index.bs

<pre class='metadata'>
Title: Attribution Reporting
Shortname: attribution-reporting
Level: 1
Status: CG-DRAFT
Group: wicg
Repository: WICG/attribution-reporting-api
URL: https://wicg.github.io/attribution-reporting-api
Editor: Charlie Harrison, Google Inc. https://google.com, csharrison@chromium.org
Editor: John Delaney, Google Inc. https://google.com, johnidel@chromium.org
Editor: Andrew Paseltiner, Google Inc. https://google.com, apaseltiner@chromium.org
Abstract: An API to report that an event may have been caused by another cross-site event. These reports are designed to transfer little enough data between sites that the sites can't use them to track individual users.

Markup Shorthands: markdown on
Complain About: accidental-2119 on, missing-example-ids on
Assume Explicit For: on
</pre>
<pre class=link-defaults>
spec:html; type:element; text:a
spec:html; type:element; text:script
spec:html; type:dfn; text:feature separators
spec:html; type:dfn; text:follow the hyperlink
spec:html; type:dfn; text:navigation params
spec:html; type:dfn; text:prepare the script element
spec:html; type:dfn; text:script fetch options
spec:html; type:dfn; text:set up the classic script request
spec:html; type:dfn; text:set up the module script request
spec:html; type:dfn; text:tokenize the features argument
spec:html; type:dfn; text:update the image data
spec:html; type:dfn; text:window open steps
spec:webdriver; type:dfn; text:error
</pre>
<pre class="anchors">
spec: clear-site-data; type: dfn; urlPrefix: https://w3c.github.io/webappsec-clear-site-data/
    text: clear DOM-accessible storage for origin; url: #abstract-opdef-clear-dom-accessible-storage-for-origin
spec: hr-time; type: dfn; urlPrefix: https://w3c.github.io/hr-time/
    text: current wall time; url: #dfn-current-wall-time
    text: duration; url: #dfn-duration
    text: moment; url: #dfn-moment
spec: idl; type: dfn; urlPrefix: https://webidl.spec.whatwg.org/
    text: throw; url: #dfn-throw
spec: webdriver; urlPrefix: https://w3c.github.io/webdriver/
    type: dfn
        text: getting a property; url: dfn-getting-properties
        text: error code; url: dfn-error-code
spec: uuid; type: dfn; urlPrefix: https://wicg.github.io/uuid/
    text: generate a random UUID; url: #dfn-generate-a-random-uuid
spec: private-state-token-api; type: dfn; urlPrefix: https://wicg.github.io/trust-token-api/
    text: look up the key commitments; url: #look-up-the-key-commitments
    text: generate masked tokens; url: #generate-masked-tokens
    text: unmask tokens; url: #unmask-tokens
    text: sec-private-state-token-crypto-version; url: #sec-private-state-token-crypto-version
spec: structured header; type: dfn; urlPrefix: https://tools.ietf.org/html/rfc8941; 
    text: structured header; url: #name-introduction
    for: structured header
        text: list; url: #name-lists
        text: serialize a list; url: #name-serializing-a-list
        text: parse a list; url: #name-parsing-a-list
        text: string; url: #name-strings
        text: serialize a string; url: #name-serializing-a-string
        text: parse a string; url: #name-parse-a-string
spec: infra; type: dfn; urlPrