIg["timeSinceLastUpdateMs"] to (now − ig’s last updated) in millseconds.
33. Set resultIg["timeUntilNextUpdateMs"] to (ig’s next update after − now) in millseconds.
34. Set resultIg["estimatedSize"] to ig’s estimated size.
35. Append resultIg to resultIgs.
Return resultIgs.

6. Additional Bids and Negative Targeting

6.1. createAuctionNonce()

This first introductory paragraph is non-normative.

navigator.createAuctionNonce() creates an auction nonce, which is a one-time canonical string representation of a version 4 UUID that is uniquely associated with a single call to navigator.runAdAuction(). For multi-seller auctions, a distinct auction nonce can be uniquely associated with each of the componentAuctions. The auction nonce(s) will need to be passed back in via a subsequent call to navigator.runAdAuction() via the AuctionAdConfig. This is currently only needed for auctions that use additional bids, in which the auction nonce is combined with a seller nonce to construct a bid nonce that must be included in each additional bid. For backwards compatibility, additional bids may include an auction nonce directly in place of a bid nonce.

[SecureContext]
partial interface Navigator {
  Promise<DOMString> createAuctionNonce();
};

The createAuctionNonce() method steps are:

Let p be a new promise.
Run the following steps in parallel:
1. Let nonce be the string representation of a version 4 UUID.
Because we’re going in parallel:
- There is no guarantee that the promise will be resolved before other tasks get queued on the main thread;
- ...which gives browsers the freedom to generate this UUID in another process, and asynchronously send it back to the main thread at an arbitrary future time.
1. Queue a global task on DOM manipulation task source, given this’s relevant global object, to resolve p with nonce.
Return p.

6.2. Additional Bids

This first introductory paragraph is non-normative.

In addition to bids generated by interest groups, sellers can enable buyers to introduce bids generated outside of the auction, which are called additional bids. Additional bids are commonly triggered using contextual signals. Buyers compute the additional bids, likely as part of a contextual auction. Buyers need to package up each additional bid using a new data structure that encapsulates all of the information needed for the additional bid to compete against other bids in a Protected Audience auction.

Each additional bid is expressed using the following JSON data structure:

const additionalBid = {
  "bid": {
    "ad": 'ad-metadata',
    "adCost": 2.99,
    "bid": 1.99,
    "bidCurrency": "USD",
    "render": "https://www.example-dsp.com/ad/123.jpg",
    "adComponents": [adComponent1, adComponent2],
    "allowComponentAuction": true,
    "modelingSignals": 123,
  },
  "interestGroup": {
    "owner": "https://www.example-dsp.com"
    "name": "campaign123",
    "biddingLogicURL": "https://www.example-dsp.com/bid_logic.js"
  },
  "negativeInterestGroups": {
    joiningOrigin: "https://www.example-advertiser.com",
    interestGroupNames: [
      "example_advertiser_negative_interest_group_a",
      "example_advertiser_negative_interest_group_b",
    ]
  },
  "auctionNonce": "12345678-90ab-cdef-fedcba09876543210",
  "seller": "https://www.example-ssp.com",
  "topLevelSeller": "https://www.another-ssp.com"
}

To validate and convert additional bids given an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, a negative target info negativeTargetInfo, a reporting context map reportingContextMap, and a global object global:

Assert that these steps are running in parallel.
Assert that auctionConfig’s auction nonce is not null.
Let auctionNonce be the string representation of auctionConfig’s auction nonce.
Let capturedAdditionalBidsHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured ad auction additional bids headers.
Let additionalBids be a new list of decoded additional bids.
For each encodedSignedAdditionalBidWithMetadata of capturedAdditionalBidsHeaders[auctionNonce]:
1. Let signedAdditionalBid be the result of running forgiving-base64 decode with encodedSignedAdditionalBidWithMetadata’s signed additional bid.
2. If signedAdditionalBid is failure, then continue.
3. Let additionalBid be the result of running parse a signed additional bid given signedAdditionalBid, reportingContextMap, encodedSignedAdditionalBidWithMetadata’s seller nonce, auctionConfig, topLevelAuctionConfig, and negativeTargetInfo.
4. If additionalBid is not null:
  1. Append additionalBid to additionalBids.
  2. Let bidCopy be a clone of additionalBid.
  3. Set bidCopy’s for k-anon auction to false.
Return additionalBids.

To parse a signed additional bid given a byte sequence signedAdditionalBid, a reporting context map reportingContextMap, a string-or-null sellerNonce, an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, and a negative target info negativeTargetInfo:

Assert that these steps are running in parallel.
Let parsedSignedAdditionalBid be the result of running parse a JSON string to an infra value given signedAdditionalBid.
Return null if any of the following conditions hold:
- parsedSignedAdditionalBid is not a map;
- parsedSignedAdditionalBid["bid"] does not exist, or is not a string;
- parsedSignedAdditionalBid["signatures"] does not exist, or is not a list.
Let signatures be a new list of signed additional bid signatures.
Let decodeSignatureFailed be false.
For each sig of parsedSignedAdditionalBid["signatures"]:
1. Set decodeSignatureFailed to true and break if any of the following conditions hold:
  - sig is not a map;
  - sig["key"] does not exist, or is not a string;
  - sig["signature"] does not exist, or is not a string.
2. Let maybeKey be the result of running forgiving-base64 decode with sig["key"].
3. Let maybeSignature be the result of running forgiving-base64 decode with sig["signature"].
4. Set decodeSignatureFailed to true and break if any of the following conditions hold:
  - maybeKey is failure, or its length is not 32;
  - maybeSignature is failure, or its length is not 64;
5. Let signature be a signed additional bid signatures, whose key is maybeKey, and signature is maybeSignature.
6. Append signature to signatures.
If decodeSignatureFailed is true, then return null.
Let decodedAdditionalBid be the result of decode an additional bid json given parsedSignedAdditionalBid["bid"], reportingContextMap, auctionConfig, topLevelAuctionConfig, and sellerNonce.
Return null if any of the following conditions hold:
- decodedAdditionalBid is failure;
- The result of checking a currency tag with decodedAdditionalBid’s bid’s bid’s currency and the result of running look up per-buyer currency with auctionConfig.
Let verifiedSignatureKeys be a new set of byte sequences.
For each signature of signatures:
1. Let isSignatureValid be the result of running verify signature’s signature on message parsedSignedAdditionalBid["bid"] using signature’s key, with 0 for Ed25519ctx.
2. If isSignatureValid is true, then append signature’s key to verifiedSignatureKeys.
If the result of checking whether negative targeted given decodedAdditionalBid, verifiedSignatureKeys and negativeTargetInfo is true, then return null.
Return decodedAdditionalBid.

To decode an additional bid json given a string additionalBidJson, a reporting context map reportingContextMap, an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, and a string-or-null sellerNonce:

Assert that these steps are running in parallel.
Let parsedAdditionalBid be the result of parse a JSON string to an infra value given additionalBidJson.
If parsedAdditionalBid is not a map, then return failure.
Let result be a new decoded additional bid.
Return failure if any of the following conditions hold:
- parsedAdditionalBid["auctionNonce"] exists and parsedAdditionalBid["bidNonce"] exists;
- parsedAdditionalBid["auctionNonce"] does not exist and parsedAdditionalBid["bidNonce"] does not exist;
- parsedAdditionalBid["seller"] does not exist;
- The result of running the parse an https origin with parsedAdditionalBid["seller"] is failure, or not same origin with auctionConfig’s seller.
If sellerNonce is not null:
1. Return failure if any of the following conditions hold:
  1. parsedAdditionalBid["bidNonce"] does not exist;
  2. parsedAdditionalBid["bidNonce"] is not the result of calculate expected bid nonce given the string representation of auctionConfig’s auction nonce and sellerNonce.
Otherwise:
1. Return failure if any of the following conditions hold:
  - parsedAdditionalBid["auctionNonce"] does not exist;
  - parsedAdditionalBid["auctionNonce"] is not the string representation of auctionConfig’s auction nonce;
If topLevelAuctionConfig is null:
1. If parsedAdditionalBid["topLevelSeller"] exists, then return failure.
Otherwise:
1. If parsedAdditionalBid["topLevelSeller"] does not exist, then return failure.
2. Let bidTopLevelSeller be the result of running the parse an https origin with parsedAdditionalBid["topLevelSeller"].
3. If bidTopLevelSeller is failure, or bidTopLevelSeller is not same origin with topLevelAuctionConfig’s seller, then return failure.
If parsedAdditionalBid["interestGroup"] does not exist, then return failure.
Let igMap be parsedAdditionalBid["interestGroup"].
Return failure if any the following conditions hold:
- igMap is not a map;
- igMap["name"] does not exist, or is not a string;
- igMap["biddingLogicURL"] does not exist, or is not a string;
- igMap["owner"] does not exist, or is not a string;
Let igOwner be the result of running parse an https origin given igMap["owner"].
Let igName be igMap["name"].
Let igBiddingUrl be the result of running url parser on igMap["biddingLogicURL"].
Return failure if any of the following conditions hold:
- igOwner is failure;
- auctionConfig’s interest group buyers does not contain igOwner;
- igBiddingUrl is failure;
- igOwner is not same origin with igBiddingUrl.
Let ig be a new interest group with the following properties:

owner

igOwner

name

igName

bidding url

igBiddingUrl
If parsedAdditionalBid["bid"] does not exist, or is not a map, return failure.
Let bidMap be parsedAdditionalBid["bid"].
If bidMap["render"] does not exist or is not a string, then return failure.
Let renderUrl be the result of running URL parser on bidMap["render"].
If renderUrl is failure, then return failure.
Let ad be a new interest group ad whose render url is renderUrl.
Set ig’s ads to « ad ».
Let bidVal be bidMap["bid"] if it exists, otherwise return failure.
If bidVal is not a double, or is less than or equal to 0, then return failure.
Let adMetadata be "null".
If bidMap["ad"] exists:
1. Set adMetadata to the result of running serialize an Infra value to a JSON string with bidMap["ad"].
Let bidCurrency be null.
If bidMap["bidCurrency"] exists:
1. If bidMap["bidCurrency"] is not a string, or the result of checking whether a string is a valid currency tag is failure, then return failure.
2. Set bidCurrency to bidMap["bidCurrency"].
Let adCost be null.
If bidMap["adCost"] exists:
1. If bidMap["adCost"] is not a double, then return failure.
2. Set adCost to bidMap["adCost"].
Let modelingSignals be null.
If bidMap["modelingSignals"] exists:
1. If bidMap["modelingSignals"] is not a double, then return failure.
2. If bidMap["modelingSignals"] ≥ 0, and < 4096, then set modelingSignals to bidMap["modelingSignals"].
Let adComponents be a new list of ad descriptors.
If bidMap["adComponents"] exists:
1. If bidMap["adComponents"] is not a list, then return failure.
2. For each component of bidMap["adComponents"]:
  1. If component is not a string, then return failure.
  2. Let componentUrl be the result of running URL parser on component.
  3. If componentUrl is failure, then return failure.
  4. Let componentDescriptor be a new ad descriptor whose url is componentUrl.
  5. Append componentDescriptor to adComponents.
3. Set ig’s ad components to adComponents.
If parsedAdditionalBid["negativeInterestGroup"] exists:
1. If parsedAdditionalBid["negativeInterestGroups"] exists, or parsedAdditionalBid["negativeInterestGroup"] is not a string, then return failure.
2. Append parsedAdditionalBid["negativeInterestGroup"] to result’s negative target interest group names.
If parsedAdditionalBid["negativeInterestGroups"] exists:
1. Let multipleNegativeIg be parsedAdditionalBid["negativeInterestGroups"].
2. Return failure if any of the following conditions hold:
  - multipleNegativeIg is not a map;
  - multipleNegativeIg["joiningOrigin"] does not exist, or is not a string;
  - multipleNegativeIg["interestGroupNames"] does not exist, or is not a list.
3. Let joiningOrigin be the result of running parse an https origin with multipleNegativeIg["joiningOrigin"].
4. If joiningOrigin is failure, then return failure.
5. Set result’s negative target joining origin to joiningOrigin.
6. For each igName of multipleNegativeIg["interestGroupNames"]:
  1. If igName is not a string, then return failure.
  2. Append igName to result’s negative target interest group names.
Set result’s bid to a new generated bid with the following properties:

reporting id

A reporting bid key with the following items:

context

reportingContextMap[auctionConfig]

source

additional-bid

bidder origin

ig’s owner

bid identifier

A string representation of a new globably unique identifier. This is needed since igName may not be unique.

bid

A bid with currency whose value is bidVal, and currency is bidCurrency

ad

adMetadata

ad descriptor

An ad descriptor whose url is renderUrl

ad component descriptors

adComponents

ad cost

adCost

modeling signals

modelingSignals

interest group

ig

bid ad

A interest group ad whose render url is renderUrl, and metadata is adMetadata

provided as additional bid

true
Return result.

To calculate expected bid nonce given a string auctionNonce and a string sellerNonce:

Return the result of forgiving-base64 encoding the SHA-256 hash of the result of concatenating «auctionNonce, sellerNonce».

A signed additional bid signature is a struct with the following items:

key: A byte sequence of length 32.
signature: A byte sequence of length 64.

A decoded additional bid is a struct with the following items:

bid: A generated bid. Fields analogous to those returned by generateBid().
negative target interest group names: A list of strings.
negative target joining origin: Null or an origin. Required if there is more than one entry in negative target interest group names.

6.3. Negative Targeting

This first introductory paragraph is non-normative.

In online ad auctions for ad space, it’s sometimes useful to prevent showing an ad to certain audiences, a concept known as negative targeting. To facilitate negative targeting in Protected Audience auctions, each additional bid is allowed to identify one or more negative interest groups. If the user has been joined to any of the identified negative interest groups, the additional bid is dropped; otherwise it participates in the auction, competing alongside bids created by calls to generateBid(). An additional bid that specifies no negative interest groups is always accepted into the auction.

To check whether negative targeted given a decoded additional bid additionalBid, a set of byte sequences verifiedSignatureKeys, and a negative target info negativeTargetInfo:

Assert that these steps are running in parallel.
Let negativeTargeted be false.
Let additionalBidBuyer be additionalBid’s bid’s interest group’s owner.
For each igName of additionalBid’s negative target interest group names:
1. If negativeTargetInfo[(additionalBidBuyer, igName)] exists:
  1. Let (joiningOrigin, additionalBidKey) be negativeTargetInfo[(additionalBidBuyer, igName)].
  2. If verifiedSignatureKeys contains additionalBidKey:
    1. If joiningOrigin is not null:
      1. If joiningOrigin is not same origin with additionalBid’s negative target joining origin, then continue.
    2. Set negativeTargeted to true, and break.

Note: If the signature doesn’t verify successfully, the additional bid proceeds as if the negative interest group is not present. This ensures that only the owner of the negative interest group, who created the additionalBidKey, is allowed to negatively target the interest group, and that nobody else can learn whether the interest group set contains the interest group.

Return negativeTargeted.

A negative target info is a map. Its keys are tuples consisting of an origin for owner and a string for name. Its values are tuples consisting of an origin for joining origin and a byte sequence for additional bid key.

6.3.1. Negative Interest Groups

This section is non-normative.

Though negative interest groups are joined using the same joinAdInterestGroup() API as regular interest groups, they remain distinct from one another. Only negative interest groups’s additional bid key can be non-null, while only regular interest groups’s ads can be non-null. Because the subset of fields used by a negative interest group cannot be meaningfully updated, a negative interest group’s update url must be null, otherwise a TypeError will be thrown by joinAdInterestGroup() API.

Additional bids specify the negative interest groups they’re negatively targeting against using at most one of the following two fields in their JSON data structure:

negativeInterestGroup, for a single negative interest group;
negativeInterestGroups, for more than one negative interest groups.

If an additional bid needs to specify more than one negative interest groups, all of those negative interest groups must be joined from the same origin, and that origin must be identified ahead of time in the additional bid’s joiningOrigin field. Any negative interest group that wasn’t joined from that identified origin is ignored for negative targeting.

Use negativeInterestGroup in additional bid’s JSON:

const additionalBid = {
  ...
  "negativeInterestGroup": "example_advertiser_negative_interest_group",
  ...
}

Use negativeInterestGroups in additional bid’s JSON:

const additionalBid = {
  ...
  "negativeInterestGroups": {
    joiningOrigin: "https://example-advertiser.com",
    interestGroupNames: [
      "example_advertiser_negative_interest_group_a",
      "example_advertiser_negative_interest_group_b",
    ]
  },
  ...
}

7. K-anonymity

Two goals of this specification rely on applying k-anonymity thresholds:

To prevent cross-site leaks: Inputs to event-level reporting functions, reportWin() and reportResult(), only contain limited cross-site information. As described in § 16 Privacy Considerations, part of this limiting is done by applying k-anonymity requirements to the ad URLs.
To ensure that the same ad or ad component is being shown to at least some minimum number of people: The browser applies k-anonymity requirements on the ad URLs.

The browser enforces these k-anonymity requirements by maintaining counts of how many times each ad and ad component has been shown to users. These counts are maintained across users, so the counting must be done on a central k-anonymity server. This specification relies on two operations to query and increment the counts: query k-anonymity count and increment k-anonymity count.

The details of how the k-anonymity server is operated and accessed are implementation-defined but it should be done in a way that prevents the server operator from joining the identity of two query or increment requests. One way to help prevent this is by making accesses to the server go through an HTTP proxy that prevents the server from seeing the browsers' IP addresses.

The browser should choose a k-anonymity threshold, otherwise known as the value for "k", and a k-anonymity duration depending on the projected sizes of interest groups and the browser’s privacy goals. For example an implementation might choose to require a k-anonymity threshold of fifty users over a seven day period. The server will maintain the count over the chosen duration and compare the count to the chosen k-anonymity threshold when responding to query k-anonymity count.

The user agent must maintain a k-anonymity cache as a map whose keys are SHA-256 hashes of the k-anonymity keys for all of the ads and ad components in the user agent’s interest group set and whose values are k-anonymity records. This allows the browser to rerun portions of an auction without incurring the delay (and added side channels) from querying the server during an auction.

To create a k-anon restricted deep copy of the interest group given an interest group ig:

Let kAnonRestrictedIG be a deep copy of ig.
If ig’s ads is not null:
1. Set kAnonRestrictedIG’s ads to an empty list of interest group ad.
2. For each igAd of ig’s ads:
  1. Let adHashCode be the result of running compute the key hash of ad given ig and igAd.
  2. If query k-anonymity cache for ig’s owner, ig’s name, andadHashCode returns true:
    1. If igAd’s selectable buyer and seller reporting IDs is not null:
      1. Let kAnonRestrictedSelectableReportingIds be a new empty list of strings.
      2. For each selectableReportingId in igAd’s selectable buyer and seller reporting IDs:
        
        Let reportingHashCode be the result of query reporting ID k-anonymity count given ig, igAd, and selectableReportingId.
        
        If query k-anonymity cache for ig’s owner, ig’s name, andreportingHashCode returns true, then append selectableReportingId to kAnonRestrictedSelectableReportingIds.
      3. Set igAd’s selectable buyer and seller reporting IDs to kAnonRestrictedSelectableReportingIds.
    2. Append igAd to kAnonRestrictedIG’s ads.
If ig’s ad components is not null:
1. Set kAnonRestrictedIG’s ad components to an empty list of interest group ad.
2. For each igAdComponent of ig’s ad components:
  1. Let adComponentHashCode be the result of running compute the key hash of component ad given ig and igAdComponent.
  2. If query k-anonymity cache for ig’s owner, ig’s name, and adComponentHashCode returns true:
    1. Append igAdComponent to kAnonRestrictedIG’s ad components.
Return kAnonRestrictedIG.

To query k-anonymity count given a SHA-256 hashCode:

If the k-anonymity server has recorded at least k-anonymity threshold users seeing hashCode over the last k-anonymity duration, return true. Otherwise, return false.
Return true if it is above the threshold, otherwise return false.

To check a k-anonymity record given a k-anonymity record record:

If the difference between current coarsened wall time and record’s timestamp is more than 7 days then return false.
Return record’s is k-anonymous.

To query k-anonymity cache given an origin owner, string name, and SHA-256 hashCode:

If the user agent’s k-anonymity overrides contains the tuple (owner,name):
1. If the user agent’s k-anonymity overrides[(owner,name)] does not contain hashCode, then return false.
2. Let record be the user agent’s k-anonymity overrides[(owner,name)][hashCode].
3. Return the result of checking a k-anonymity record with record.
Otherwise:
1. If the user agent’s k-anonymity cache does not contain hashCode, then return false.
2. Let record be the user agent’s k-anonymity cache[hashCode].
3. Return the result of checking a k-anonymity record with record.

To compute the key hash of ad given an interest group ig and an interest group ad igAd:

Let keyString be the k-anonymity key formed from the concatenation of the following strings separated with U+000A LF:
- "AdBid"
- the serialization of ig’s owner
- the serialization of ig’s bidding url
- the serialization of igAd’s render url.
Return the SHA-256 hash of the ASCII encoding of keyString.

To compute the key part for one of multiple reporting ids given string-or-null reportingId:

If reportingId is null, then return the concatenation of the following:
- U+0000 (NUL)
- U+0000 (NUL)
- U+0000 (NUL)
- U+0000 (NUL)
- U+0000 (NUL)
Otherwise, return the concatenation of the following:
- U+0001 (SOH)
- The size of reportingId, interpreted as four 8-bit big-endian numbers, appended as bytes.
- reportingId

To compute the key hash of reporting ID given an interest group ig and an interest group ad igAd, and a string-or-null selectedReportingId:

Let middle be the concatenation of the following strings separated with U+000A (LF):
- the serialization of ig’s owner
- the serialization of ig’s bidding url
- the serialization of igAd’s render url
Let keyString be an empty string.
If selectedReportingId is not null, then set the keyString to be the concatenation of the following strings separated with U+000A (LF):
- "SelectedBuyerAndSellerReportId"
- middle
- The result of compute the key part for one of multiple reporting ids given selectedReportingId
- The result of compute the key part for one of multiple reporting ids given igAd’s buyer and seller reporting ID
- The result of compute the key part for one of multiple reporting ids given igAd’s buyer reporting ID
Otherwise:
1. If igAd’s buyer and seller reporting ID is not null, set keyString to be the concatenation of the following strings separated with U+000A (LF):
  - "BuyerAndSellerReportId"
  - middle
  - igAd’s buyer and seller reporting ID
2. Otherwise if igAd’s buyer reporting ID is not null, set keyString to be the concatenation of the following strings separated with U+000A (LF):
  - "BuyerReportId"
  - middle
  - igAd’s buyer reporting ID
3. Otherwise set keyString to be the concatenation of the following strings separated with U+000A (LF):
  - "NameReport"
  - middle
  - igAd’s name
Return the SHA-256 hash of the ASCII encoding of keyString.

To compute the key hash of component ad given an interest group ad igAd:

Let keyString be the concatenation of the following strings separated with U+000A LF:
- "ComponentBid"
- the serialization of igAd.
Return the SHA-256 hash of the ASCII encoding of keyString.

To query generated bid k-anonymity count given a generated bid bid:

Let ig be the bid’s interest group.
Compute the adHashCode following compute the key hash of ad with ig and bid’s ad descriptor.
If query k-anonymity cache for ig’s owner, ig’s name, and adHashCode returns false, return false.
If bid’s ad component descriptors is not null:
1. For each adComponentDescriptor in bid’s ad component descriptors:
  1. Compute the componentAdHashCode by getting the result of compute the key hash of component ad with adComponentDescriptor’s url.
  2. If query k-anonymity cache for ig’s owner, ig’s name, and componentAdHashCode returns false, return false.
If bid’s selected buyer and seller reporting ID is not null:
1. Let isKAnon the result of running query reporting ID k-anonymity count with ig, bid’s ad, and bid’s selected buyer and seller reporting ID.
2. If isKAnon is false, return false.
Return true.

To query reporting ID k-anonymity count given an interest group ig, an interest group ad igAd, and a string-or-null selectedReportingId:

Let keyHash be the result of computing the key hash of reporting ID given ig, igAd, and selectedReportingId.
Return the result of query k-anonymity cache given ig’s owner, ig’s name, and keyHash.

To update k-anonymity cache for key given a SHA-256 hashCode:

Assert that these steps are running in parallel.
Let record be a new k-anonymity record.
Set record’s timestamp field to the current coarsened wall time.
Set record’s is k-anonymous field to the result of executing query k-anonymity count for hashCode.
Set record[hashCode] to record.

To update k-anonymity cache for interest group given an interest group ig:

Assert that these steps are running in parallel.
For each igAd of ig’s ads:
1. Let adHashCode be the result of running compute the key hash of ad given ig and igAd.
2. Run update k-anonymity cache for key on adHashCode.
3. Let adReportingHashCode be the result of computing the key hash of reporting ID given ig, igAd, and null.
4. Run update k-anonymity cache for key on adReportingHashCode.
5. If igAd’s selectable buyer and seller reporting IDs is not null:
  1. For each selectableReportingId in igAd’s selectable buyer and seller reporting IDs:
    1. Set adReportingHashCode be the result of computing the key hash of reporting ID given ig, igAd, and selectableReportingId.
    2. Run update k-anonymity cache for key on adReportingHashCode.
For each componentAd of ig’s ad components:
1. Let componentAdHashCode be the result of running compute the key hash of component ad given componentAd.
2. Run update k-anonymity cache for key on componentAdHashCode.

To increment k-anonymity count given a hashCode:

Ask the k-anonymity server to record that this user agent has seen hashCode.

To increment ad k-anonymity count given an interest group ig and a URL ad:

Let keyString be the concatenation of the following strings separated with U+000A LF:
1. "AdBid"
2. the serialization of ig’s owner
3. the serialization of ig’s bidding url
4. the serialization of ad.
Let keyHash be the SHA-256 hash of the ASCII encoding of keyString.
Increment k-anonymity count given keyHash.

To increment component ad k-anonymity count given a URL ad:

Let keyString be the concatenation of the following strings separated with U+000A LF:
1. "ComponentBid"
2. the serialization of ad.
Let keyHash be the SHA-256 hash of the ASCII encoding of keyString.
Increment k-anonymity count given keyHash.

To increment reporting ID k-anonymity count given an interest group ig and a URL ad:

Let igAd be the interest group ad from ig’s ads whose render url is ad.
Let keyHash be the result of computing the key hash of reporting ID given ig and igAd.
Increment k-anonymity count given keyHash.

To increment a winning bid’s k-anonymity count given a generated bid winner:

Increment ad k-anonymity count given winner’s interest group and winner’s ad descriptor’s url.
If winner’s ad component descriptors is not null:
1. For each adComponentDescriptor in winner’s ad component descriptors:
  1. Increment component ad k-anonymity count given adComponentDescriptor’s url.
Increment reporting ID k-anonymity count given winner’s interest group and winner’s ad descriptor’s url.

8. Script Runners

This introduction sub-section is non-normative.

This specification defines a new type of script execution environment called a script runner. On the surface, these are similar to Worklets in that they too are used for running scripts independent of the main execution environment with a flexible implementation model.

However, some key differences from traditional Worklets motivate us to create a new kind of script execution environment. In particular, they:

Are not scoped to a particular Document, but are rather scoped to a user agent, as they are spun up by interest groups in the user agent’s interest group set.
Consequently have a different, more flexible agent cluster allocation model —specifically, they need not execute in the same agent cluster as any Document, and for privacy reasons implementations may be motivated to enjoy this flexibility.
Do not have any other WebIDL interfaces exposed to their global besides the ones defined in this specification, unlike other Worklet types.
Have a restricted set of ECMAScript APIs exposed to them; for example Date is not exposed in these environments.
Are not module scripts, and are instead evaluated as if they were classic scripts.
Are not scripts in the [HTML] sense, and as such:
- Their agent does not have an event loop
- Their realm does not have a settings object, and therefore functions inside them are not run with the familiar [WebIDL] invocation mechanism.
- They do not perform a microtask checkpoints.

8.1. Realm and agent

To create a new script runner agent, run these steps:

Let signifier be a new unique internal value.
Let candidateExecution be a new candidate execution.
Return a new agent whose [[CanBlock]] is false, [[Signifier]] is signifier, [[CandidateExecution]] is candidateExecution, and [[IsLockFree1]], [[IsLockFree2]], and [[LittleEndian]] are set at the implementation’s discretion.

Note: This algorithm is almost identical to [HTML]’s create an agent algorithm, with the exception that we do not give the returned agent a new event loop, since it does not process tasks within task sources in the usual way.

To obtain a script runner agent, run these steps:

Let agentCluster be a new agent cluster.
Let agent be the result of creating a new script runner agent.
Add agent to agentCluster.
Return agent.

To create a new script runner realm with a global type globalType, run these steps:

Assert that these steps are running in parallel.
Let agent be the result of obtaining a script runner agent given null, true, and false. Run the rest of these steps in agent.

This exclusively creates a new agent cluster for a given script to run in, but we should make this work with execution mode somehow.
Let realmExecutionContext be the result of creating a new realm given agent and the following customizations:
- For the global object, create a new object of type globalType.
Let realm be realmExecutionContext’s Realm component.
Let global be realm’s global object, and run these steps:
1. Perform !global.[[Delete]]("Date").
2. If !global.[[HasProperty]]("Temporal") is true, then perform !global.[[Delete]]("Temporal").
This is not the best way to perform such API neutering (see tc39/ecma262#1357), but at the moment it’s the way that host environments do this.

Note: Removing time-referencing APIs from the global object is imperative for privacy, as a script might otherwise be able to more easily exfiltrate data by using more accurate time measurements.
Return realm.

8.2. Script evaluation

Concretely, a script runner is a JavaScript execution environment instantiated with one of the following global objects:

InterestGroupBiddingScriptRunnerGlobalScope
InterestGroupScoringScriptRunnerGlobalScope
InterestGroupReportingScriptRunnerGlobalScope

To evaluate a bidding script given a string script, an unsigned short multiBidLimit, an interest group ig, a reporting context reportingContext, an execution metrics executionMetrics, a currency tag expectedCurrency, a GenerateBidInterestGroup igGenerateBid, a string-or-null auctionSignals, a string-or-null perBuyerSignals, an ordered map-or-null sameOriginTrustedBiddingSignals, an ordered map-or-null crossOriginTrustedBiddingSignals, a BiddingBrowserSignals browserSignals, a DirectFromSellerSignalsForBuyer directFromSellerSignalsForBuyer, and an integer millisecond duration timeout, perform the following steps. They return a tuple (list of generated bids, bid debug reporting info, list of real time reporting contributions, Private Aggregation contributions, execution metrics).

Let realm be the result of creating a new script runner realm given InterestGroupBiddingScriptRunnerGlobalScope.
Let global be realm’s global object.
Let settings be realm’s settings object.

WICG/turtledove#676 needs to be fixed in order to get realm’s settings object.
Set global’s group has ad components to true if ig’s ad components is not null, or false otherwise.
Set global’s expected currency to expectedCurrency.
Prepare for private aggregation given global, generate-bid, reportingContext, ig’s owner and ig’s Private Aggregation coordinator.
Let isComponentAuction be true if browserSignals["topLevelSeller"] is not null, or false otherwise.
Set global’s is component auction to isComponentAuction.
Set global’s multi-bid limit to multiBidLimit.
Set global’s interest group to ig.
Let igJS be the result of converting to ECMAScript values given igGenerateBid.
Let auctionSignalsJS be the result of parsing a JSON string to a JavaScript value given auctionSignals if auctionSignals is not null, otherwise undefined.
Let perBuyerSignalsJS be the result of parsing a JSON string to a JavaScript value given perBuyerSignals if perBuyerSignals is not null, otherwise undefined.
Let sameOriginTrustedBiddingSignalsJS be sameOriginTrustedBiddingSignals converted to ECMAScript values.
Let browserSignalsJS be browserSignals converted to ECMAScript values.
Let directFromSellerSignalsJS be directFromSellerSignalsForBuyer converted to ECMAScript values.
Let crossOriginTrustedBiddingSignalsJS be crossOriginTrustedBiddingSignals converted to ECMAScript values.
Let startTime be settings’s current monotonic time.
Let (result, executionMetrics’s script timed out) be the result of evaluating a script with realm, script, "generateBid", « igJS, auctionSignalsJS, perBuyerSignalsJS, sameOriginTrustedBiddingSignalsJS, browserSignalsJS, directFromSellerSignalsJS, crossOriginTrustedBiddingSignalsJS », and timeout.
Let duration be settings’s current monotonic time minus startTime in milliseconds.
If global’s priority is not null and not failure:
1. Set ig’s priority to global’s priority.
2. Replace the interest group that has ig’s owner and name in the user agent’s interest group set with ig.
If global’s priority signals is not empty:
1. For each k → v of global’s priority signals:
  1. If v is null, remove ig’s priority signals overrides[k].
  2. Otherwise, set ig’s priority signals overrides[k] to v.
2. Replace the interest group that has ig’s owner and name in the user agent’s interest group set with ig.
Let generatedBids be global’s bids.
If result is a normal completion:
1. Let generatedBidIDL be the result of converting result’s [[Value]] to a (GenerateBidOutput or sequence<GenerateBidOutput>).
2. If no exception was thrown in the previous step, set generatedBids to the result of converting one or many GenerateBidOutputs to a list of generated bids with generatedBidIDL, multiBidLimit, ig, expectedCurrency, isComponentAuction, and global’s group has ad components.
3. Otherwise, set generatedBids to failure.
If generatedBids is not a list of generated bids, set generatedBids to a new list of generated bids.
Let bidDebugReportInfo be a new bid debug reporting info.
Set bidDebugReportInfo’s interest group owner to ig’s owner.
Let debugLossReportUrl be global’s debug loss report url if it’s not failure, null otherwise.
Set bidDebugReportInfo’s bidder debug loss report url to debugLossReportUrl.
If generatedBids is not empty:
1. Let debugWinReportUrl be global’s debug win report url if it’s not failure, null otherwise.
2. Set bidDebugReportInfo’s bidder debug win report url to debugWinReportUrl.
3. For each generatedBid in generatedBids:
  1. Set generatedBid’s bid duration to duration, interest group to ig.
Let realTimeContributions be a new list of real time reporting contributions.
For each contribution of global’s real time reporting contributions:
1. If contribution’s latency threshold is not null, and ≥ duration, then continue.
2. Append contribution to realTimeContributions.
Finalize private aggregation debug info given global.
Let paContributions be the result of extracting private aggregation contributions given global.
Return a tuple (generatedBids, bidDebugReportInfo, realTimeContributions, paContributions, executionMetrics).

To evaluate a scoring script given a string script, a string adMetadata, a double bidValue, an auction config auctionConfig, a reporting context reportingContext, an ordered map-or-null sameOriginTrustedScoringSignals, an ordered map-or-null crossOriginTrustedScoringSignals, ScoringBrowserSignals browserSignals, a DirectFromSellerSignalsForSeller directFromSellerSignalsForSeller, and an integer millisecond duration timeout:

Let realm be the result of creating a new script runner realm given InterestGroupScoringScriptRunnerGlobalScope.
Let global be realm’s global object.
Let settings be realm’s settings object.
Prepare for private aggregation given global, score-ad, reportingContext, auctionConfig’s seller and auctionConfig’s seller Private Aggregation coordinator.
Let browserSignalsJS be browserSignals converted to ECMAScript values.
Let auctionConfigJS be auctionConfig’s config idl converted to ECMAScript values.
Let sameOriginTrustedScoringSignalsJS be sameOriginTrustedScoringSignals converted to ECMAScript values.
Let crossOriginTrustedScoringSignalsJS be crossOriginTrustedScoringSignals converted to ECMAScript values.
Let directFromSellerSignalsJs be directFromSellerSignalsForSeller converted to ECMAScript values.
Let startTime be settings’s current monotonic time.
Let executionMetrics be a new execution metrics.
Let (scoreAdResult, executionMetrics’s script timed out) be the result of evaluating a script with realm, script, "scoreAd", «adMetadata, bidValue, auctionConfigJS, sameOriginTrustedScoringSignalsJS, browserSignalsJS, directFromSellerSignalsJs, crossOriginTrustedScoringSignalsJS», and timeout.
Let duration be settings’s current monotonic time minus startTime in milliseconds.
Let debugWinReportUrl be global’s debug win report url if it’s not failure, null otherwise.
Let debugLossReportUrl be global’s debug loss report url if it’s not failure, null otherwise.
Let realTimeContributions be a new list of real time reporting contributions.
For each contribution of global’s real time reporting contributions:
1. If contribution’s latency threshold is not null, and ≥ duration, then continue.
2. Append contribution to realTimeContributions.
Finalize private aggregation debug info given global.
Let paContributions be the result of extracting private aggregation contributions given global.
Return « scoreAdResult, debugWinReportUrl, debugLossReportUrl, realTimeContributions, paContributions, executionMetrics ».

To evaluate a reporting script given a string script, a string functionName, a reporting context reportingContext, an origin origin, an origin privateAggregationCoordinator, an integer millisecond duration timeout, and a list of arguments arguments:

Let realm be the result of creating a new script runner realm given InterestGroupReportingScriptRunnerGlobalScope.
Let global be realm’s global object.
Let function be report-win
If functionName is "reportResult", set function to report-result.
Prepare for private aggregation given global, function, reportingContext, origin, and privateAggregationCoordinator.
Let argumentsJS be the result of converting arguments to an ECMAScript arguments list. If this throws an exception, return « "null", null, null, null, a new Private Aggregation Contributions, executionMetrics ».
Let executionMetrics be a new execution metrics.
Let (result, executionMetrics’s script timed out) be the result of evaluating a script with realm, script, functionName, argumentsJS, and timeout.
If result is an abrupt completion, return « "null", null, null, null ».
Let resultJSON be "null".
If functionName is "reportResult", then set resultJSON to the result of serializing a JavaScript value to a JSON string given result.

Note: Consider a return value that can’t be converted to JSON a valid result, so if an exception was thrown in the previous step, keep resultJSON as "null".
Let reportURL be global’s report url
If reportURL is failure, set reportURL to null.
Let macroMap be global’s reporting macro map if functionName is "reportWin" or "reportAdditionalBidWin", null otherwise.
Finalize private aggregation debug info given global.
Let paContributions be the result of extracting private aggregation contributions given global.
Return « resultJSON, reportURL, global’s reporting beacon map, macroMap, paContributions, executionMetrics ».

To evaluate a script with a realm realm, string script, string functionName, a list arguments, and an integer millisecond duration timeout, run these steps. They return a tuple of a Completion Record, which is either an abrupt completion (in the case of a parse failure or execution error), or a normal completion populated with the ECMAScript language value result of invoking functionName, and a boolean stating whether the script was interrupted due to reaching timeout.

Assert that these steps are running in parallel.
If timeout ≤ 0, return (new throw completion given null, true).
Let timedOut be false.
Let global be realm’s global object, and run these steps in realm’s agent:
Let result be ParseScript(script, realm, empty).

Note: The resulting Script Record will have no [[HostDefined]] component, unlike traditional scripts on the web platform.
If result is a list of errors, return (Completion { [[Type]]: throw, [[Value]]: result, [[Target]]: empty }, false).
Assert: result is a Script Record.
Prepare to run script: Push realmExecutionContext onto the JavaScript execution context stack; it is now the running JavaScript execution context.
Let evaluationStatus be the result of ScriptEvaluation(result).

In timeout milliseconds, if the invocation of ScriptEvaluation has not completed, immediately interrupt the execution, set finalCompletion to a new throw completion given null, set timedOut to true, and jump to the step labeled return.
If evaluationStatus is an abrupt completion, jump to the step labeled return.
Let F be Get(global, functionName). If that returns a throw completion, set finalCompletion to F and jump to the step labeled return.
Set finalCompletion be Completion(Call(F, undefined, arguments)).

In timeout milliseconds minus the execution time of ScriptEvaluation, if the invocation of Call has not completed, immediately interrupt the execution, set finalCompletion to a new throw completion given null, and set timedOut to true.
Return: at this point finalCompletion will be set to a Completion Record.
1. Clean up after script: Assert realmExecutionContext is the running JavaScript execution context, and remove it from the JavaScript execution context stack.
2. Return (finalCompletion, timedOut).

8.3. Global scopes

An additional requirement to the interest group script runner globals defined in this specification is that they must not expose any interfaces from other specifications whose own exposure set is the special value "*". The only interfaces that can be exposed inside of the globals defined in this specification are those that explicitly list the global names provided here.

[Exposed=InterestGroupScriptRunnerGlobalScope]
interface InterestGroupScriptRunnerGlobalScope {
  readonly attribute PrivateAggregation? privateAggregation;
  readonly attribute ProtectedAudienceUtilities protectedAudience;
};

dictionary PASignalValue {
  required DOMString baseValue;
  double scale;
  (bigint or long) offset;
};

dictionary PAExtendedHistogramContribution {
  required (PASignalValue or bigint) bucket;
  required (PASignalValue or long) value;
  bigint filteringId = 0;
};

[Exposed=InterestGroupScriptRunnerGlobalScope]
interface ProtectedAudienceUtilities {
  Uint8Array encodeUtf8(USVString input);
  USVString decodeUtf8(Uint8Array bytes);
};

Each InterestGroupScriptRunnerGlobalScope has a

private aggregation: Null, or a PrivateAggregation. Initially null.
protected audience utilities: Initially a ProtectedAudienceUtilities.
on event contribution map: A map from string to a list of on event contribution entries.
worklet function: A worklet function. Affects some Private Aggregation API functionality.
origin: The origin of the script being executed.

The privateAggregation getter steps are:

Return this’s relevant global object’s private aggregation.

The protectedAudience getter steps are:

Return this’s relevant global object’s protected audience utilities.

The encodeUtf8(USVString input) method steps are:

Follow the steps of TextEncoder.encode(input).

The decodeUtf8(Uint8Array bytes) method steps are a simplified version of TextDecoder.decode(bytes), with a UTF-8 decoder and ignoreBOM set to true:

Let decoder be a new instance of UTF-8’s decoder.
Let ioQueue be an I/O queue of bytes « end-of-queue ».
Push bytes to ioQueue.
Let output be an I/O queue of bytes « end-of-queue ».
While true:
1. Let item be the result of reading from ioQueue.
2. Let result be the result of processing an item with item, decoder, ioQueue, output, and "replacement".
3. Assert that result is not an error.
4. If result is finished, break.
Let serializationSettings be a new TextDecoderCommon with following fields:

encoding
UTF-8
ignore BOM
true
decoder
decoder
Return the result of running serialize I/O queue with serializationSettings and output.

[Exposed=InterestGroupBiddingAndScoringScriptRunnerGlobalScope]
interface ForDebuggingOnly {
  undefined reportAdAuctionWin(USVString url);
  undefined reportAdAuctionLoss(USVString url);
};

[Exposed=InterestGroupBiddingAndScoringScriptRunnerGlobalScope]
interface RealTimeReporting {
  undefined contributeToHistogram(RealTimeContribution contribution);
};

dictionary RealTimeContribution {
  required long bucket;
  required double priorityWeight;
  long latencyThreshold;
};

[Exposed=InterestGroupBiddingAndScoringScriptRunnerGlobalScope,
 Global=InterestGroupBiddingAndScoringScriptRunnerGlobalScope]
interface InterestGroupBiddingAndScoringScriptRunnerGlobalScope : InterestGroupScriptRunnerGlobalScope {
  readonly attribute ForDebuggingOnly forDebuggingOnly;
  readonly attribute RealTimeReporting realTimeReporting;
};

Each InterestGroupBiddingAndScoringScriptRunnerGlobalScope has an associated ForDebuggingOnly instance forDebuggingOnly, and an associated RealTimeReporting instance realTimeReporting, which are created alongside the InterestGroupBiddingAndScoringScriptRunnerGlobalScope.

The forDebuggingOnly getter steps are:

Return this’s relevant global object’s forDebuggingOnly.

Each InterestGroupBiddingAndScoringScriptRunnerGlobalScope has a

debug win report url: Null, failure, or a URL whose scheme is "https". Initially null.
debug loss report url: Null, failure, or a URL whose scheme is "https". Initially null.

The reportAdAuctionWin(url) method steps are:

Let global be this’s relevant global object.
Let parsedUrl be the result of running the URL parser on url.
If parsedUrl is failure, or parsedUrl’s scheme is not "https", then set global’s debug win report url to failure.
Optionally, return.

Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the parsedUrl’s site not being enrolled.
Set global’s debug win report url to parsedUrl.

The reportAdAuctionLoss(url) method steps are:

Let global be this’s relevant global object.
Let parsedUrl be the result of running the URL parser on url.
If parsedUrl is failure, or parsedUrl’s scheme is not "https", then set global’s debug loss report url to failure.
Optionally, return.

Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the parsedUrl’s site not being enrolled.
Set global’s debug loss report url to parsedUrl.

The realTimeReporting getter steps are:

Return this’s relevant global object’s realTimeReporting.

Each InterestGroupBiddingAndScoringScriptRunnerGlobalScope has a

real time reporting contributions: A list of real time reporting contributions.

The contributeToHistogram(RealTimeContribution contribution) method steps are:

Let global be this’s relevant global object.
If contribution["bucket"] ≥ number of user buckets or is negative, then return;

Note: For forward compatibility with new values, don’t throw.
If contribution["priorityWeight"] ≤ 0, then throw a TypeError.
Let contributionEntry be a new real time reporting contribution with the following items:

bucket

contribution["bucket"]

priority weight

contribution["priorityWeight"]

latency threshold

contribution["latencyThreshold"] if it exists, null otherwise
Append contributionEntry to global’s real time reporting contributions.

8.3.1. InterestGroupBiddingScriptRunnerGlobalScope

[Exposed=InterestGroupBiddingScriptRunnerGlobalScope,
 Global=(InterestGroupScriptRunnerGlobalScope,
         InterestGroupBiddingScriptRunnerGlobalScope)]
interface InterestGroupBiddingScriptRunnerGlobalScope
        : InterestGroupBiddingAndScoringScriptRunnerGlobalScope {
  boolean setBid(optional (GenerateBidOutput or sequence<GenerateBidOutput>) oneOrManyBids = []);
  undefined setPriority(double priority);
  undefined setPrioritySignalsOverride(DOMString key, optional double? priority);
};

dictionary AdRender {
  required DOMString url;
  DOMString width;
  DOMString height;
};

dictionary GenerateBidOutput {
  double bid = -1;
  DOMString bidCurrency;
  (DOMString or AdRender) render;
  any ad;
  USVString selectedBuyerAndSellerReportingId;
  sequence<(DOMString or AdRender)> adComponents;
  double adCost;
  unrestricted double modelingSignals;
  boolean allowComponentAuction = false;
  unsigned long targetNumAdComponents;
  unsigned long numMandatoryAdComponents = 0;
};

Each InterestGroupBiddingScriptRunnerGlobalScope has a

bids: A list of generated bids, initially empty.
priority: Null, failure, or a double, initially null.
priority signals: An ordered map whose keys are strings and whose values are double or null.
interest group: An interest group
expected currency: A currency tag
is component auction: A boolean
group has ad components: A boolean
multi-bid limit: An unsigned short.

To convert one or many GenerateBidOutputs to a list of generated bids given a (GenerateBidOutput or sequence<GenerateBidOutput>) oneOrManyBids, an unsigned short multiBidLimit, an interest group ig, a currency tag expectedCurrency, a boolean isComponentAuction and a boolean groupHasAdComponents:

Let bidSequence be sequence<GenerateBidOutput>.
If the specific type of oneOrManyBids is GenerateBidOutput, then set bidSequence to « oneOrManyBids ».
Otherwise, set bidSequence to oneOrManyBids.
If bidSequence’s size > multiBidLimit, then return failure.
Let bids be a new list of generated bids.
for each bidOutput of bidSequence:
1. Let bid be the result of converting GenerateBidOutput to generated bid given bidOutput, ig, expectedCurrency, isComponentAuction, groupHasAdComponents.
2. If bid is failure, return failure.
3. If bid is null, continue.
4. Append bid to bids.
Return bids.

To convert GenerateBidOutput to generated bid given a GenerateBidOutput generateBidOutput, an interest group ig, a currency tag expectedCurrency, a boolean isComponentAuction and a boolean groupHasAdComponents:

If generateBidOutput["bid"] ≤ 0, then return null.
Let bid be a new generated bid.
If generateBidOutput["render"] does not exist, return failure.
If isComponentAuction is true, and generateBidOutput["allowComponentAuction"] is false, then return failure.
Let bidCurrency be null.
If generateBidOutput["bidCurrency"] is specified:
1. If the result of checking whether a string is a valid currency tag on generateBidOutput["bidCurrency"] is true, then set bidCurrency to generateBidOutput["bidCurrency"], otherwise return failure.
If the result of checking a currency tag with expectedCurrency and bidCurrency is false, return failure.
Set bid’s bid to a bid with currency with value generateBidOutput["bid"] and currency bidCurrency.
If generateBidOutput["ad"] exists:
1. Let adJSON be the result of serializing a JavaScript value to a JSON string, given generateBidOutput["ad"].
2. If adJSON is failure, return failure.
3. Set bid’s ad to adJSON.
Let adDescriptor be a new ad descriptor.
If generateBidOutput["render"] is a DOMString:
1. Let adUrl be the result of running the URL parser on generateBidOutput["render"].
2. If adUrl is failure, return failure.
3. Set adDescriptor’s url to adUrl.
Otherwise:
1. Set adDescriptor to the result of converting an ad render given generateBidOutput["render"].
2. If adDescriptor is failure, return failure.
Let bidAd be the result of finding matching ad given adDescriptor, ig, and false.
If bidAd is null, return failure.
Set bid’s ad descriptor to adDescriptor.
Set bid’s bid ad to bidAd.
If generateBidOutput["selectedBuyerAndSellerReportingId"] exists:
1. If bidAd’s selectable buyer and seller reporting IDs is null, or does not contain generateBidOutput["selectedBuyerAndSellerReportingId"], return failure.
2. Set bid’s selected buyer and seller reporting ID to generateBidOutput["selectedBuyerAndSellerReportingId"].
If generateBidOutput["adComponents"] exists:
1. Let adComponents be generateBidOutput["adComponents"].
2. Return failure if any of the following conditions hold:
  - groupHasAdComponents is false;
  - adComponents’s size is greater than 40 and generateBidOutput["targetNumAdComponents"] does not exist.
3. Let adComponentDescriptors be a new list of ad descriptors.
4. For component in adComponents:
  1. Let componentDescriptor be a new ad descriptor.
  2. If component is DOMString:
    1. Let componentUrl be the result of running the URL parser on component.
    2. If componentUrl is failure, return failure.
    3. Set componentDescriptor’s url to componentUrl.
  3. Otherwise:
    1. Set componentDescriptor to the result of converting an ad render given component.
    2. If componentDescriptor is failure, return failure.
  4. Let bidComponentAd be result of finding matching ad given componentUrl, ig, and true.
  5. If bidComponentAd is null, return failure.
  6. Append bidComponentAd to bid’s bid ad components.
  7. Append componentDescriptor to adComponentDescriptors.
5. Set bid’s ad component descriptors to adComponentDescriptors.
If generateBidOutput["targetNumAdComponents"] exists:
1. If generateBidOutput["targetNumAdComponents"] is equal to 0 or greater than 40, then return failure.
2. If bid’s ad component descriptors is null, or bid’s ad component descriptors’s size < generateBidOutput["targetNumAdComponents"], return failure.
3. If generateBidOutput["targetNumAdComponents"] < generateBidOutput["numMandatoryAdComponents"], return failure.
4. Set bid’s target number of ad components to generateBidOutput["targetNumAdComponents"].
5. Set bid’s number of mandatory ad components to generateBidOutput["numMandatoryAdComponents"].
If generateBidOutput["adCost"] exists, then set bid’s ad cost to generateBidOutput["adCost"].
If generateBidOutput["modelingSignals"] exists:
1. Let modelingSignals be generateBidOutput["modelingSignals"].
2. If modelingSignals ≥ 0 and modelingSignals < 4096, then set bid’s modeling signals to the result of converting the ECMAScript value represented by modelingSignals to an unsigned short.
Return bid.

To parse an AdRender dimension value given a string input:

Let position be a position variable, initially pointing at the start of input.
Strip leading and trailing ASCII whitespace from input.
If input starts with "0" but is not "0" and does not start with "0.", then return null as the dimension and the empty string as the dimension unit.
Collect a sequence of code points that are ASCII digits or U+002E (.), given position. Let that be dimensionString.
If dimensionString is the empty string, then return null as the dimension and the empty string as the dimension unit.
Let dimension be the result of parsing dimensionString using the rules for parsing floating-point number values.
If dimension is an error, then return null as the dimension and the empty string as the dimension unit.
If dimension is less than 0, then return null as the dimension and the empty string as the dimension unit.
Collect a sequence of code points that are ASCII lower alpha, given position. Let that be dimensionUnit.
If position is not past the end of input, then return null as the dimension and the empty string as the dimension unit.
If dimensionUnit is the empty string, then set dimensionUnit to "px".
If dimensionUnit is not "px", "sh", or "sw", then return null as the dimension and the empty string as the dimension unit.
Return dimension as the dimension and dimensionUnit as the dimension unit.

To convert an ad render given an AdRender adRender:

Let adUrl be the result of running the URL parser on adRender["url"].
If adUrl is failure, return failure.
Let adDescriptor be a new ad descriptor.
Set adDescriptor’s url to adUrl.
If adRender["width"] exists:
1. If adRender["height"] does not exist, return failure.
2. Let width and widthUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adRender["width"], respectively.
3. If width is null, return failure.
4. Let height and heightUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adRender["height"], respectively.
5. If height is null, return failure.
6. Let adSize be a new ad size.
7. Set adSize’s width to width, width units to widthUnit, height to height, height units to heightUnit.
8. Set adDescriptor’s size to adSize.
Return adDescriptor.

To find matching ad given an ad descriptor adDescriptor, an interest group ig, and a boolean isComponent:

Let adUrl be adDescriptor’s url.
If adUrl’s scheme is not "https", return null.
Let maybeMatchingAd be an interest group ad-or null, set to null.
Let adSize be adDescriptor’s size.
Let adList be ig’s ad components if isComponent, otherwise ig’s ads.
For each ad in adList:
1. If ad’s render url does not equal adUrl, continue.
2. If ad’s size group is null and adSize is null, set maybeMatchingAd to ad, and break.
3. If one of ad’s size group OR adSize is null, set maybeMatchingAd to ad, and break.
  
  Note: When only one of the two ads has a size specification, they are considered matching. The caller is responsible for discarding the extraneous size information.
4. For each igSize in (ig’s size groups)[ad’s size group]:
  1. If igSize equals adSize, set maybeMatchingAd to ad, and break.
Return null.

The setBid(oneOrManyBids) method steps are:

Let global be this’s relevant global object.
Set global’s bids to an empty list.
Let ig be global’s interest group.
Let expectedCurrency be global’s expected currency.
Let bidsToSet be the result of converting one or many GenerateBidOutputs to a list of generated bids with oneOrManyBids, global’s multi-bid limit, ig, expectedCurrency, global’s is component auction, and global’s group has ad components.
If bidsToSet is failure, throw a TypeError.
Set global’s bids to bidsToSet.

The setPriority(priority) method steps are:

Let global be this’s relevant global object.
If global’s priority is not null, then set global’s priority to failure, and throw a TypeError.
Set global’s priority to priority.

The setPrioritySignalsOverride(key, priority) method steps are:

Set this’s relevant global object’s priority signals[key] to priority.

8.3.2. InterestGroupScoringScriptRunnerGlobalScope

[Exposed=InterestGroupScoringScriptRunnerGlobalScope,
 Global=(InterestGroupScriptRunnerGlobalScope,
         InterestGroupScoringScriptRunnerGlobalScope)]
interface InterestGroupScoringScriptRunnerGlobalScope
        : InterestGroupBiddingAndScoringScriptRunnerGlobalScope {
};

8.3.3. InterestGroupReportingScriptRunnerGlobalScope

[Exposed=InterestGroupReportingScriptRunnerGlobalScope,
 Global=(InterestGroupScriptRunnerGlobalScope,
         InterestGroupReportingScriptRunnerGlobalScope)]
interface InterestGroupReportingScriptRunnerGlobalScope
        : InterestGroupScriptRunnerGlobalScope {
  undefined sendReportTo(DOMString url);
  undefined registerAdBeacon(record<DOMString, USVString> map);
  undefined registerAdMacro(DOMString name, USVString value);
};

Note: registerAdMacro(name, value) is only available in report win, but not report result.

Each InterestGroupReportingScriptRunnerGlobalScope has a

report url: Null, failure, or a URL whose scheme is "https". Initially null.
reporting beacon map: Null or an ordered map whose keys are strings and whose values are URLs whose schemes are "https". Initially null.
reporting macro map: Null or an ordered map whose keys are strings and whose values are strings. Initially null.

The sendReportTo(url) method steps are:

Let global be this’s relevant global object.
If global’s report url is not null, then set global’s report url to failure, and throw a TypeError.
Let parsedUrl be the result of running the URL parser on url.
If parsedUrl is failure, or parsedUrl’s scheme is not "https", set global’s report url to failure, and throw a TypeError.
Optionally, return.

Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the parsedUrl’s site not being enrolled.
Set global’s report url to parsedUrl.

The registerAdBeacon(map) method steps are:

If this’s relevant global object’s reporting beacon map is not null, then Throw a TypeError.
For each type → url of map:
1. If type starts with "reserved." and type does not match one of the automatic beacon event type values, throw a TypeError.
2. Let parsedURL be the result of running URL parser on url.
3. Throw a TypeError if any of the following conditions hold:
  - parsedURL is failure;
  - parsedURL’s scheme is not "https".
Set this’s relevant global object’s reporting beacon map to map.

The registerAdMacro(name, value) method steps are:

For each code unit c in name:
1. Throw a TypeError if both of the following conditions hold:
  - c is not an unreserved percent encoding character;
  - c is not "%".
For each code unit c in value:
1. Throw a TypeError if both of the following conditions hold:
  - c is not an unreserved percent encoding character;
  - c is not "%".
Set this’s relevant global object’s reporting macro map[name] to value.

9. Interest Group Updates

This first introductory paragraph is non-normative.

Interest groups have an update url field that allows updating the interest group definition stored on disk with information periodically retrieved from the update url. The interest group update steps are triggered during runAdAuction() and by calls to updateAdInterestGroups() API:

[SecureContext]
partial interface Navigator {
  undefined updateAdInterestGroups();
};

The updateAdInterestGroups() method steps are:

Let settings be this’s relevant settings object.
In parallel, run interest group update with « settings’s top-level origin », and settings’s policy container.

To update interest groups given a list of origins owners, and a policy container policyContainer:

Implementations can consider aborting all updating if updating has been running for too long. This can avoid continuing to reveal coarse IP location information to update servers long after navigating to another page. Some implementations, such as Chromium, have chosen a 10 minute limit.

For each owner of owners:

For each originalInterestGroup of the user agent’s interest group set whose owner is owner and next update after is before the current coarsened wall time and whose update url is not null:

Note: Implementations can consider loading only a portion of these interest groups at a time to avoid issuing too many requests at once.

Let ig be a deep copy of originalInterestGroup.
Let request be a new request with the following properties:

URL

ig’s update url

header list

«Accept: application/json»

client

null

origin

owner

mode

"no-cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

"none"

policy container

A new policy container whose IP address space is policyContainer’s IP address space

Stop using "no-cors" mode where possible (WICG/turtledove#667).
Let update be null.
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
1. If validate fetching response with response, responseBody and "application/json" returns false, set update to failure and return.
2. Set update to responseBody.
Wait for update to be set.
If update is failure, continue.
Let parsedUpdate be the result of parsing JSON bytes to an Infra value, given update.
If parsedUpdate is failure, continue.
If parsedUpdate is not an ordered map, continue.
If parsedUpdate["name"] exists and doesn’t match ig’s name, continue.
If parsedUpdate["owner"] exists and doesn’t match ig’s owner, continue.

For each key → value of parsedUpdate:

Switch on key:

"priority"

If value is a double, set ig’s priority to value.
Otherwise, jump to the step labeled Abort update.

"enableBiddingSignalsPrioritization"

If value is a boolean, set ig’s enable bidding signals prioritization to value.
Otherwise, jump to the step labeled Abort update.

"priorityVector"

If value is null or an ordered map whose keys are strings and whose values are double, set ig’s priority vector to value.
Otherwise, jump to the step labeled Abort update.

"prioritySignalsOverrides"

If value is an ordered map whose keys are strings and whose values are double or null:
1. For each pvKey → pvValue of value:
  1. If pvValue is null, remove ig’s priority signals overrides[pvKey].
  2. Otherwise, set ig’s priority signals overrides[pvKey] to pvValue.
Otherwise, jump to the step labeled Abort update.

"privateAggregationConfig"

If value is not a map whose keys are strings, jump to the step labeled Abort update.
If value["aggregationCoordinatorOrigin"] exists:
1. If value["aggregationCoordinatorOrigin"] is not a string, jump to the step labeled Abort update.
2. Let aggregationCoordinator be the result of obtaining the Private Aggregation coordinator given value["aggregationCoordinatorOrigin"].
3. If aggregationCoordinator is a DOMException, jump to the step labeled Abort update.
4. Otherwise, set ig’s Private Aggregation coordinator to aggregationCoordinator.

"sellerCapabilities"

If value is an ordered map whose keys are strings and whose values are lists of strings, for each sellerString → capabilities of value:
1. Let sellerCapabilities be a new set of seller capabilities.
2. For each capabilityString of capabilities:
  1. If capabilityString is "interest-group-counts" or "latency-stats", then append capabilityString to sellerCapabilities.
    
    Note: For forward compatibility with new values, don’t throw.
3. If sellerString is "*", then set ig’s all sellers capabilities to sellerCapabilities.
4. Otherwise:
  1. If ig’s seller capabilities is null, then set ig’s seller capabilities to a new ordered map whose keys are origins and whose values are sets of seller capabilities.
  2. Let sellerUrl be the result of running the URL parser on sellerString.
  3. If sellerUrl is not failure:
    1. Let seller be sellerUrl’s origin.
    2. If ig’s seller capabilities does not contain seller, then set ig’s seller capabilities[seller] to sellerCapabilities.
Otherwise, jump to the step labeled Abort update.

"executionMode"

If value is "compatibility", "frozen-context", or "group-by-origin", then set ig’s execution mode to value.
Otherwise, set ig’s execution mode to "compatibility".

"biddingLogicURL"

"biddingWasmHelperURL"

"updateURL"

For each groupMember and interestGroupField, in the following table

Group member	Interest group field
"`biddingLogicURL`"	bidding url
"`biddingWasmHelperURL`"	bidding wasm helper url
"`updateURL`"	update url

If key is not groupMember, continue.
If value is a string:
1. Let parsedURL be the result of parse and verify a bidding code or update URL on value and ig’s owner.
2. If parsedURL is failure, jump to the step labeled Abort update
3. Set ig’s interestGroupField to parsedURL.

"trustedBiddingSignalsURL"

If value is a string:
1. Let parsedURL be the result of parse and verify a trusted signals URL on value.
2. If parsedURL is failure, jump to the step labeled Abort update
3. Set ig’s trusted bidding signals url to parsedURL.

"trustedBiddingSignalsKeys"

If value is a list of strings, set ig’s trusted bidding signals keys to value.
Otherwise, jump to the step labeled Abort update.

"trustedBiddingSignalsSlotSizeMode"

If value is one of "none", "slot-size", or "all-slots-requested-sizes", set ig’s trusted bidding signals slot size mode to value.
Otherwise, set trusted bidding signals slot size mode to "none".

"maxTrustedBiddingSignalsURLLength"

If value is a Number:
1. Let convertedValue be the result of converting value to a long.
2. If convertedValue ≥ 0, then set ig’s max trusted bidding signals url length to convertedValue.
Otherwise, jump to the step labeled Abort update.

"trustedBiddingSignalsCoordinator"

If value is null:
1. Set ig’s trusted bidding signals coordinator to null.
If value is a string:
1. Let parsedCoordinator be the result of parsing an https origin on value.
2. If parsedCoordinator is a failure, jump to the step labeled Abort update.
3. Set ig’s trusted bidding signals coordinator to parsedCoordinator.

"userBiddingSignals"

Set ig’s user bidding signals to the result of serialize an Infra value to JSON bytes given value.
Otherwise, jump to the step labeled Abort update.

Serializing an Infra value to JSON bytes expects to be called within a valid ES realm. See infra/625

"adSizes"

Let adSizes be a new map whose keys are strings and values are ad sizes.
For each sizeName → size of value:
1. If sizeName is "", jump to the step labeled Abort update.
2. Let adSize be the result from running parse an AdRender ad size with size.
3. If adSize is null, jump to the step labeled Abort update.
4. Set adSizes[sizeName] to adSize.
Set ig’s ad sizes to adSizes.

"sizeGroups"

Let adSizes be ig’s ad sizes.
Let sizeGroups be a new map whose keys are strings and values are strings.
For each sizeGroupName → sizeList of value:
1. If sizeGroupName is "", jump to the step labeled Abort update.
2. For each sizeName of sizeList:
  1. If sizeName is "" or adSizes[sizeName] does not exist, jump to the step labeled Abort update.
3. Set sizeGroups[sizeGroupName] to sizeList.
Set ig’s size groups to sizeGroups.

"ads"

"adComponents"

For each groupMember and interestGroupField in the following table

Group member	Interest group field
"`ads`"	ads
"`adComponents`"	ad components

If key is not groupMember, continue.
If value is not a list of AuctionAd, jump to the step labeled Abort update.
Let igAds be a new list of interest group ads.
For each ad of value:
1. Let igAd be a new interest group ad.
2. Let renderURL be the result of running the URL parser on ad["renderURL"].
3. Jump to the step labeled Abort update if any of the following conditions hold:
  - renderURL is failure;
  - renderURL scheme is not "https";
  - renderURL includes credentials.
4. Set igAd’s render url to renderURL.
5. If ad["sizeGroup"] exists:
  1. Let sizeGroup be ad["sizeGroup}].
  2. Jump to the step labeled Abort update if none of the following conditions hold:
    - adSizes[sizeGroup] exists.
    - sizeGroups[sizeGroup] exists.
  3. Set igAd’s size group to sizeGroup.
6. If ad["metadata"] exists, then let igAd’s metadata be the result of serializing a JavaScript value to a JSON string, given ad["metadata"]. If this throws, jump to the step labeled Abort update.
7. If ad["creativeScanningMetadata"] exists, then set igAd’s creative scanning metadata to it.
8. If groupMember is "ads":
  1. If ad["buyerReportingId"] exists then set igAd’s buyer reporting ID to it.
  2. If ad["buyerAndSellerReportingId"] exists then set igAd’s buyer and seller reporting ID to it.
  3. If ad["selectableBuyerAndSellerReportingIds"] exists then set igAd’s selectable buyer and seller reporting IDs to it.
9. Append igAd to igAds.
If igAds is not is empty:
1. Set ig’s interestGroupField to igAds.

"additionalBidKey"

Let decodedKey be the result of running forgiving-base64 decode with value.
Jump to the step labeled Abort update if any of the following conditions hold:
- decodedKey is a failure;
- decodedKey’s length is not 32;
Set ig’s additional bid key to decodedKey.

Jump to the step labeled Abort update if any of the following conditions hold:
- ig’s ads is not null, and ig’s additional bid key is not null;
- ig’s estimated size is greater than 1048576 bytes.
Set ig’s next update after to the current coarsened wall time plus 24 hours.
Set ig’s last updated to the current coarsened wall time.
Replace the interest group that has ig’s owner and name in the user agent’s interest group set with ig.
Run update k-anonymity cache for interest group for ig.
Abort update: We jump here if some part of the interest group update failed. Continue to the next interest group update.

To process updateIfOlderThanMs given an origin buyer, and an ordered map perInterestGroupData whose keys are name strings and whose values are bidding signals per interest group data:

For each igName → perIgData of perInterestGroupData, the following steps should be done:
1. If perIgData’s update if older than ms is null, continue.
2. Let updateIfOlderThan be a duration of perIgData’s update if older than ms milliseconds.
3. Let ig be the interest group of the user agent’s interest group set whose owner is buyer and whose name is igName, or null if interest group set does not have such an interest group.
4. If ig is not null and the current coarsened wall time − ig’s last updated ≥ updateIfOlderThan:
  1. Set ig’s next update after to current coarsened wall time + updateIfOlderThan.
  2. Replace the interest group that has ig’s owner and name in the user agent’s interest group set with ig.

10. Feature Detection

The queryFeatureSupport() method permits checking what functionality is available in the current implementation, in order to help deploy new features. The return values specified in this specification are for an implementation that fully implements it.

[SecureContext]
partial interface Navigator {
  [SameObject] readonly attribute ProtectedAudience protectedAudience;
};

[SecureContext, Exposed=Window]
interface ProtectedAudience {
  any queryFeatureSupport(DOMString feature);
};

The queryFeatureSupport(feature) method steps are:

Let featuresTable be an ordered map whose keys are DOMStrings and whose values are booleans or longs, with the following entries:

"adComponentsLimit"

40

"deprecatedRenderURLReplacements"

true

"permitCrossOriginTrustedSignals"

true

"realTimeReporting"

true

"reportingTimeout"

true

"trustedSignalsKVv2"

true
If feature is "*", then return featuresTable.
If featuresTable[feature] exists, then return featuresTable[feature].
Return undefined.

11. Common Algorithms

The following algorithms are some helper algorithms used in this specification.

The estimated size of an interest group ig is the sum of:

The length of the serialization of ig’s owner.
The length of ig’s name.
8, which is the size of ig’s priority.
4, which is the size of ig’s execution mode.

Note: Each of execution mode’s value represents a long integer, so 4 bytes.
2, which is the size of ig’s enable bidding signals prioritization.
If ig’s priority vector is not null, for each key → value of priority vector:
1. The length of key.
2. 8, which is the size of value.
If ig’s priority signals overrides is not null, for each key → value of priority signals overrides:
1. The length of key.
2. 8, which is the size of value.
The length of the serialization of ig’s Private Aggregation coordinator if the field is not null.
If ig’s seller capabilities is not null, then for each seller → capabilities of ig’s seller capabilities:
1. The length of the serialization of seller.
2. 4, which is capabilities’s underlying number of enum bytes.
The length of the serialization of ig’s bidding url, if the field is not null.
The length of the serialization of ig’s bidding wasm helper url, if the field is not null.
The length of the serialization of ig’s update url, if the field is not null.
The length of the serialization of ig’s trusted bidding signals url, if the field is not null.
4, which is the size of ig’s trusted bidding signals slot size mode.

Note: Each of trusted bidding signals slot size mode’s value represents a long integer, so 4 bytes.
If ig’s trusted bidding signals keys is not null, for each key of it:
1. The length of key.
If ig’s max trusted bidding signals url length is not null:
1. 4, which is the size of ig’s max trusted bidding signals url length.
If ig’s trusted bidding signals coordinator is not null:
1. The length of the serialization of ig’s trusted bidding signals coordinator.
The length of ig’s user bidding signals.
If ig’s ads is not null, for each ad of it:
1. The length of the serialization of ad’s render url.
2. The length of ad’s size group if the field is not null.
3. The length of ad’s metadata if the field is not null.
4. The length of ad’s buyer reporting ID if the field is not null.
5. The length of ad’s buyer and seller reporting ID if the field is not null.
6. If ad’s selectable buyer and seller reporting IDs is not null, for each id of it:
  1. The length of id.
7. If ad’s allowed reporting origins is not null, for each origin of it:
  1. The length of the serialization of origin.
8. The length of ad’s creative scanning metadata if the field is not null.
If ig’s ad components is not null, for each ad of it:
1. The length of the serialization of ad’s render url.
2. The length of ad’s size group if the field is not null.
3. The length of ad’s metadata if the field is not null.
4. The length of ad’s creative scanning metadata if the field is not null.
If ig’s ad sizes is not null, for each sizeName → size of it:
1. The sum of the length of sizeName and 18 (representing the fixed length of size).
Note: 10 represents the size of 2 doubles for width and height (each 8 bytes), and 2 bytes for enums for width units and height units (each 1 byte).
If ig’s size groups is not null, for each sizeGroupName → sizeList of it:
1. The sum of the length of sizeGroupName and the following:
2. For each sizeName of sizeList:
  1. The length of sizeName.
If ig’s additional bid key is not null:
1. 32, which is its size (number of bytes).

To parse an https origin given a string input:

Let url be the result of running the URL parser on input.
If url is failure, or its scheme is not "https", then return failure.
Return url’s origin.

To serialize a URL given a URL-or-null url:

If url is null, then return undefined.
Return the serialization of url.

To parse and verify a bidding code or update URL given a string input and an origin igOwner:

Let parsedUrl be the result of running the URL parser on input.
Return failure if any of the following conditions hold:
- parsedUrl is failure;
- parsedUrl’s origin is not same origin with igOwner;
- parsedUrl includes credentials;
- parsedUrl’s fragment is not null.
Assert: parsedUrl’s scheme is "https".
Return parsedUrl.

To parse and verify a trusted signals URL given a string input:

Let parsedUrl be the result of running the URL parser on input.
Return failure if any of the following conditions hold:
- parsedUrl is failure;
- parsedUrl’s scheme is not "https";
- parsedUrl includes credentials;
- parsedUrl’s fragment is not null;
- parsedUrl’s query is not null.
Return parsedUrl.

To round a value given a double value:

If value is not a valid floating-point number, return value.
Let valueExp be value’s IEEE 754 biased exponent field minus 1023.
Let normValue be value multiplied by 2^{(−1 × valueExp)}.
If valueExp < −128:
1. If value < 0, return −0.
2. Otherwise, return 0.
If valueExp > 127:
1. If value < 0, return −∞.
2. Otherwise, return ∞.
Let precisionScaledValue be normValue multiplied by 256.
Let noisyScaledValue be precisionScaledValue plus a random double value greater than or equal to 0 but less than 1.
Let truncatedScaledValue be the largest integer not greater than noisyScaledValue.
Return truncatedScaledValue multiplied by 2^{(valueExp − 8)}.

To serialize an integer, represent it as a string of the shortest possible decimal number.

This would ideally be replaced by a more descriptive algorithm in Infra. See infra/201

To get uuid from string given a string input:

If input’s length is not 36, return an empty string.
Let uuidStr be an empty string.
For each i in the range from 1 to 36, inclusive:
1. Let unit be input’s ith code unit.
2. If « 8, 13, 18, 23 » contains i:
  1. If unit is not 0x002D (-), then return an empty string.
3. Otherwise:
  1. If unit is not an ASCII lower hex digit, then return an empty string.
  2. Append unit to the end of uuidStr.
Return ASCII encoded uuidStr.

To insert entries to map given an ordered map map, a key which is in same type as map’s key, and a list entries which is in same type as map’s value:

If map[key] exists, then extend map[key] with entries.
Otherwise, set map[key] to entries.

12. Permissions Policy Integration

This specification defines two policy-controlled features identified by the strings "join-ad-interest-group", and "run-ad-auction". Their default allowlists are "*".

Move from "*" to "self" (WICG/turtledove#522).

To check interest group permissions given an origin ownerOrigin, an environment settings object settings, and an enum joinOrLeave which is "join" or "leave":

If ownerOrigin is same origin with frameOrigin, then return true.
Let encodedFrameOrigin be the result of UTF-8 percent-encoding the serialized frameOrigin using component percent-encode set.
Let permissionsUrl be a new URL with the following items:

scheme

ownerOrigin’s scheme

host

ownerOrigin’s host

port

ownerOrigin’s port

path

« ".well-known", "interest-group", "permissions" »

query

The result of concatenating « "origin=", encodedFrameOrigin »
Let request be a new request with the following properties:

URL

permissionsUrl

header list

«Accept: application/json»

client

settings

origin

"client"

mode

"cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

none

policy container

"client"
Let resource be null.
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
1. If responseBody is null or failure, set resource to failure and return.
2. Let headers be response’s header list.
3. Let mimeType be the result of extracting a MIME type from headers.
4. If mimeType is failure or is not a JSON MIME Type, set resource to failure and return.
5. Set resource to responseBody.
Wait for resource to be set.
If resource is failure, then return false.
Let permissions be the result of parsing JSON bytes to an Infra value with resource, returning false on failure.
If permissions is not an ordered map, then return false.
If joinOrLeave is "join" and permissions["joinAdInterestGroup"] exists, then return permissions["joinAdInterestGroup"].
If joinOrLeave is "leave" and permissions["leaveAdInterestGroup"] exists, then return permissions["leaveAdInterestGroup"].
Return false.

The browser may cache requests for permissionsUrl within a network partition.

In order to prevent leaking data, the browser must request permissionsUrl regardless of whether the user is a member of the ad interest group. This prevents a leak of the user’s ad interest group membership to the server.

13. Fetch Patch for Auction Headers

This section specifies a manner by which some data, including additional bids and direct from seller signals, may be provided to auctions such that the data is only used within their intended auction.

Any Document in a traversable navigable may run a Protected Audience auction (with navigator.runAdAuction()) whose script runners functions receive signal objects derived from JSON from an `Ad-Auction-Signals` header, or additional bids derived from an `Ad-Auction-Additional-Bid` header, or response blob’s base64url encoded SHA-256 hash derived from an `Ad-Auction-Result` header, captured by a fetch() call (using the adAuctionHeaders option) initiated by any other Document in the same traversable navigable, or from an iframe navigation request (using the adauctionheaders content attribute on the iframe element).

Modify [FETCH]’s Fetch § 2 Infrastructure to add a new section called "Per Traversable Navigable Structures", with the following content:

Each traversable navigable has a captured ad auction signals headers, which is a map whose keys are direct from seller signals keys and whose values are direct from seller signals.

NOTE: This is only captured during a request whose initiator type is "fetch", made with the adAuctionHeaders option set to true, or during an iframe navigation request with the adauctionheaders content attribute set to true, as described in the `Ad-Auction-Signals` header description.

Each traversable navigable has a captured ad auction additional bids headers, which is a map whose keys are auction nonces and whose values are lists of signed additional bid with metadata.

Each traversable navigable has a saved Bidding and Auction request context, which is a map. The map’s keys are tuples consisting of the seller (origin) and the request ID (string representation of a version 4 UUID). The map’s values are server auction request contexts.

Each traversable navigable has a captured ad auction result headers, which is a map whose keys are origins and values are strings.

Each traversable navigable has a captured ad auction result nonce headers, which is a map whose keys are origins and values are strings.

Modify the definition of a request:

A request has an associated boolean capture-ad-auction-headers. Unless stated otherwise it is false.

Modify [FETCH]’s RequestInit dictionary to add an adAuctionHeaders attribute:

partial dictionary RequestInit {
  boolean adAuctionHeaders;
};

The following step will be added to the new Request (input, init) constructor steps, before step "Set this’s request to request":

If init["adAuctionHeaders"] exists, then set request’s capture-ad-auction-headers to it.

Modify the iframe element to add a adauctionheaders content attribute. The IDL attribute adAuctionHeaders reflects the adauctionheaders content attribute.

partial interface HTMLIFrameElement {
  [CEReactions] attribute boolean adAuctionHeaders;
};

The following step will be added to the steps after step "Let request be a new request, with ...":

If navigable’s container is an iframe element, and if it has a adauctionheaders content attribute, then set request’s capture-ad-auction-headers to true.

The following step will be added to the HTTP-network-or-cache fetch algorithm, before step "Modify httpRequest’s header list per HTTP. ...":

If request’s capture-ad-auction-headers is true, then set a structured field value given «`Sec-Ad-Auction-Fetch`, the boolean ?1» in httpRequest’s header list.

The following will be added to Fetch § 3 HTTP extensions:

13.1. The ``Sec-Ad-Auction-Fetch`` HTTP request header

The `Sec-Ad-Auction-Fetch` request header is an optional structured header with of type boolean. `Sec-Ad-Auction-Fetch` will only be set on a request whose initiator type is "fetch", made with the adAuctionHeaders option set to true, or on an iframe navigation request with the adauctionheaders content attribute set to true. If `Sec-Ad-Auction-Fetch` is equal to ?1, the user agent will remove any `Ad-Auction-Signals` or `Ad-Auction-Additional-Bid` from the returned response -- the `Ad-Auction-Signals` or `Ad-Auction-Additional-Bid` value will instead only be used in Protected Audiences auctions.

13.2. The ``Ad-Auction-Signals`` HTTP response header

The `Ad-Auction-Signals` response header provides value of a JSON array of dictionaries, each with an adSlot key. Protected Audience non-component, component, and top-level auctions may specify which signals to load by the adSlot key.

13.3. The ``Ad-Auction-Additional-Bid`` HTTP response header.

The `Ad-Auction-Additional-Bid` response header provides value of a string in the format of <auction nonce>:<seller nonce>:<base64-encoding of the signed additional bid>, or the legacy format of <auction nonce>:<base64-encoding of the signed additional bid>, either of which corresponds to a single additional bid. In the format that provides a seller nonce, the seller nonce must be as described in seller nonce. The response may include more than one additional bid by specifying multiple instances of the `Ad-Auction-Additional-Bid` response header.

13.4. The ``Ad-Auction-Result`` HTTP response header.

The `Ad-Auction-Result` response header provides the base64url encoded SHA-256 hash of the response blob. Multiple hashes can be included in a response by either repeating the header or by specifying multiple hashes separated by a "," character.

Ad-Auction-Result: ungWv48Bz-pBQUDeXa4iI7ADYaOWF3qctBD_YfIAFa0=,9UTB-u-WshX66Xqz5DNCpEK9z-x5oCS5SXvgyeoRB1k=

is equivalent to

Ad-Auction-Result: ungWv48Bz-pBQUDeXa4iI7ADYaOWF3qctBD_YfIAFa0=
Ad-Auction-Result: 9UTB-u-WshX66Xqz5DNCpEK9z-x5oCS5SXvgyeoRB1k=

13.5. The ``Ad-Auction-Result-Nonce`` HTTP response header.

The `Ad-Auction-Result-Nonce` response header provides the canonical string representation of a version 4 UUID serving as a nonce. Multiple nonces can be included in a response by either repeating the header or by specifying multiple nonces separated by a "," character.

Ad-Auction-Result-Nonce: 7d444840-9dc0-11d1-b245-5ffdce74fad2,e902893a-9d22-3c7e-a7b8-d6e313b71d9f

is equivalent to

Ad-Auction-Result-Nonce: 7d444840-9dc0-11d1-b245-5ffdce74fad2
Ad-Auction-Result-Nonce: e902893a-9d22-3c7e-a7b8-d6e313b71d9f

The following steps will be added to the HTTP fetch algorithm, immediately under the step "If internalResponse’s status is a redirect status:"

Delete "`Ad-Auction-Signals`" from response’s header list.
Delete "`Ad-Auction-Additional-Bid`" from response’s header list.

The following step will be added to the HTTP fetch algorithm, before step "Return response.":

If response is not null, response’s status is not a redirect status, fetchParams’s task destination is a global object that’s a Window object, and request’s capture-ad-auction-headers is true:
1. Let navigable be fetchParams’s task destination’s associated Document’s node navigable’s traversable navigable.
2. Run update captured headers with navigable’s captured ad auction signals headers, navigable’s captured ad auction additional bids headers, navigable’s captured ad auction result headers, navigable’s captured ad auction result nonce headers, response’s header list, and request’s URL’s origin.

The following algorithm will be added to the Fetch § 4 Fetching section:

To update captured headers with a captured ad auction signals headers storedSignalsHeaders, captured ad auction additional bids headers storedAdditionalBidsHeaders, captured ad auction result headers storedAuctionResultHeaders, captured ad auction result nonce headers storedAuctionResultNonceHeaders, header list responseHeaders, and origin requestOrigin:

Let adAuctionSignals be the result of getting `Ad-Auction-Signals` from responseHeaders.
If adAuctionSignals is not null:
1. Delete "`Ad-Auction-Signals`" from responseHeaders.
  
  NOTE: This step prevents the header value from being used outside the intended auctions —that is, scripts making the fetch() request aren’t able to load the header value.
2. Handle ad auction signals header value given adAuctionSignals, storedSignalsHeaders and requestOrigin.
Let additionalBids be the result of getting, decoding, and splitting `Ad-Auction-Additional-Bid` from responseHeaders.
If additionalBids is not null:
1. Delete "`Ad-Auction-Additional-Bid`" from responseHeaders.
  
  NOTE: This step prevents the header value from being used outside the intended auctions —that is, scripts making the fetch() request aren’t able to load the header value.
2. For each bid of additionalBids:
  1. Let parts be the result of strictly splitting bid on U+003A (:).
  2. Let bidWithMetadata be a new signed additional bid with metadata.
  3. If parts’s size is 3:
    1. Let auctionNonce be parts[0].
    2. If auctionNonce’s length is not 36, then continue.
    3. Let sellerNonce be parts[1].
    4. If sellerNonce’s length is not 36, then continue.
    5. Let bidWithMetadata’s seller nonce be sellerNonce.
    6. Let bidWithMetadata’s signed additional bid be parts[2].
    7. Append bidWithMetadata to storedAdditionalBidsHeaders[auctionNonce].
  4. Otherwise, if parts’s size is 2:
    1. Let auctionNonce be parts[0].
    2. If auctionNonce’s length is not 36, then continue.
    3. Let bidWithMetadata’s signed additional bid be parts[1].
    4. Append bidWithMetadata to storedAdditionalBidsHeaders[auctionNonce].
Let adAuctionResults be the result of getting, decoding, and splitting `Ad-Auction-Result` from responseHeaders.
If adAuctionResults is not null, for each result of adAuctionResults:
1. Strip leading and trailing ASCII whitespace from result.
2. If result is "", or contains code points U+002B (+) or U+002F (/), then continue.
3. Replace every U+2212 (-) code point in result with U+002B (+).
4. Replace every U+005F(_) code point in result with U+002F (/).
5. Let hash be the result of running forgiving-base64 decode with result.
6. If hash is not failure, and hash’s length is 32:
  1. If storedAuctionResultHeaders[requestOrigin] exists, then append hash to storedAuctionResultHeaders.
  2. Otherwise, set storedAuctionResultHeaders[requestOrigin] to « hash ».
Let adAuctionResultNonces be the result of getting, decoding, and splitting `Ad-Auction-Result-Nonce` from responseHeaders.
Delete "`Ad-Auction-Result-Nonce`" from responseHeaders.

NOTE: This step prevents the header value from being used outside the intended auctions —that is, scripts making the fetch() request aren’t able to load the header value.
If adAuctionResultNonces is not null, for each result of adAuctionResultNonces:
1. Strip leading and trailing ASCII whitespace from result.
2. Let nonce be the result of getting uuid from string on result.
3. If nonce is "", then continue.
4. Let nonceString be the string representation of nonce.
5. If storedAuctionResultNonceHeaders[requestOrigin] exists, then append nonceString to storedAuctionResultNonceHeaders.
6. Otherwise, set storedAuctionResultNonceHeaders[requestOrigin] to « nonceString ».

To handle ad auction signals header value given a byte sequence adAuctionSignals, captured ad auction signals headers storedSignalsHeaders, and origin requestOrigin:

Let parsedSignals be the result of parsing JSON bytes to an Infra value, given adAuctionSignals.
If parsedSignals is failure or not a list, return.
Let headerAdSlots be a new ordered set.
For each signal of parsedSignals:
1. If signal is not an ordered map, continue.
2. If signal["adSlot"] doesn’t exist, continue.
3. If headerAdSlots contains signal["adSlot"], continue. Optionally, report a warning to the console with a diagnostic error message indicating that a duplicate `Ad-Auction-Signals` adSlot dictionary was ignored.
4. Append signal["adSlot"] to headerAdSlots.
5. Let signalsKey be a new direct from seller signals key, with its seller set to requestOrigin and its ad slot set to signal["adSlot"].
6. Let processedSignals be a new direct from seller signals.
7. Remove signal["adSlot"].
8. For each key → value of signal:
  1. Switch on key:
    "sellerSignals"
    Set processedSignals’s seller signals to the result of serializing an Infra value to a JSON string, given value.
    "auctionSignals"
    Set processedSignals’s auction signals to the result of serializing an Infra value to a JSON string, given value.
    "perBuyerSignals"
    If value is not an ordered map, continue.
    
    For each buyer → buyerSignals of value:
    
    Let buyerOrigin be the result of parsing an https origin on buyer.
    
    If buyerOrigin is failure, continue.
    
    Let buyerSignalsString be the result of serializing an Infra value to a JSON string, given buyerSignals.
    
    Set processedSignals’s per buyer signals[buyerOrigin] to buyerSignalsString.
9. Set storedSignalsHeaders[signalsKey] to processedSignals.

14. Structures

typedef (long long or AuctionAd) PreviousWinElement;
typedef sequence<PreviousWinElement> PreviousWin;

dictionary BiddingBrowserSignals {
  required DOMString topWindowHostname;
  required USVString seller;
  required long joinCount;
  required long bidCount;
  required long recency;
  required long adComponentsLimit;
  required unsigned short multiBidLimit;

  record<DOMString, DOMString> requestedSize;
  USVString topLevelSeller;
  sequence<PreviousWin> prevWinsMs;
  object wasmHelper;
  unsigned long dataVersion;
  unsigned long crossOriginDataVersion;
  boolean forDebuggingOnlyInCooldownOrLockout = false;
};

dictionary ScoringBrowserSignals {
  required DOMString topWindowHostname;
  required USVString interestGroupOwner;
  required USVString renderURL;
  required unsigned long biddingDurationMsec;
  required DOMString bidCurrency;

  record<DOMString, DOMString> renderSize;
  unsigned long dataVersion;
  unsigned long crossOriginDataVersion;
  sequence<USVString> adComponents;
  boolean forDebuggingOnlyInCooldownOrLockout = false;
  USVString creativeScanningMetadata;
  sequence<USVString?> adComponentsCreativeScanningMetadata;
};

To convert an ad size to a map given an ad size adSize:

Let dict be a new empty map.
Let jsWidth be adSize’s width, converted to an ECMAScript value.
Set dict["width"] to the result of concatenating « ToString(jsWidth), adSize’s width units ».
Let jsHeight be adSize’s height, converted to an ECMAScript value.
Set dict["height"] to the result of concatenating « ToString(jsHeight), adSize’s height units ».
Return dict.

Note: ScoringBrowserSignals’s adComponents is undefined when ad component descriptors is null or an empty list. It cannot be an empty list.

dictionary ReportingBrowserSignals {
  required DOMString topWindowHostname;
  required USVString interestGroupOwner;
  required USVString renderURL;
  required double bid;
  required double highestScoringOtherBid;

  DOMString bidCurrency;
  DOMString highestScoringOtherBidCurrency;
  USVString topLevelSeller;
  USVString componentSeller;

  USVString buyerAndSellerReportingId;
  USVString selectedBuyerAndSellerReportingId;
};

ReportingBrowserSignals includes browser signals both reportResult() and reportWin() get.

topWindowHostname

Top-level origin’s host

interestGroupOwner

The winning interest group’s owner.

renderURL

The render URL returned by "generateBid()". It is k-anonymous

bid

Stochastically rounded winning bid. This is always in the bidder’s own currency

highestScoringOtherBid

The stochastically rounded value of the bid that got the second highest score, or 0 if it’s not available. 0 for top-level auctions with components

bidCurrency

The currency the bid is in

highestScoringOtherBidCurrency

The currency the highestScoringOtherBid is in

topLevelSeller

Copied from top level seller

componentSeller

Copied from component seller

buyerAndSellerReportingId

There are two scenerios in which this can be set:

Set if the winning ad had a buyer and seller reporting ID and the winning bid did not have selected buyer and seller reporting ID set, and that value was jointly k-anonymous combined with interest group owner, bidding script URL, ad creative URL, and null.
Set if the wining bid had a selected buyer and seller reporting ID and the winning ad had a buyer and seller reporting ID set in its listing in the interest group, and that value was jointly k-anonymous combined with interest group owner, bidding script URL, ad creative URL, the and winning bid’s selected buyer and seller reporting ID.

selectedBuyerAndSellerReportingId

A selected reporting id returned by "generateBid()". Set if the winning bid had a selected buyer and seller reporting ID set, and that value was jointly k-anonymous combined with buyer and seller reporting ID, interest group owner, bidding script URL, and ad creative URL.

dictionary ReportResultBrowserSignals : ReportingBrowserSignals {
  required double desirability;

  DOMString topLevelSellerSignals;
  double modifiedBid;
  unsigned long dataVersion;
};

desirability: The stochastically rounded value of the score returned by "scoreAd()" for the winning bid
topLevelSellerSignals: Metadata returned by the top-level seller’s "reportResult()", as JSON
modifiedBid: The stochastically rounded value of the bid value returned by the component seller’s "scoreAd()" method
dataVersion: Set to the value of the `Data-Version` header from the trusted scoring signals server, if any.

dictionary ReportWinBrowserSignals : ReportingBrowserSignals {
  double adCost;
  USVString seller;
  boolean madeHighestScoringOtherBid;
  DOMString interestGroupName;
  DOMString buyerReportingId;
  unsigned short modelingSignals;
  unsigned long dataVersion;
  KAnonStatus kAnonStatus;
};

enum KAnonStatus { "passedAndEnforced", "passedNotEnforced", "belowThreshold", "notCalculated" };

adCost

Stochastically rounded winner’s ad cost.

seller

The origin of the seller running the ad auction

madeHighestScoringOtherBid

True if the interest group owner was the only bidder that made bids with the second highest score

interestGroupName

Only set if all of the following are true:

The combination of the owner, name, bidding url, ad creative URL, and null are jointly k-anonymous.
The winning ad’s buyer and seller reporting ID and buyer reporting ID are null.
The winning bid’s selected buyer and seller reporting ID is null.

buyerReportingId

There are two scenerios in which this can be set:

Set if the winning ad had a buyer reporting ID but not a buyer and seller reporting ID set in its listing in the interest group, and the winning bid did not have selected buyer and seller reporting ID set, and that value was jointly k-anonymous combined with interest group owner, bidding script URL, ad creative URL, and null.
Set if the wining bid had a selected buyer and seller reporting ID and the winning ad had a buyer reporting ID set in its listing in the interest group, and that value was jointly k-anonymous combined with interest group owner, bidding script URL, ad creative URL, buyer and seller reporting ID, and selected buyer and seller reporting ID.

modelingSignals

A 0-4095 integer (12-bits) passed to reportWin(), with noising

dataVersion

Only set if the Data-Version header was provided in the response headers from the trusted bidding signals server

kAnonStatus

Indicate the k-anonymity status of the ad with the following KAnonStatus enums:

passedAndEnforced: The ad was k-anonymous and k-anonymity was required to win the auction.
passedNotEnforced: The ad was k-anonymous though k-anonymity was not required to win the auction.
belowThreshold: The ad was not k-anonymous but k-anonymity was not required to win the auction.
notCalculated: The browser did not calculate the k-anonymity status of the ad, and k-anonymity was not required to win the auction.

From a long-term perspective, the status will always be set to passedAndEnforced after k-anonymity is enforced. However, as a temporary solution, current implementations may set kAnonStatus to one of the other three statuses to allow API users to assess the future impact of enforcing that ads are k-anonymous.

dictionary DirectFromSellerSignalsForBuyer {
  any auctionSignals = null;
  any perBuyerSignals = null;
};

dictionary DirectFromSellerSignalsForSeller {
  any auctionSignals = null;
  any sellerSignals = null;
};

14.1. Interest group

An interest group is a struct with the following items:

expiry

A moment at which the browser will forget about this interest group.

owner

An origin. Frames that join interest groups owned by owner must either be served from owner, or another origin delegated by owner (See checking interest group permissions for details). The scheme must be "https".

name

A string. The (owner, name) tuple is a key that uniquely defines each interest group.

priority

A double, initially 0.0. Used to select which interest groups participate in an auction when the number of interest groups are limited by perBuyerGroupLimits. See applying interest groups limits to prioritized list.

enable bidding signals prioritization

A boolean, initially false. Being true if the interest group’s priority should be calculated using vectors from bidding signals fetch.

priority vector

Null or an ordered map whose keys are strings and whose values are double. Its dot product with the perBuyerPrioritySignals will be used in place of priority, if set.

priority signals overrides

Null or an ordered map whose keys are strings and whose values are double. Overrides the AuctionAdConfig’s corresponding priority signals.

seller capabilities

Null or an ordered map whose keys are origins and whose values are sets of seller capabilities. The seller capabilities this interest group grants to each seller.

all sellers capabilities

Null or a set of seller capabilities. The default seller capabilities granted to sellers not listed in seller capabilities.

Private Aggregation coordinator

An aggregation coordinator or null; where null specifies the default aggregation coordinator.

execution mode

One of three possible values: "compatibility", "frozen-context", or "group-by-origin". Initially "compatibility". Each value reprensents a long integer. TODO: Define spec for these execution modes, link to it from here and explain these modes.

bidding url

Null or a URL. The URL to fetch the buyer’s JavaScript from.

When non-null, the bidding url’s origin will always be same origin with owner.

bidding wasm helper url

Null or a URL. Lets the bidder provide computationally-expensive subroutines in WebAssembly, in addition to JavaScript, to be driven from the JavaScript function provided by bidding url.

When non-null, the bidding wasm helper url’s origin will always be same origin with owner.

update url

Null or a URL. Provides a mechanism for the group’s owner to periodically update the attributes of the interest group. See § 9 Interest Group Updates. Must be null if additional bid key is not null.

When non-null, the update url’s origin will always be same origin with owner.

trusted bidding signals url

Null or a URL. Provide a mechanism for making real-time data available for use at bidding time. See building trusted bidding signals url.

trusted bidding signals keys

Null or a list of strings. See building trusted bidding signals url.

trusted bidding signals slot size mode

"none", "slot-size" or "all-slots-requested-sizes". Initially "none". Each value reprensents a long integer. See calculate the ad slot size query param.

max trusted bidding signals url length

A long integer, initially 0. Indicates the maximum trusted bidding signals fetch url length for the interest group. 0 means no limit.

trusted bidding signals coordinator

Null or an origin, initially null. This is used to specify where to obtain the public key used for encryption and decryption in communication with a trusted bidding signal server running in a Trust Execution Environment (TEE). When this field is specified, the request will be sent to a trusted bidding signals server running in a TEE, and the value of max trusted bidding signals url length is ignored.

user bidding signals

Null or a string. Additional metadata that the owner can use during on-device bidding.

ads

Null or a list of interest group ad. Contains various ads that the interest group might show. Must be null if additional bid key is not null.

ad components

Null or a list of interest group ad. Contains various ad components (or "products") that can be used to construct ads composed of multiple pieces — a top-level ad template "container" which includes some slots that can be filled in with specific "products".

ad sizes

Null or a map whose keys are strings and values are ad sizes. Contains named sizes (width and height) that can be bound to ads to specify their render size.

size groups

Null or a map whose keys are strings and values are lists of strings. Contains named collections of ad sizes that can be used to declare a bundle of possible sizes which all apply to one ad url.

additional bid key

Null or a byte sequence of length 32. Must be null if ads or update url is not null. The Ed25519 public key (a 256-bit EdDSA public key) used to guarantee that this interest group, if used by an additional bid for a negative targeting, can only be used by its owner.

joining origin

An origin. The top level page origin from where the interest group was joined.

join counts

A list containing tuples of the day and per day join count. The day is calculated based on UTC time. The join count is a count of the number of times joinAdInterestGroup() was called for this interest group on the corresponding day.

join time

A moment at which the browser joined this interest group, updated upon each join and re-join.

bid counts

A list containing tuples of the day and per day bid count. The day is calculated based on UTC time. The bid count is a count of the number of times the bid calculated during runAdAuction() was greater than 0.

previous wins

A list of previous wins.

last updated

A moment when the interest group was last joined or successfully updated, whichever came later.

next update after

A moment at which the browser will permit updating this interest group. See interest group updates.

A regular interest group is an interest group whose additional bid key is null.

A negative interest group is an interest group whose additional bid key is not null.

An interest group ad is a struct with the following items:

render url: A URL. If this ad wins the auction, this URL (or a urn uuid that maps to this URL) will be returned by runAdAuction(). This URL is intended to be loaded into an ad iframe (or a fencedframe).
size group: Null or a string, initially null. The name of the size group (collection of render sizes) bound to this ad.
metadata: Null or a string. Extra arbitary information about this ad, passed to generateBid().
buyer reporting ID: Null or a string. Will be passed in place of interest group name to report win, or alongside the selected buyer and seller reporting ID, subject to k-anonymity checks. Only meaningful in ads, but ignored in ad components.
buyer and seller reporting ID: Null or a string. Will be passed in place of interest group name or buyer reporting ID, or alongside the selected buyer and seller reporting ID, to report win and report result, subject to k-anonymity checks. Also passed alongside selected buyer and seller reporting ID to scoreAd() if selected buyer and seller reporting ID is present. Only meaningful in ads, but ignored in ad components.
selectable buyer and seller reporting IDs: Null or a list of strings. A list of reporting ids which will be sent to generateBid(), in order to allow generateBid() to return a selected buyer and seller reporting ID. Only meaningful in ads, but ignored in ad components.
allowed reporting origins: Null or a list of origins. A list of up to 10 reporting origins that can receive reports with registered macros. Each origin’s scheme must be "https" and each origin must be enrolled. Only meaningful in ads, but ignored in ad components.
ad render ID: A string containing up to 12 ASCII bytes uniquely identifying this ad. Sent instead of the full interest group ad for auctions executed on a server.
creative scanning metadata: Null or a string, initially null. Sent with trusted scoring signals requests if send creative scanning metadata is true, and the basic HTTP GET based protocol, rather than encrypted one for TEE, is used.

A previous win is the interest group’s auction win history, to allow on-device frequency capping. It’s a struct with the following items:

time: A moment. Approximate time the interest group won an auction.
ad: An interest group ad. The ad that won the auction. Items except render url, metadata and ad render ID are excluded.

A seller capability is a permission granted by an interest group to sellers. It’s "interest-group-counts" or "latency-stats". Each value represents a single bit in a 4-byte byte sequence. The 4-byte byte sequence can store no more than 32 capabilities.

Note: More than 2 values, but probably not more than 32 values are planned, at least for a while. This way, there is not need to reserve more space for a while.

14.2. Currency tag

A currency tag is a string containing exactly 3 upper-case ASCII letters, or null. The null value is used to denote that the currency is unspecified.

To serialize a currency tag given a currency tag currency:

If currency is null, return "???".
Return currency.

To check whether a string is a valid currency tag given string currencyString:

If length of currencyString is not 3, return false.
If currencyString[0] is not a ASCII upper alpha code point, return false.
If currencyString[1] is not a ASCII upper alpha code point, return false.
If currencyString[2] is not a ASCII upper alpha code point, return false.
Return true.

To check a currency tag given the currency tags expected and actual:

If expected is null, return true.
If actual is null, return true.
If actual is equal to expected, return true.
Return false.

14.3. Auction config

An auction config is a struct with the following items:

seller

An origin. The origin of the seller running the ad auction. The scheme must be "https".

decision logic url

Null or a URL. The URL to fetch the seller’s JavaScript from. May be null when a server response is specified, otherwise is required.

The decision logic url’s origin will always be same origin with seller.

trusted scoring signals url

Null or a URL. Provide a mechanism for making real-time data (information about a specific ad creative) available for use at scoring time, e.g. the results of some ad scanning system.

max trusted scoring signals url length

A long integer, initially 0. Indicates the maximum trusted scoring signals fetch url length for the auction config. 0 means no limit.

trusted scoring signals coordinator

Null or an origin, initially null. This is used to specify where to obtain the public key used for encryption and decryption in communication with a trusted scoring signal server running in a Trust Execution Environment (TEE). When this field is specified, the request will be sent to a trusted scoring signals server running in a TEE, and the value of max trusted scoring signals url length is ignored.

send creative scanning metadata

A boolean, initially false. This controls whether additional fields used for creative scanning are passed with trusted scoring signals requests as query parameters (when the basic HTTP GET based protocol, rather than encrypted one for TEE, is used)

interest group buyers

Null or a list of origins. Owners of interest groups allowed to participate in the auction. Each origin’s scheme must be "https".

auction signals

Null, a string, a Promise, or failure. Opaque JSON data passed to both sellers' and buyers' script runners.

requested size

Null or an ad size, initially null. The size of the frame for the ad being selected by the auction.

all slots requested sizes

Null or a non-empty ordered set of ad sizes, initially null. The sizes of all frames for ads being selected by any auction in the frame.

seller signals

Null, a string, a Promise, or failure. Opaque JSON data passed to the seller’s script runner.

seller timeout

A duration in milliseconds, initially 50 milliseconds. Restricts the runtime of the seller’s scoreAd() script. If scoring does not complete before the timeout, the bid being scored is not considered further.

per buyer signals

Null, a Promise, failure, or an ordered map whose keys are origins and whose values are strings. Keys are buyers whose schemes must be "https". Values are opaque JSON data passed to corresponding buyer’s script runner.

per buyer timeouts

Null, a Promise, failure, or an ordered map whose keys are origins and whose values are durations in milliseconds. Keys are buyers whose schemes must be "https". Values restrict the runtime of corresponding buyer’s generateBid() script. If the timeout expires, only the bid submitted via setBid() is considered.

all buyers timeout

A duration in milliseconds, initially 50 milliseconds. Restricts the generateBid() script’s runtime for all buyers without a timeout specified in per buyer timeouts. If the timeout expires, only the bid submitted via setBid() is considered.

per buyer cumulative timeouts

Null, a Promise, failure, or an ordered map whose keys are origins and whose values are durations in milliseconds. Keys are buyers whose schemes must be "https". Values are collective timeouts for all interest groups of the buyer represented by the key. Includes the time of loading scripts and signals, and running the generateBid() functions. Once the timer expires, the affected buyer’s interest groups may no longer generate any bids. All bids generated before the timeout will continue to participate in the auction. Implementations should attempt, on a best-effort basis, to generate bids for each buyer in priority order, so lower priority interest groups are the ones more likely to be timed out. If Promises are passed in to the auction config for fields that support them, wait until configuration input promises resolve before starting the timer.

all buyers cumulative timeout

Null or a duration in milliseconds, initially null. Restricts a buyer’s cumulative timeout for all buyers without one specified in per buyer cumulative timeouts.

per buyer group limits

Null or an ordered map whose keys are origins and whose values are unsigned shorts. Keys are buyers whose schemes must be "https". Values restrict the number of bidding interest groups for a particular buyer that can participate in an auction.

all buyers group limit

An unsigned short, initially 65535. Limit on the number of bidding interest groups for all buyers without a limit specified in per buyer group limits.

per buyer priority signals

Null or an ordered map whose keys are origins and whose values are ordered maps, whose keys are strings and whose values are double. Per-buyer sparse vector whose dot product with priority vector is used to calculate interest group priorities. No signal’s key starts with "browserSignals.", which is reserved for values coming from the browser.

all buyers priority signals

Null or an ordered map whose keys are strings and whose values are double. Merged with per buyer priority signals before calculating per-interest group priorities. In the case both have entries with the same key, the entry in per_buyer_priority_signals takes precedence. No signals key start with "browserSignals.", which is reserved for values coming from the browser.

seller Private Aggregation coordinator

An aggregation coordinator, initially the default aggregation coordinator.

required seller capabilities

A set of seller capabilities. The seller capabilities that each interest group must declare to participate in the auction. Interest groups that don’t declare all these capabilities will not participate in the auction.

auction report buyer keys

A map from buyer origins to bigints. For buyer metrics delegated to be reported to the seller via the Private Aggregation API, this determines the base bucket number used for a particular buyer’s information.

auction report buyers

A map from strings to AuctionReportBuyersConfigs. For buyer metrics delegated to be reported to the seller via the Private Aggregation API, this determines how each metric bucket is chosen inside the buyer’s space, and how to scale it.

auction report buyer debug details

A debug details, initially a new one. Configures Private Aggregation debugging functionality for buyer metrics delegated to be reported to the seller.

component auctions

A list of auction configs. Nested auctions whose results will also participate in a top level auction. Only the top level auction config can have component auctions.

deprecated render url replacements

Null, a Promise, failure, or a list of ad keyword replacements, each containing a single match and replacement. Render url replacements can only happen within a single seller auction config or within the component auction configs.

seller experiment group id

Null or an unsigned short, initially null. Optional identifier for an experiment group to support coordinated experiments with the seller’s trusted server.

per buyer experiment group ids

An ordered map whose keys are origins and whose values are unsigned shorts. Keys are buyers whose schemes must be "https". Values are identifiers for experiment groups, to support coordinated experiments with buyers' trusted servers.

all buyer experiment group id

Null or an unsigned short, initially null. Optional identifier for an experiment group to support coordinated experiments with buyers' trusted servers for buyers without a specified experiment group.

pending promise count

An integer, initially 0. The number of things that are pending that are needed to score everything. It includes waiting for Promises auction signals, per buyer signals, per buyer currencies, per buyer timeouts, direct from seller signals header ad slot, seller signals, or additionalBids whose Promises are not yet resolved.

config idl

AuctionAdConfig.

resolve to config

A boolean or a Promise, initially false. Whether the ad should be returned as a FencedFrameConfig, or otherwise as a urn uuid.

seller currency

A currency tag. Specifies the currency bids returned by scoreAd() are expected to use, and which reporting for this auction will agree on.

per buyer currencies

A Promise or failure or an ordered map whose keys are origins and whose values are currency tags. Specifies the currency bids returned by generateBid() or scoreAd() in component auctions are expected to use. The initial value is an empty map.

all buyers currency

A currency tag. Specifies the currency bids returned by generateBid() or scoreAd() in component auctions are expected to use if per buyer currencies does not specify a particular value.

per buyer multi-bid limits

An ordered map who keys keys are origins and whose values are unsigned shorts.

Specifies how many bids generateBid() is permitted to return at once for a particular buyer origin. The initial value is an empty map.

all buyers multi-bid limit

An unsigned short. Initially 1. Specifies how many bids generateBid() is permitted to return at once for buyers without a value in per buyer multi-bid limits.

direct from seller signals header ad slot

Null, a string, a Promise, or failure. Initially null.

auction nonce

Null or a version 4 UUID, initially null. A unique identifier associated with this and only this invocation of navigator.runAdAuction(). For multi-seller auctions, this ID is uniquely associated with all componentAuctions. This must come from a prior call to navigator.createAuctionNonce(). This is only required for auctions that provide additional bids, and each of those additional bids must include the bid nonce derived from that auction nonce as computed by calculate expected bid nonce to ensure that each additional bid was intended for this and only this auction. For backwards compatibility, an additional bid may include the auction nonce directly in place of a bid nonce.

expects additional bids

A boolean or failure, initially false. Specifies whether some bids will be provided as signed exchanges. Sets to failure if the additionalBids Promise is rejected.

seller real time reporting config

Null, or a string, initially null. Seller’s real time reporting type. Currently the only supported type is "default-local-reporting" indicating local differential privacy. If not null, the seller opted in to receive real time reports.

per buyer real time reporting config

An ordered map, whose keys are origins, and whose values are strings. Each buyer’s real time reporting type. Currently the only supported type is "default-local-reporting" indicating local differential privacy. All buyers in the map opted in to receive real time reports.

server response

Null or a Promise or a Uint8Array containing an encrypted response from the trusted auction server.

server response id

Null or a version 4 UUID A UUID used to match a request from navigator.getInterestGroupAdAuctionData() to the encrypted response stored in auction config’s server response field. Must be null when auction config’s server response is null, and non-null otherwise.

aborted

A boolean indicating whether the auction has been aborted, initially false.

abort reason

any.

To wait until configuration input promises resolve given an auction config auctionConfig:

Wait until either auctionConfig’s pending promise count is 0 or auctionConfig’s aborted is true.
If auctionConfig’s aborted is true, return failure.
Assert auctionConfig’s auction signals, seller signals, per buyer signals, per buyer currencies, per buyer timeouts, per buyer cumulative timeouts, deprecated render url replacements, and direct from seller signals header ad slot are not Promises, and expects additional bids is false.
If auctionConfig’s auction signals, seller signals, per buyer signals, per buyer currencies, per buyer timeouts, per buyer cumulative timeouts, deprecated render url replacements, or direct from seller signals header ad slot is failure, return failure.
Return.

To recursively wait until configuration input promises resolve given an auction config auctionConfig:

For each componentAuctionConfig in auctionConfig’s component auctions:
1. If the result of waiting until configuration input promises resolve given componentAuctionConfig is failure, return failure.
Return the result of waiting until configuration input promises resolve given auctionConfig.

To handle an input promise in configuration given an auction config auctionConfig, a Promise p, and two sequences of steps, covering the parsing of the value and error-handling:

Increment auctionConfig’s pending promise count.
Let resolvedAndTypeChecked be the promise representing performing the following steps upon fulfillment of p with result:
1. Execute the steps to be run for parsing of the value given result.
2. If no exception was thrown in the previous step, then decrement auctionConfig’s pending promise count.
Upon rejection of resolvedAndTypeChecked:
1. Execute the steps for error-handling.
2. Decrement auctionConfig’s pending promise count.

To wait until server response promise resolves given an auction config auctionConfig:

Wait until either auctionConfig’s server response is not a Promise, or auctionConfig’s aborted is true.
If auctionConfig’s aborted is true, return failure.
If auctionConfig’s server response is failure, return failure.
Return.

To look up per-buyer currency given an auction config auctionConfig, and an origin buyer:

Let perBuyerCurrency be auctionConfig’s all buyers currency
Assert that auctionConfig’s per buyer currencies is an ordered map.
If auctionConfig’s per buyer currencies[buyer] exists, then set perBuyerCurrency to auctionConfig’s per buyer currencies[buyer].
Return perBuyerCurrency

To look up per-buyer multi-bid limit given an auction config auctionConfig, and an origin buyer:

Let multiBidLimit be auctionConfig’s all buyers multi-bid limit.
If auctionConfig’s per buyer multi-bid limits[buyer] exists, then set multiBidLimit to auctionConfig’s per buyer multi-bid limits[buyer].
If multiBidLimit < 1, set multiBidLimit to 1.
Return multiBidLimit.

14.4. Bid generator

A per buyer bid generator is an ordered map whose keys are URLs or null representing trusted bidding signals urls, and whose values are per signals url bid generators. The key of null is used for interest groups that do not specify a trusted bidding signals url.

A per signals url bid generator is an ordered map whose keys are origins representing joining origins, and whose values are lists of interest groups.

14.5. Script fetcher

A script fetcher helps manage asynchronous fetching of scripts and handling of their headers. It’s a struct with the following items:

script body: A byte sequence, null, or failure. Initially null. The body of the script.
origins authorized for cross origin trusted signals: A list of origins or null. Initially null. Parsed value of `Ad-Auction-Allow-Trusted-Scoring-Signals-From`.
fetch duration: A duration in milliseconds, denoting how long it took the fetch to complete.

To create a new script fetcher given a URL url and an environment settings object settings:

Let fetcher be a new script fetcher.
Let queue be the result of starting a new parallel queue.
Enqueue the following steps to queue:
1. Fetch script given url, settings and fetcher.
Return fetcher.

To wait for script body from a fetcher given a script fetcher fetcher:

Wait until fetcher’s script body is not null.
Return fetcher’s script body.

To wait for cross origin trusted scoring signals authorization from a fetcher given a script fetcher fetcher:

Wait until fetcher’s origins authorized for cross origin trusted signals is not null.
Return fetcher’s origins authorized for cross origin trusted signals.

The Ad-Auction-Allow-Trusted-Scoring-Signals-From HTTP response header is a structured header whose value must be a list of strings.

To parse allowed trusted scoring signals origins given a header list headerList:

Let parsedHeader be the result of getting a structured field value given `Ad-Auction-Allow-Trusted-Scoring-Signals-From` and "list" from headerList.
If parsedHeader is null, return an empty list.
Let result be a new list of origins.
For each entry in parsedHeader:
1. If entry is not a string, return an empty list.
2. Let parsedEntry be the result of parsing an https origin on entry.
3. If parsedEntry is failure, return an empty list.
4. Append parsedEntry to result.
Return result.

To fetch script given a URL url, an environment settings object settings, and a script fetcher fetcher:

Let request be a new request with the following properties:

URL

url

header list

«Accept: text/javascript»

client

null

origin

settings’s origin

mode

"no-cors"

referrer

"no-referrer"

credentials mode

"omit"

redirect mode

"error"

service-workers mode

"none"

policy container

A new policy container whose IP address space is settings’s policy container’s IP address space

Stop using "no-cors" mode where possible (WICG/turtledove#667).
Let fetchStart be settings’s current monotonic time.
Let fetchController be the result of fetching request with useParallelQueue set to true, and processResponse set to the following steps given a response response:
1. If the result of validating fetching response headers given response is false:
  1. Abort fetchController.
  2. Set fetcher’s origins authorized for cross origin trusted signals to an empty list of origins.
  3. Set fetcher’s fetch duration to the duration from fetchStart to settings’s current monotonic time, in milliseconds.
  4. Set fetcher’s script body to failure.
  5. Return.
2. Set fetcher’s origins authorized for cross origin trusted signals to the result of parsing allowed trusted scoring signals origins given response’s header list.
3. Let bodyStream be response’s body’s stream.
4. Let bodyReader be result of getting a reader from bodyStream.
5. Let successSteps be a set of steps that take a byte sequence responseBody, and perform the following:
  1. Set fetcher’s fetch duration to the duration from fetchStart to settings’s current monotonic time, in milliseconds.
  2. If validate fetching response mime and body with response, responseBody and "text/javascript" returns false, set fetcher’s script body to failure.
  3. Otherwise, set fetcher’s script body to responseBody.
6. Let failureSteps be a set of steps that take an exception e, and perform the following:
  1. Set fetcher’s script body to failure.
7. Read all bytes from bodyReader, given successSteps and failureSteps.

14.6. Trusted bidding signals batcher

A trusted bidding signals batcher helps manage merging multiple trusted bidding signals into smaller number of fetches. It’s a struct with the following items:

all trusted bidding signals: An ordered map whose keys are strings, and values are strings. Contains all trusted bidding signals collected thus far.
all per interest group data: An ordered map whose keys are name strings and whose values are bidding signals per interest group data.
no signals flags: An ordered map whose keys are name strings and whose values are enums "no-fetch" or "fetch-failed". This is set to "not-fetched" if given interest group did not request any trusted bidding signals keys, or "fetch-failed" if its trusted signals fetch failed.
data versions: An ordered map who keys are name strings and values are unsigned long or null. This contains data version returned by a fetch that provided the values for a given interest group name.
keys: An ordered set of strings. Describes the keys collected to be fetched in the current batch thus far.
ig names: An ordered set of strings. Describes the interest group names to be fetched in the current batch thus far.
length limit: A long, initially 2147483647 (the maximum value that it can hold). Describes the URL length limit the current batch is limited to, the smallest of the limits of the interest groups included.
key value interest groups: An ordered map whose keys are tuples of (an origin for joining origin, an origin for owner) and whose values are sets of interest groups.

A bidding signals per interest group data is a struct with the following items:

update if older than ms: Null or a double. If non-null, it is the duration in milliseconds after which the interest group is eligible for an update, if it hasn’t been joined or updated within that duration. When eligible, the update is performed either following a call to runAdAuction(), for each of the passed interestGroupBuyers, or explicitly by the updateAdInterestGroups() method.

A bidding compression group is a collection of bidding partitions that can be compressed together in the signals response. It’s a struct with the following items:

compression group id: An integer indicates the index of this compression group.
partitions: A list of bidding partition. Contains all the bidding partitions belong to this compression group.

A bidding partition is a collection of keys and ig names that can be processed together by the service without any potential privacy leakage. It’s a struct with the following items:

id: An integer indicates the index of this partition.
namespace: A map, whose keys are strings and values are list of strings. A namespace contains all names and trusted bidding signals keys in the partition.
metadata: A map, whose keys and values are strings.

To append to a bidding signals per-interest group data map given an ordered map sourceMap, an ordered set igNames, and an ordered map destinationMap:

For each sourceKey → sourceValue of sourceMap:
1. If igNames does not contain sourceKey, continue.
2. Let perGroupData be a new bidding signals per interest group data.
3. handle priority vector (WICG/turtledove#1144).
4. If sourceValue is not an ordered map, continue.
5. If sourceValue["updateIfOlderThanMs"] is a double:
  1. Let updateIfOlderThanMs be sourceValue["updateIfOlderThanMs"].
  2. If updateIfOlderThanMs < 600,000, set updateIfOlderThanMs to 600,000.
    
    Note: 600,000 milliseconds is 10 minutes.
  3. Set perGroupData’s update if older than ms to updateIfOlderThanMs.
6. If perGroupData’s update if older than ms is not null, then set destinationMap[sourceKey] to perGroupData.

To build trusted bidding signals url given a URL signalsUrl, an ordered set of strings keys, an ordered set of strings igNames, an unsigned short-or-null experimentGroupId, an origin topLevelOrigin, and a string slotSizeQueryParam:

Let queryParamsList be a new empty list.

Note: These steps create a query of the form "&<name>=<values in comma-delimited list>". E.g., "hostname=publisher1.com&keys=key1,key2&interestGroupNames=ad+platform,name2&experimentGroupId=1234".

These steps don’t use the application/x-www-form-urlencoded serializer to construct the query string because it repeats a key if it has multiple values instead of a comma-demilited list (e.g., "keys=key1&keys=key2", instead of "keys=key1,key2"), and it also uses a different percent encode set from the Chrome implementation.
Append "hostname=" to queryParamsList.
Append the result of UTF-8 percent-encoding the serialized topLevelOrigin using component percent-encode set to queryParamsList.
If keys is not empty:
1. Append "&keys=" to queryParamsList.
2. Append to queryParamsList the result of encode trusted signals keys with keys.
If igNames is not empty:
1. Append "&interestGroupNames=" to queryParamsList.
2. Append to queryParamsList the result of encode trusted signals keys with igNames.
If experimentGroupId is not null:
1. Append "&experimentGroupId=" to queryParamsList.
2. Append serialized experimentGroupId to queryParamsList.
Append slotSizeQueryParam to queryParamsList.
Let fullSignalsUrl be signalsUrl.
Set fullSignalsUrl’s query to the result of concatenating queryParamsList.
Return fullSignalsUrl.

To fetch the current outstanding trusted signals batch given a trusted bidding signals batcher trustedBiddingSignalsBatcher, a URL signalsUrl, an origin scriptOrigin, an unsigned short-or-null experimentGroupId, an origin topLevelOrigin, a string slotSizeQueryParam, and a policy container policyContainer:

If signalsUrl is null, return.
Let biddingSignalsUrl be the result of building trusted bidding signals url with signalsUrl, trustedBiddingSignalsBatcher’s keys, trustedBiddingSignalsBatcher’s ig names, experimentGroupId, topLevelOrigin, and slotSizeQueryParam.
Let « partialTrustedBiddingSignals, partialPerInterestGroupData, dataVersion » be the result of fetching trusted signals with biddingSignalsUrl, scriptOrigin, policyContainer and true.
If partialTrustedBiddingSignals is not null:
1. For each key → value in partialTrustedBiddingSignals, set trustedBiddingSignalsBatcher’s all trusted bidding signals[key] to value.
2. For each igName of trustedBiddingSignalsBatcher’s ig names, set trustedBiddingSignalsBatcher’s data versions[igName] to dataVersion.
3. Append to a bidding signals per-interest group data map with partialPerInterestGroupData, trustedBiddingSignalsBatcher’s ig names, and trustedBiddingSignalsBatcher’s all per interest group data.
Otherwise, for each igName of trustedBiddingSignalsBatcher’s ig names:
1. Set trustedBiddingSignalsBatcher’s no signals flags[igName] to "fetch-failed".

To batch or fetch trusted bidding signals given a trusted bidding signals batcher trustedBiddingSignalsBatcher, interest group ig, a URL signalsUrl, an origin scriptOrigin, an unsigned short-or-null experimentGroupId, an origin topLevelOrigin, a string slotSizeQueryParam, and a policy container policyContainer:

Let igName be ig’s name.
If signalsUrl is null:
1. Set trustedBiddingSignalsBatcher’s no signals flags [igName] to "no-fetch".
2. Return.
Set trustedBiddingSignalsBatcher’s no signals flags[igName] to "no-fetch" if ig’s trusted bidding signals keys is null or is empty.

Note: An interest group with no trusted signals keys requests would still fetch and process per-interest group data like priorityVector and update if older than ms, but it will get null passed in to its bidding function.
If ig’s trusted bidding signals coordinator is null:
1. Let putativeKeys be a clone of trustedBiddingSignalsBatcher’s keys.
2. Let putativeIgNames be a clone of trustedBiddingSignalsBatcher’s ig names.
3. Let putativeLengthLimit be ig’s max trusted bidding signals url length.
4. If ig’s max trusted bidding signals url length is 0 or > trustedBiddingSignalsBatcher’s length limit, then set putativeLengthLimit to trustedBiddingSignalsBatcher’s length limit.
5. If ig’s trusted bidding signals keys is not null, extend putativeKeys with ig’s trusted bidding signals keys.
6. Append igName to putativeIgNames.
7. Let biddingSignalsUrl be the result of building trusted bidding signals url with signalsUrl, putativeKeys, putativeIgNames, experimentGroupId, topLevelOrigin, and slotSizeQueryParam.
8. If serialized biddingSignalsUrl’s length ≤ putativeLengthLimit:
  1. Set trustedBiddingSignalsBatcher’s keys to putativeKeys.
  2. Set trustedBiddingSignalsBatcher’s ig names to putativeIgNames.
  3. Set trustedBiddingSignalsBatcher’s length limit to putativeLengthLimit.
9. Otherwise:
  1. Fetch the current outstanding trusted signals batch given trustedBiddingSignalsBatcher, signalsUrl, scriptOrigin, experimentGroupId, topLevelOrigin, slotSizeQueryParam, and policyContainer.
  2. If ig’s trusted bidding signals keys is not null, set trustedBiddingSignalsBatcher’s keys to a clone of ig’s trusted bidding signals keys.
  3. Otherwise, set trustedBiddingSignalsBatcher’s keys to a new list.
  4. Set trustedBiddingSignalsBatcher’s ig names to « igName ».
  5. Set trustedBiddingSignalsBatcher’s length limit to ig’s max trusted bidding signals url length.
Otherwise:
1. Let keyValueInterestGroups be trustedBiddingSignalsBatcher’s key value interest groups.
2. Let key be tuple of (ig’s joining origin, ig’s owner).
3. If keyValueInterestGroups contains key, append ig to keyValueInterestGroups[key].
4. Otherwise, set keyValueInterestGroups[key] to a set « ig ».

To build trusted key value bidding signals request body given a set interestGroups, an unsigned short-or-null experimentGroupId, an origin topLevelOrigin, a string slotSizeQueryParam, an origin coordinator, and an origin owner:

Let compressionGroups be an empty list, whose items are bidding compression groups.
Let compressionGroupMap be an empty map, where the keys are integers as compression group id, and the values are maps with integers as keys for id, and bidding partitions as their values.
Let compressionIdMap be an empty map, whose keys are origins and values are integers.
Let interestGroupIdMap be an empty map, whose keys are strings and values are tuples of (integer, integer).
Let slotSizeParams be the result of strictly splitting slotSizeQueryParam on U+003D (=).
Let nextCompressionGroupId be 0.
For each group of interestGroups:
1. Let joiningOrigin be group’s joining origin.
2. If compressionIdMap does not contain joiningOrigin:
  1. Set compressionIdMap[joiningOrigin] to nextCompressionGroupId.
  2. Increment nextCompressionGroupId by 1.
3. Let compressionGroupId be compressionIdMap[joiningOrigin].
4. If compressionGroupMap does not contain compressionGroupId:
  1. Set compressionGroupMap[compressionGroupId] to an empty map, whose keys are integers and values are maps.
5. Let partitionId be 0.
6. If group’s execution mode is not "group-by-origin":
  1. If compressionGroupMap[compressionGroupId] contains 0, set partitionId to size of compressionGroupMap[compressionGroupId].
  2. Otherwise, set partitionId to size of compressionGroupMap[joiningOrigin] plus 1.
7. Set interestGroupIdMap[group’s name] to tuple of (compressionGroupId, partitionId).
8. If compressionGroupMap[compressionGroupId] does not contain partitionId, set compressionGroupMap[compressionGroupId][partitionId] to a bidding partition with the following items:
  
  id
  
  partitionId
  
  namespace
  
  The ordered map «[ "interestGroupNames" → « group’s name », "biddingKeys" → group’s trusted bidding signals keys ]»
  
  metadata
  
  The ordered map «[ "experimentGroupId" → experimentGroupId, slotSizeParams[0] → slotSizeParams[1] ]»
9. Otherwise:
  1. Append group’s name into compressionGroupMap[compressionGroupId] [partitionId]["interest_group_names"].
  2. Append group’s trusted bidding signals keys into compressionGroupMap[compressionGroupId][partitionId]["bidding_keys"].
For each id → group in compressionGroupMap:
1. Let compressionGroup be a bidding compression group, whose compression group id is id, and partition is an empty list.
2. For each partition in group’s values:
  1. Append partition to compressionGroup’s partition.
3. Append compressionGroup to compressionGroups.
Let metadata be an empty map, whose keys and values are strings.
Let hostname be the result of UTF-8 percent-encoding the serialized topLevelOrigin using component percent-encode set.
Set metadata["hostname"] to hostname.
Let keyInfo be the result of looking up the server encryption key with owner and coordinator.
If keyInfo is failure, then return « null, null, null ».
Let (requestBlob, context) be the result of generating request with keyInfo, metadata and compressionGroups. The generation method may follow that described in Section 2.2.4 of the Protected Audience Key Value Services.
Return « requestBlob, interestGroupIdMap, context ».

To fetch the trusted key value signals batch given a trusted bidding signals batcher trustedBiddingSignalsBatcher, a URL signalsUrl, an origin scriptOrigin, an unsigned short-or-null experimentGroupId, an origin topLevelOrigin, a string slotSizeQueryParam, and a policy container policyContainer:

If signalsUrl is null, return.
For each (joiningOrigin, owner) → interestGroups of key value interest groups:
1. Let « requestBody, interestGroupIdMap, context » be the result of building trusted key value bidding signals request body with interestGroups, experimentGroupId, topLevelOrigin, slotSizeQueryParam, joiningOrigin and owner.
2. If requestBody is not null:
  1. Let « partialTrustedBiddingSignals, partialPerInterestGroupData, dataVersion » be the result of fetching trusted key value signals with signalsUrl, requestBody, context, scriptOrigin, policyContainer, interestGroupIdMap and true.
3. If partialTrustedBiddingSignals is not null:
  1. For each key → value in partialTrustedBiddingSignals, set trustedBiddingSignalsBatcher’s all trusted bidding signals[key] to value.
  2. Let igNames be interestGroupIdMap’s keys.
  3. For each igName of igNames, set trustedBiddingSignalsBatcher’s data versions[igName] to dataVersion[igName].
  4. Append to a bidding signals per-interest group data map with partialPerInterestGroupData, igNames, and trustedBiddingSignalsBatcher’s all per interest group data.
4. Otherwise, for each igName of igNames:
  1. Set trustedBiddingSignalsBatcher’s no signals flags[igName] to "fetch-failed".

14.7. Trusted scoring signals batcher

A trusted scoring signals batcher helps manage merging multiple trusted scoring signals requests into smaller number of fetches. It’s a struct with the following items:

request queue: A list of trusted scoring signals requests that hasn’t yet been organized to aid batching.
request map: A map from a tuple of script fetcher, a URL representing the trusted signals base URL, unsigned short or null for experiment ID, origin or null for coordinator, and origin, representing the top frame’s origin, and a boolean representing whether to send creative scanning info, to a list of trusted scoring signals requests. This organizes fetches that can possibly be merged together.
url length limit: A long denoting a user-configured limit which should not be exceeded due to combining of fetches. 0 denotes no limit, and is the initial value.

A creative info is a struct with the following items:

ad descriptor: An ad descriptor.
creative scanning metadata: A string, initially empty.
interest group owner: origin, or null.
buyer or seller reporting id: A string, initially empty.

To fill in creative info given a boolean sendCreativeScanningMetadata, an ad descriptor adDescriptor, an origin ownerOrigin, and an interest group ad bidAd:

Let result be a new creative info.
If sendCreativeScanningMetadata is true:
1. Set result’s ad descriptor to adDescriptor.
2. If bidAd’s creative scanning metadata is not null, set result’s creative scanning metadata to it.
3. Set result’s interest group owner to ownerOrigin.
4. If bidAd’s buyer and seller reporting ID is not null, set result’s buyer or seller reporting id to it.
Otherwise:
1. Set result’s ad descriptor to a new ad descriptor whose url to adDescriptor’s url.
Return result.

A trusted scoring signals request is a struct with the following items, representing all information needed to produce a trusted scoring signals fetch for a single scoring invocation:

send creative scanning metadata: A boolean, to determine whether creative scanning metadata should be added to requests using the basic HTTP GET based protocol (rather than encrypted one for TEE).
seller: An origin of the seller the fetch is on behalf of.
seller script fetcher.: A script fetcher for the seller’s decision logic script.
base url: A URL, the base URL for trusted seller signals to fetch.
seller experiment group id: Null or an unsigned short, initially null.
top level origin: An origin. The origin of top-level frame in the hierarchy containing the document running the auction.
ad: The creative info for main ad to pass with the fetch.
ad components: A set of creative info, information about component ads to pass with the fetch.
policy container: A policy container to use for the network fetch.
signal coordinator: An origin to use for the public key fetch.
owner origin: An origin of the owner on behalf of the initial interest group.
joining origin: An origin of the owner’s joining origin on behalf of the initial interest group.
reply: A trusted scoring signals reply, null, or failure. Initially null. Set to a non-null value when the fetch has been completed.

A trusted scoring signals reply is a struct with the following items

all trusted scoring signals: A ordered map or failure.
data version: An unsigned long or null.

A scoring compression group is a collection of scoring partitions that can be compressed together in the signals response. It’s a struct with the following items:

compression group id: An integer indicates the index of this compression group.
partitions: A list of scoring partition. Contains all the scoring partitions belong to this compression group.

A scoring partition is a collection of ad and ad component render URLs that can be processed together by the service without any potential privacy leakage. It’s a struct with the following items:

id: An integer indicates the index of this partition.
namespace: A map, whose keys are strings and values are list of strings. A namespace contains all URLs of ads and component ads in the partition.
metadata: A map, whose keys and values are strings.

To create a trusted scoring signals batcher given a long urlLengthLimit:

Let batcher be a new trusted scoring signals batcher.
Set batcher’s url length limit to urlLengthLimit.
Let queue be the result of starting a new parallel queue.
Enqueue the following steps to queue:
1. Batch and fetch trusted scoring signals given batcher.
Return batcher.

To fetch trusted scoring signals with batching given a trusted scoring signals batcher batcher and a trusted scoring signals request request:

Append request to batcher’s request queue.
Wait until request’s reply is non-null.
Return request’s reply.

To extract URLs from creative info given an ordered set of creative info creativeInfoSet:

Let result be a new list of strings.
For each creativeInfo in creativeInfoSet:
1. Append serialized creativeInfo’s ad descriptor’s url to result.
Return result.

To extract creative scanning metadata given an ordered set of creative info creativeInfoSet:

Let result be a new list of strings.
For each creativeInfo in creativeInfoSet:
1. Append creativeInfo’s creative scanning metadata to result.
Return result.

To extract buyers given an ordered set of creative info creativeInfoSet:

Let result be a new list of strings.
For each creativeInfo in creativeInfoSet:
1. Append the serialization of creativeInfo’s interest group owner to result.
Return result.

To extract buyer and seller reporting ids given an ordered set of creative info creativeInfoSet:

Let result be a new list of strings.
For each creativeInfo in creativeInfoSet:
1. Append creativeInfo’s buyer or seller reporting id to result.
Return result.

To add trusted signals param if needed given a string param, a list of strings input and a list of strings queryParamsList:

If input is not empty:
1. Append param to queryParamsList.
2. Append the result of encode trusted signals keys of input to queryParamsList.

To add trusted signals size param if needed given a string param, a list of creative info input and a list of strings queryParamsList:

If input is not empty:
1. Append param to queryParamsList.
2. Let sizes be an empty list of strings.
3. For each creative of input:
  1. If creative’s ad descriptor’s size is null, append "," to sizes.
  2. Otherwise, append the result of converting an ad size to a string given creative’s ad descriptor’s size to sizes.
4. Append the result of concatenating sizes with separator set to "," to queryParamsList.
Note: this works differently from other query parameters since it has a comma that we do not want to escape, and none of the other characters used to represent the width and height of each ad need to be escaped either.

To build trusted scoring signals url given a boolean sendCreativeScanningMetadata, a URL signalsUrl, an ordered set of creative info ads, an ordered set of creative info componentAds, an unsigned short experimentGroupId, and an origin topLevelOrigin:

Note: When trusted scoring signals fetches are not batched, ads’s size is 1.

Let queryParamsList be a new empty list.
Append "hostname=" to queryParamsList.
Append the result of UTF-8 percent-encoding topLevelOrigin using component percent-encode set to queryParamsList.
Let renderURLs be the result of extracting URLs from creative info given ads.
Add trusted signals param if needed given "&renderURLs=", renderURLs, queryParamsList.
Let adComponentRenderURLs be the result of extracting URLs from creative info given componentAds.
If adComponentRenderURLs is not empty:
Add trusted signals param if needed given "&adComponentRenderURLs=", adComponentRenderURLs, queryParamsList.
If experimentGroupId is not null:
1. Append "&experimentGroupId=" to queryParamsList.
2. Append serialized experimentGroupId to queryParamsList.
If sendCreativeScanningMetadata is true:
1. Add trusted signals param if needed given "&adCreativeScanningMetadata=", the result of extracting creative scanning metadata given ads, queryParamsList.
2. Add trusted signals param if needed given "&adComponentCreativeScanningMetadata=", the result of extracting creative scanning metadata given componentAds, queryParamsList.
3. Add trusted signals size param if needed given "&adSizes=", ads, queryParamsList.
4. Add trusted signals size param if needed given "&adComponentSizes=", componentAds, queryParamsList.
5. Add trusted signals param if needed given "&adBuyer=", the result of extracting buyers given ads, queryParamsList.
6. Add trusted signals param if needed given "&adComponentBuyer=", the result of extracting buyers given componentAds, queryParamsList.
7. Add trusted signals param if needed given "&adBuyerAndSellerReportingIds=", the result of extracting buyer and seller reporting ids given ads, queryParamsList.
Set signalsUrl’s query to the result of concatenating queryParamsList.
Return signalsUrl.

To build batched trusted scoring signals url given a non-empty list of trusted scoring signals requests entriesToBatch:

Let firstEntry be entriesToBatch[0].
Let ads be an empty ordered set of creative info.
Let componentAds be an empty ordered set of creative info.
For each entry of entriesToBatch:
1. Assert that entry’s base URL is equal to firstEntry’s base URL.
2. Assert that entry’s seller experiment group id is equal to firstEntry’s seller experiment group id.
3. Assert that entry’s top level origin is equal to firstEntry’s top level origin.
4. Assert that entry’s seller script fetcher is equal to firstEntry’s seller script fetcher.
5. Assert that entry’s policy container is equal to firstEntry’s policy container.
6. Assert that entry’s send creative scanning metadata is equal to firstEntry’s send creative scanning metadata.
7. Append entry’s ad to ads.
8. Extend componentAds with entry’s ad components.
Return the result of building trusted scoring signals url with firstEntry’s send creative scanning metadata, firstEntry’s base URL, ads, componentAds, firstEntry’s seller experiment group id, firstEntry’s top level origin.

To check if trusted scoring signals batch honors URL length limit given a trusted scoring signals batcher batcher and a non-empty list of trusted scoring signals requests entriesToBatch:

If the size of entriesToBatch is 1, return true.
If batcher’s url length limit is 0, return true.
Return whether the length of the result of building batched trusted scoring signals url for entriesToBatch ≤ batcher’s url length limit.

To build trusted key value scoring signals request body given a non-empty list of trusted scoring signals requests entriesToBatch:

Let firstRequest be entriesToBatch[0].
Let compressionGroups be an empty list, whose items are scoring compression groups.
Let compressionGroupMap be an empty map, where the keys are integers as compression group id, and the values are maps with integers as keys for id, and scoring partitions as their values.
Let compressionIdMap be an empty map, whose keys are tuples of (origin, origin) and values are integers.
Let renderUrlIdMap be an empty map, whose keys are URLs and values are tuples of (interger, integer).
Let nextCompressionGroupId be 0.
For each request of entriesToBatch:
1. Let mapKey be a tuple of (request’s owner origin, request’s joining origin).
2. If compressionIdMap does not contain mapKey:
  1. Set compressionIdMap[mapKey] to nextCompressionGroupId.
  2. Increment nextCompressionGroupId by 1.
3. Let compressionGroupId be compressionIdMap[mapKey].
4. If compressionGroupMap does not contain compressionGroupId, then set compressionGroupMap[compressionGroupId] to an empty map, whose keys are integers.
5. Let partitionId be size of compressionGroupMap[compressionGroupId].
6. Let renderURL be request’s ad’s ad descriptor’s url.
7. Let adComponentRenderURLs be the result of extracting URLs from creative info given request’s ad components.
8. Set renderUrlIdMap[renderURL] to tuple of (compressionGroupId, partitionId).
9. Set compressionGroupMap[compressionGroupId][partitionId] to a scoring partition with the following items:
  
  id
  
  partitionId
  
  namespace
  
  The ordered map «[ "renderUrls" → « renderURL », "adComponentRenderUrls" → adComponentRenderURLs ]»
  
  metadata
  
  The ordered map «[ "experimentGroupId" → firstRequest’s seller experiment group id ]»
For each id → group in compressionGroupMap:
1. Let compressionGroup be an scoring compression group whose compression group id is id and partition is an empty list.
2. For each partition in group’s values:
  1. Append partition to compressionGroup’s partitions.
3. Append compressionGroup to compressionGroups.
Let metadata be an empty map, whose keys and values are strings.
Let hostname be the result of UTF-8 percent-encoding the serialized firstRequest’s top level origin using component percent-encode set.
Set metadata["hostname"] to hostname.
Let keyInfo be the result of looking up the server encryption key with firstRequest’s seller and firstRequest’s signal coordinator.
If keyInfo is failure, then return « null, null, null ».
Let (requestBlob, context) be the result of generating request with keyInfo, metadata and compressionGroups. The generation method may follow that described in Section 2.2.4 of the Protected Audience Key Value Services.
Return « requestBlob, renderUrlIdMap and context ».

To build batched trusted key value scoring signals request body given a non-empty list of trusted scoring signals requests entriesToBatch:

Let firstEntry be entriesToBatch[0].
For each entry of entriesToBatch:
1. Assert that entry’s base URL is equal to firstEntry’s base URL.
2. Assert that entry’s seller is equal to firstEntry’s seller.
3. Assert that entry’s seller experiment group id is equal to firstEntry’s seller experiment group id.
4. Assert that entry’s top level origin is equal to firstEntry’s top level origin.
5. Assert that entry’s seller script fetcher is equal to firstEntry’s seller script fetcher.
6. Assert that entry’s policy container is equal to firstEntry’s policy container.
Return the result of building trusted key value scoring signals request body with entriesToBatch.

To batch and fetch trusted scoring signals given a trusted scoring signals batcher batcher:

Assert that these steps are running in parallel.
Until batcher is no longer needed:
1. Wait until at least one of the following is true:
  - batcher’s request queue is not empty.
  - batcher’s request map is not empty and some heuristically chosen amount of time has passed.
2. Atomically do:
  1. Let incomingRequests be a clone of batcher’s request queue.
  2. Empty batcher’s request queue.
  Note: the result of atomicity is that any concurrent attempts to modify batcher’s request queue while these steps are running will not result in different items being removed by the Empty operation than were cloned into incomingRequests.
3. For each request in incomingRequests:
  1. Let key be (request’s seller script fetcher, request’s base url, request’s seller experiment group id, request’s top level origin, request’s signal coordinator, request’s send creative scanning metadata).
  2. If batcher’s request map[key] does not exist, then set batcher’s request map[key] to an empty list.
  3. Append request to batcher’s request map[key].
4. Some number of times, heuristically, select a key from batcher’s request map:
  1. If key’s signal coordinator is null:
    1. Select a non-empty subset of batcher’s request map[key], called entriesToBatch, such that checking if trusted scoring signals batch honors URL length limit on batcher and entriesToBatch returns true:
      
      Note: implementations are free to wait to collect more requests to merge (by leaving things in the batcher’s request map), or send them individually, but need to take into account the configured URL length limit if they do combine requests. All entries need to be handled eventually.
      1. Remove entriesToBatch from batcher’s request map[key].
      2. If batcher’s request map[key] is empty, then remove key from batcher’s request map.
      3. Let fullSignalsUrl be the result of building batched trusted scoring signals url for entriesToBatch.
      4. Let seller be entriesToBatch[0]'s seller.
      5. Let scriptFetcher be entriesToBatch[0]'s seller script fetcher.
      6. If fullSignalsUrl’s origin is not same origin with seller then:
        
        Let allowCrossOriginTrustedScoringSignalsFrom be the result of wait for cross origin trusted scoring signals authorization from a fetcher given scriptFetcher.
        
        If allowCrossOriginTrustedScoringSignalsFrom does not contain fullSignalsUrl’s origin, set fullSignalsUrl to null.
      7. Let result be failure.
      8. If fullSignalsUrl is not null:
        
        Let «allTrustedScoringSignals, ignored, scoringDataVersion» be the result of fetching trusted signals with fullSignalsUrl, seller, entriesToBatch[0]'s policy container, and false.
        
        If allTrustedScoringSignals is an ordered map:
        
        Set result to a new trusted scoring signals reply
        
        Set result’s all trusted scoring signals to allTrustedScoringSignals.
        
        Set result’s data version to scoringDataVersion.
      9. For each entry in entriesToBatch:
        
        Set entry’s reply to result.
  2. Otherwise:
    1. Select a non-empty subset of batcher’s request map[key], called entriesToBatch.
    2. Remove key from batcher’s request map.
    3. Let « requestBody, renderUrlIdMap, context » be the result of building batched trusted key value scoring signals request body for entriesToBatch.
    4. Let baseUrl be entriesToBatch[0]'s base url.
    5. Let seller be entriesToBatch[0]'s seller.
    6. Let scriptFetcher be entriesToBatch[0]'s seller script fetcher.
    7. If baseUrl’s origin is not same origin with seller then:
      1. Let allowCrossOriginTrustedScoringSignalsFrom be the result of wait for cross origin trusted scoring signals authorization from a fetcher given scriptFetcher.
      2. If allowCrossOriginTrustedScoringSignalsFrom does not contain baseUrl’s origin, set baseUrl to null.
    8. Let allTrustedScoringSignals be failure.
    9. If baseUrl and requestBody are not null, let «allTrustedScoringSignals, ignored, scoringDataVersionMap» be the result of fetching trusted key value signals with baseUrl, requestBody, context, seller, entriesToBatch[0]'s policy container, renderUrlIdMap and false.
    10. If allTrustedScoringSignals is an ordered map:
      1. For each entry in entriesToBatch:
        
        Let result be a new trusted scoring signals reply.
        
        Set result’s all trusted scoring signals to allTrustedScoringSignals.
        
        If scoringDataVersionMap is not null:
        
        Let renderURL be entry’s ad’s ad descriptor’s url.
        
        Set result’s data version to scoringDataVersionMap[serialized renderURL].
        
        Set entry’s reply to result.
    11. Otherwise, for each entry in entriesToBatch:
      1. Set entry’s reply to failure.

14.8. Generated bid

A generated bid is a bid that needs to be scored by the seller. The bid is either the result of evaluating a bidding script, or an additional bid provided by the `Ad-Auction-Additional-Bid` response headers. It’s a struct with the following items:

reporting id

A reporting bid key or null, initially null. Used to identify a generated bid.

for k-anon auction

A boolean, initially true. If this is false, the bid is only used to determine the hypothetical winner with no k-anonymity constraints, which would be used to update k-anonymity counts only.

bid

A bid with currency, or null. If not null and the value is zero or negative, then this interest group will not participate in the auction. This field should only be null if the top-level auction is performed on a trusted auction server.

bid in seller currency

A double or null. An equivalent of the original bid in seller’s currency. This is either the original bid if the currency already matched, or a conversion provided by scoreAd().

ad

A string. JSON string to be passed to the scoring function.

TODO: Check whether ad descriptor can be moved to bid ad to avoid duplication (WICG/turtledove#868).

ad descriptor

An ad descriptor. Render URL and size of the bid’s ad.

ad component descriptors

Null or a list of ad descriptors. Ad components associated with bid, if any. Will be limited to at most 40 items (and if targetNumAdComponents was specified, it will have exactly that many items) by the time the bid participates in the auction. Must be null if the interest group making this bid has a null ad components field.

selected buyer and seller reporting ID

Null or string. The selected reporting id from the selectable buyer and seller reporting IDs within the interest group. If present, this will be:

Passed alongside buyer reporting ID and buyer and seller reporting ID to report win subject to k-anonymity checks.
Passed alongside buyer and seller reporting ID to report result subject to k-anonymity checks.
Passed alongside buyer and seller reporting ID to scoreAd().

ad cost

Null or a double. Advertiser click or conversion cost passed from generateBid() to reportWin(). Negative values will be ignored and not passed. Will be stochastically rounded when passed.

modeling signals

Null or an unsigned short. A 0-4095 integer (12-bits) passed to reportWin(), with noising.

interest group

An interest group, whose generateBid() invocation generated this bid, or specified by the additional bid.

bid ad

The interest group ad within interest group to display.

bid ad components

A list of interest group ad ad components within interest group to display.

modified bid

Null or a bid with currency. Being null for top level auction. The bid value a component auction’s scoreAd() script returns.

bid duration

A duration in milliseconds. How long it took to run generateBid().

provided as additional bid

A boolean, initially false.

component seller

Null or an origin. Seller in component auction which the interest group is participating. Only set for component auctions, null otherwise.

target number of ad components

Null or unsigned long, initially null. Set if the bidder requested ad component descriptors they provided to be reduced to the given target, taking in account k-anonymity.

number of mandatory ad components

unsigned long, initially 0. Only relevant if target number of ad components is set. Requires the first that many given ad components to be included.

To apply any component ads target to a bid, given a generated bid generatedBid:

If generatedBid’s target number of ad components is null, return.
Assert that generatedBid’s ad component descriptors is not null.
While generatedBid’s ad component descriptors’s size > target number of ad components:
1. Remove the last value from generatedBid’s ad component descriptors.

To try to reach component ads target considering k-anonymity, given a generated bid generatedBid:

If generatedBid’s target number of ad components is null, return false.
Let ig be generatedBid’s interest group.
Let selectedComponents be a new list of ad descriptors.
For each i of get the indices of generatedBid:
1. Let candidateComponent be generatedBid’s ad component descriptors[i].
2. Compute componentAdHashCode by getting the result of compute the key hash of component ad given candidateComponent’s render url.
3. If query k-anonymity cache given ig’s owner, ig’s name, and componentAdHashCode returns true:
  1. Append candidateComponent to selectedComponents.
4. Otherwise:
  1. If i < generatedBid’s number of mandatory ad components, return false.
If selectedComponents’s size < generatedBid’s target number of ad components, return false.
Set generatedBid’s ad component descriptors to selectedComponents.
Apply any component ads target to a bid given generatedBid.
Return query generated bid k-anonymity count given generatedBid.

To adjust bid list based on k-anonymity given a list of generated bids bidsBatch:

Let bidsToScore be a new list of generated bids
For each generatedBid of bidsBatch:
1. Let bidCopy be a clone of generatedBid.
2. Set bidCopy’s for k-anon auction to false.
3. Apply any component ads target to a bid given bidCopy.
4. Append bidCopy to bidsToScore
5. Let selectedReportingId be a string-or-null that is set to null.
6. If generatedBid’s selected buyer and seller reporting ID is not null, set selectedReportingId to it.
7. Let igAd be the interest group ad from generatedBid’s interest group’s ads whose render url is generatedBid’s ad descriptor’s url.
8. Let isBidKAnon be the result of query generated bid k-anonymity count given generatedBid.
9. If isBidKAnon is true and running query reporting ID k-anonymity count with generatedBid’s interest group, igAd, selectedReportingId is true:
  1. Append generatedBid to bidsToScore.
  Note: Conceptually, a bid that’s already k-anonymous is considered for both the k-anonymous and non-enforcing-k-anonymity leadership, which is represented here in the specification by two separate generated bid objects that get scored independently. An implementation does not, however, actually need to perform the relevant work twice.
10. Otherwise, if the result of applying try to reach component ads target considering k-anonymity given generatedBid is true:
  1. Append generatedBid to bidsToScore.
Return bidsToScore.

A bid debug reporting info is a struct with the following items:

component seller: Null or an origin. Seller in component auction which was running to produce this reporting information. Only set for component auctions, null otherwise.
interest group owner: An origin. Matches owner of the interest group that was used to call generateBid() to produce this reporting information.
bidder debug win report url: Null or a URL, initially null. Set by generateBid()’s forDebuggingOnly’s reportAdAuctionWin(url).
bidder debug loss report url: Null or a URL, initially null. Set by generateBid()’s forDebuggingOnly’s reportAdAuctionLoss(url).
seller debug win report url: Null or a URL, initially null. In the case of a component auction, these are the values from component seller that the scored ad was created in. Set by scoreAd()’s forDebuggingOnly’s reportAdAuctionWin(url).
seller debug loss report url: Null or a URL, initially null. In the case of a component auction, these are the values from component seller that the scored ad was created in. Set by scoreAd()’s forDebuggingOnly’s reportAdAuctionLoss(url).
top level seller debug win report url: Null or a URL, initially null. Set in the case this bid was made in a component auction, won it, and was then scored by the top-level seller. Set by top-level seller’s scoreAd()’s forDebuggingOnly’s reportAdAuctionWin(url).
top level seller debug loss report url: Null or a URL, initially null. Set in the case this bid was made in a component auction, won it, and was then scored by the top-level seller. Set by top-level seller’s scoreAd()’s forDebuggingOnly’s reportAdAuctionLoss(url).
server filtered debugging only reports: A map whose keys are origins and whose values are lists of urls. forDebuggingOnly reports that have been filtered (also downsampled) by the trusted auction server.

A bid with currency is a struct with the following items:

value: A double. The value of the bid.
currency: A currency tag. The currency the bid is in.

An ad descriptor is a struct with the following items:

url: A URL, which will be rendered to display the ad creative if this bid wins the auction.
size: Null or an ad size, initially null.

An ad size is a struct with the following items:

width: A double.
width units: A string. Can only be one of "px" (pixel), "sh" (screen height), and "sw" (screen width).
height: A double.
height units: A string. Can only be one of "px" (pixel), "sh" (screen height), and "sw" (screen width).

To parse an AdRender ad size given an object adSlotSize:

If either adSlotSize["height"] or adSlotSize["width"] does not exist, return null.
Let width and widthUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adSlotSize["width"], respectively.
If width is null, return null.
Let height and heightUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adSlotSize["height"], respectively.
If height is null, return null.
Let adSize be a new ad size.
Set adSize’s width to width, width units to widthUnit, height to height, height units to heightUnit.
Return adSize.

An ad keyword replacement is a struct with the following items:

match: A string, represents the match within a renderURL, that is going to be replaced by replacement. Must be in the format ${...} or %%...%%.
replacement: A string, meant to replace match within a renderURL.

14.9. Direct from seller signals

A direct from seller signals key is a struct with the following items:

seller: An origin. Matches the origin that served the captured `Ad-Auction-Signals` header.
ad slot: A string. Matches the adSlot key of the JSON dictionaries in the top-level array of the `Ad-Auction-Signals` value.

A direct from seller signals is a struct with the following items:

auction signals: Null or a string. Opaque JSON data passed to both buyers' and the seller’s script runners.
seller signals: Null or a string. Opaque JSON data passed to the seller’s script runner.
per buyer signals: A map whose keys are origins and whose values are strings. Keys are buyers whose scheme must be "https". Values are opaque JSON data passed to corresponding buyer’s script runner.

14.10. Additional bids

A signed additional bid with metadata is a struct with the following items:

signed additional bid: A string for an encoded additional bid.
seller nonce: Null or a string. If present, represents the randomly-generated seller nonce returned in the `Ad-Auction-Additional-Bid` response header. This must be 36 characters, and should be the canonoical string representation of a version 4 UUID.

14.11. Score ad output

The output of running a Protected Audience scoreAd() script, is represented using the following type:

dictionary ScoreAdOutput {
  required double desirability;
  double bid;
  DOMString bidCurrency;
  double incomingBidInSellerCurrency;
  boolean allowComponentAuction = false;
};

Either a dictionary of this type, or a double, are handled as the return values.

The meanings of the fields are as follows:

desirability: Numeric score of the bid. Must be positive or the ad will be rejected. The winner of the auction is the bid which was given the highest score.
bid: Only relevant if this is a component auction. If present, this will be passed to the top-level seller’s scoreAd() and reportResult() methods instead of the original bid, if the ad wins the component auction and top-level auction, respectively.
bidCurrency: Only relevant if this is a component auction and bid is set. Specifies which currency the bid field is in.
incomingBidInSellerCurrency: Provides a conversion of the incoming bid to auction’s seller currency. This is different from bid which is the bid the component auction itself produces.
allowComponentAuction: If the bid being scored is from a component auction and this value is not true, the bid is ignored. This field must be present and true both when the component seller scores a bid, and when that bid is being scored by the top-level auction.

TODO: This also has an ad field, which should behave similar to the way bid affects modified bid, and then affecting the adMetadata parameter to scoreAd.

To process scoreAd output given an Completion Record result:

If result is an an abrupt completion, return failure.
If result.[[Value]] is a Number:
1. Let checkedScore be the result of converting result.[[Value]] to a double.
2. If an exception was thrown in the previous step, return failure.
3. Let resultIDL be a new ScoreAdOutput.
4. Set resultIDL’s desirability to checkedScore.
5. Return resultIDL.
Let resultIDL be the result of converting result.[[Value]] to a ScoreAdOutput.
If an exception was thrown in the previous step, return failure.
If resultIDL["bidCurrency"] exists and result of checking whether a string is a valid currency tag applied to resultIDL["bidCurrency"] is false, then return failure.
Return resultIDL.

14.12. Leading bid info

A leading bid info is the information of the auction’s leading bid so far when ranking scored bids. It’s a struct with the following items:

top score: A double, initially 0.0. The highest score so far.
top non-k-anon-enforced score: A double, initially 0.0. The highest score so far when disregarding k-anonymity.
top bids count: An integer, initially 0. The number of bids with the same top score.
top non-k-anon-enforced bids count: Number of bids that are tied for leadership when disregarding k-anonymity thus far.
at most one top bid owner: A boolean, initially true. Whether all bids of top score are from the same interest group owner.
leading bid: Null or a generated bid, initially null. The leading bid of the auction so far.
leading non-k-anon-enforced bid: Null or a generated bid, initially null. The leading bid of the auction disregarding k-anonymity so far.
auction config: An auction config. The auction config of the auction which generated this leading bid.
second highest score: A double, initially 0.0. The second highest score so far. If more than one bids tie with top score, this will be set to top score.
highest scoring other bids count: An integer, initially 0. The number of bids with the same second highest score.
highest scoring other bid: Null or a generated bid. The second highest scoring other bid.
highest scoring other bid owner: Null or an origin, initially null. The interest group owner that made bids with the second highest score. Set to null if there are more than one owners made bids with the second highest score.
top level seller: Null or an origin. The seller in the top level auction. Only set for component auctions, null otherwise.
top level seller signals: Null or a string. Signals from the seller in the top level auction, produced as the output of the top-level seller’s reportResult() method. Only set for component auctions, null otherwise.
component seller: Null or an origin. Seller in component auction which generated this leading bid. Only set for the top level auction when component auctions are present, null otherwise.
bidding data version: Null or an unsigned long. Data-Version value from the trusted bidding signals server’s response(s). Will only be not null if the `Data-Version` header was provided and had a consistent value for all of the trusted bidding signals server responses used to construct the trustedBiddingSignals.
scoring data version: Null or an unsigned long. Data-Version value from the trusted scoring signals server’s response. Will only be not null if the `Data-Version` header was provided in the response headers from the trusted scoring signals server.
buyer reporting result: Null or a reporting result, initially null.
seller reporting result: Null or a reporting result, initially null.
component seller reporting result: Null or a reporting result, initially null.

A reporting result is a struct with the following items:

report url: Null or a URL, initially null. Set by sendReportTo(url).
reporting beacon map: Null or an ordered map whose keys are strings and whose values are URLs, initially null. Set by registerAdBeacon(map).
reporting macro map: Null or an ordered map whose keys are strings and whose values are strings, initially null. Set by registerAdMacro(name, value).

An auction report info is a struct with the following items:

debug win report urls

A list of URLs whose schemes must be "https". The winning bid’s generated bid’s debug win report URLs.

debug loss report urls

A list of strings whose schemes must be "https". Losing bid’s generated bid’s debug loss report URLs.

TODO: Change the two lists to a single URL since no more than one debug reports can be sent after downsampling debug reports. While the browser is experimenting with third party cookie deprecation (before they have been fully removed), the forDebuggingOnly reporting APIs are not downsampled, so they are still lists.

real time reporting contributions map

A real time reporting contributions map

A real time reporting contributions map is an ordered map whose keys are origins and whose values are lists of real time reporting contributions.

A real time reporting contribution is a struct with the following items:

bucket: A long. Must be greater than 0 and less than the sum of number of user buckets and number of platform buckets.
priority weight: A double. Must be greater than 0 and less than infinity, dictates the relative likelihood of which bucket will get the contribution.
latency threshold: Null or a duration in milliseconds. Initially null. Reports when a latency (e.g., generateBid() execution latency) is greater than this threshold.

14.13. K-Anonymity Records

A k-anonymity key is a string used as a key for tracking k-anonymity status.

A k-anonymity record is a timestamped cache of the k-anonymity status for a given k-anonymity key. These records are stored in the user agent.

is k-anonymous: A boolean indicating whether the k-anonymity key indicated by this record was reported as k-anonymous.
timestamp: The moment when the k-anonymity status in this record was last fetched.

14.14. auction data config

An auction data config is a struct with the following items:

publisher: An origin. The origin of the top level page running the ad auction. The scheme must be "https".
seller: An origin. The origin of the seller running the ad auction. The scheme must be "https".
coordinator: The origin of the coordinator hosting public encryption keys for the server running the ad auction. The scheme must be "https".
encryption key: Null or a byte sequence. The public HPKE encryption key to be used to encrypt the request.
encryption key id: Null or a byte containing the key ID corresponding to the encryption key.
request size: unsigned long or null. An optional field, containing the desired size for the returned encrypted request blob.
per buyer config: A map whose keys are origins and values are auction data buyer config.

An auction data per seller result is a struct with the following items:

seller: The origin of the seller that this result corresponds to. Will match one of the provided auction data configs’s seller.
request: Null or a byte sequence. The encrypted request generated for this seller. Null indicates an error occured and the error field will contain additional information.
error: Null or a string. Null when the request succeeds. Otherwise contains additional information about the failure.

An auction data buyer config is a struct with the following items:

size: unsigned long or null. An optional field, initially null, containing the size of the request to allocate to this buyer.

14.15. Cumulative timeout tracker

A cumulative timeout tracker is a struct with the following items:

remaining: A duration in milliseconds or null. When non-null, records how much of the timeout remains to be consumed. When null, states there is no limit. Initially null.
limit: A duration in milliseconds, or null (reprensenting no limit).

To create a cumulative timeout tracker given an auction config auctionConfig and an origin buyer:

Let tracker be a new cumulative timeout tracker.
Set tracker’s limit to auctionConfig’s all buyers cumulative timeout.
If auctionConfig’s per buyer cumulative timeouts is not null and per buyer cumulative timeouts contains buyer, then set tracker’s limit to auctionConfig’s per buyer cumulative timeouts[buyer].
Set tracker’s remaining to tracker’s limit.
Return tracker.

To expend cumulative timeout time given a cumulative timeout tracker tracker and a duration in milliseconds timeUsed:

If tracker’s remaining is null, return.
Decrement tracker’s remaining by timeUsed.

To compute effective timeout given a cumulative timeout tracker tracker and a duration in milliseconds perBuyerTimeout:

If tracker’s remaining is null, return perBuyerTimeout.
If perBuyerTimeout < tracker’s remaining, return perBuyerTimeout.
Return tracker’s remaining.

The is expired of a cumulative timeout tracker tracker is:

False if tracker’s remaining is null or positive.
True otherwise, that is, if tracker’s remaining ≤ 0.

15. User Agent Automation

For the purposes of user agent automation and website testing, this document defines the below [WebDriver2] extension commands.

15.1. Set Protected Audience K-Anonymity

The Set Protected Audience K-Anonymity WebDriver extension command instructs the user agent to use the specified hashes as the only k-anonymous sets for the interest group with the given owner and name.

The k-anonymity overrides is a map containing the currently active set of k-anonymity overrides, which is initially empty. The keys of k-anonymity overrides are tuples of (an origin for interest group owner, a string for interest group name). The values of k-anonymity overrides are maps whose keys are SHA-256 hashes and whose values are k-anonymity records. The k-anonymity overrides are checked before and take precedence over the k-anonymity cache.

HTTP Method	URI Template
POST	`session/{session id}/protected_audience/set_k_anonymity`

The remote end steps, given session, URL variables and parameters are:

If parameters is not a JSON Object, return a WebDriver error with error code invalid argument.
Let owner be the result of getting a property named "owner" from parameters.
If owner is undefined or is not a string, return a WebDriver error with error code invalid argument.
Let ownerOrigin be the result running parse an https origin on owner.
If ownerOrigin is failure, return a WebDriver error with error code invalid argument.
Let name be the result of getting a property named "name" from parameters.
If name is not a string, return a WebDriver error with error code invalid argument.
Let hashes be the result of getting a property named "hashes" from parameters.
If hashes is not a list, return a WebDriver error with error code invalid argument.
Let override be a map whose keys are SHA-256 hashes and whose values are k-anonymity records.
For each hashString of hashes:
1. If hashString is not a string, return a WebDriver error with error code invalid argument.
2. Let hash be the result of running forgiving-base64 decode with hashString.
3. If hash is failure or hash’s length is not 32, return a WebDriver error with error code invalid argument.
4. Let record be a new k-anonymity record.
5. Set record’s timestamp field to the current coarsened wall time.
6. Set record’s is k-anonymous field to true.
7. Set override[hash] to record.
Set the user agent’s k-anonymity overrides[(ownerOrigin,name)] to override.
Return success with data null.

16. Privacy Considerations

Protected Audience aims to advance the privacy of remarketing and custom audience advertising on the web, so naturally privacy considerations are paramount to Protected Audience’s design. Partitioning data by site is the central mechanism to prevent joining a user’s identity across sites:

Interest group definitions come from just one site, the site that called joinAdInterestGroup().
Bidding (generateBid()) and scoring (scoreAd()) scripts are exposed to interest group data from the joining site, and data from the site that will display the ad, but these scripts are run in strict isolation to prevent leaking this cross-site information.
The browser can enforce that trusted bidding and scoring signals are fetched from servers complying with certain privacy requirements, e.g. not performing event-level logging.
Ads are rendered in fencedframes that isolate them from the surrounding page to prevent cross-site leakage.
Reporting is strictly controlled by the browser to prevent cross-site leaks: Inputs to event-level reporting functions, reportWin() and reportResult(), only contain limited cross-site information, e.g. the k-anonymous ad URL. Event-level reporting is meant to be a temporary stepping stone to more private mechanisms like Private Aggregation API.
If § 9 Interest Group Updates are allowed to run after navigating to another page, the source IP address used for those requests can continue to reveal coarse location information about the device. Implementations may wish to implement some form of IP privacy, like a proxy, or limit how long updates can run post-navigation.

17. Security Considerations

Protected Audience involves the browser running untrusted JavaScript downloaded from multiple parties, so security concerns are top of mind. Fortunately Protected Audience is a highly constrained API not attempting to be a general purpose execution environment. Execution of this JavaScript is controlled and limited as follows:

Protected Audience requires the origin of the scripts' URLs to match that of the origin of the interest group owner, which is in turn required to match the origin of the context calling the joinAdInterestGroup().
URL schemes are required to be HTTPS.
Redirects are disallowed.
Responses are required to contain the Ad-Auction-Allowed: ?1 header.
Fetches are uncredentialed.

Protected Audience has the browser pass in several “browserSignals” to the bidding script that give the script unforgeable information about the context that the script is being executed in. This way bidders and sellers have the choice to only participate in auctions where they are comfortable working with the involved parties.

The execution environment available to these scripts is the absolute minimum necessary to calculate a bid. It supports only ECMAScript. It does not support network, storage, timer, date, DOM, Workers, postMessage, Navigator or Window APIs.

Protected Audience adds Permission-Policies to control access to the Protected Audience APIs to give sites and embedders the ability to clamp down on use of the APIs as they see fit.

Auction config and interest group data are processed as JSON and not via the structured clone algorithm, in part because interest groups are updated via JSON server responses. However, there is also a security reason to not use the structured clone algorithm, which is that the data may be shared with other parties -- in particular, the auction config perBuyerSignals are sent from the seller to each buyer. Supporting structured cloning here would mean that buyer scripts would have to be prepared to handle arbitrary, complex, and potentially cyclic objects from the seller.

Protected Audience (formerly FLEDGE)

Abstract

Status of this document

1. Introduction

2. Joining Interest Groups

2.1. joinAdInterestGroup()

2.2. Interest Group Storage Maintenance

3. Leaving Interest Groups

3.1. leaveAdInterestGroup()

3.2. clearOriginJoinedAdInterestGroups()

4. Running Ad Auctions

4.1. runAdAuction()

4.2. canLoadAdAuctionFencedFrame()

4.3. getInterestGroupAdAuctionData()

5. Reporting

5.1. Common types and algorithms

5.2. forDebuggingOnly

5.2.1. Downsampling

5.3. realTimeReporting

5.3.1. Platform contribution

5.3.2. Apply noise (RAPPOR)

5.4. privateAggregation

5.4.1. Signal base value

5.4.2. On event contribution entry

5.4.3. Worklet function

5.4.4. Averager

5.4.5. Metrics structures

5.4.6. Private Aggregation contributions

5.4.7. Algorithms

5.5. Get storage interest groups for owner

6. Additional Bids and Negative Targeting

6.1. createAuctionNonce()

6.2. Additional Bids

6.3. Negative Targeting

6.3.1. Negative Interest Groups

7. K-anonymity

8. Script Runners

8.1. Realm and agent

8.2. Script evaluation

8.3. Global scopes

8.3.1. InterestGroupBiddingScriptRunnerGlobalScope

8.3.2. InterestGroupScoringScriptRunnerGlobalScope

8.3.3. InterestGroupReportingScriptRunnerGlobalScope

9. Interest Group Updates

10. Feature Detection

11. Common Algorithms

12. Permissions Policy Integration

13. Fetch Patch for Auction Headers

13.1. The `Sec-Ad-Auction-Fetch` HTTP request header

13.2. The `Ad-Auction-Signals` HTTP response header

13.3. The `Ad-Auction-Additional-Bid` HTTP response header.

13.4. The `Ad-Auction-Result` HTTP response header.

13.5. The `Ad-Auction-Result-Nonce` HTTP response header.

14. Structures

14.1. Interest group

14.2. Currency tag

14.3. Auction config

14.4. Bid generator

14.5. Script fetcher

14.6. Trusted bidding signals batcher

14.7. Trusted scoring signals batcher

14.8. Generated bid

14.9. Direct from seller signals

14.10. Additional bids

14.11. Score ad output

14.12. Leading bid info

14.13. K-Anonymity Records

14.14. auction data config

14.15. Cumulative timeout tracker

15. User Agent Automation

15.1. Set Protected Audience K-Anonymity

16. Privacy Considerations

17. Security Considerations

Index

Terms defined by this specification

Terms defined by reference

References

Normative References

Informative References

IDL Index

5.2. `forDebuggingOnly`

5.3. `realTimeReporting`

5.4. `privateAggregation`

13.1. The ``Sec-Ad-Auction-Fetch`` HTTP request header

13.2. The ``Ad-Auction-Signals`` HTTP response header

13.3. The ``Ad-Auction-Additional-Bid`` HTTP response header.

13.4. The ``Ad-Auction-Result`` HTTP response header.

13.5. The ``Ad-Auction-Result-Nonce`` HTTP response header.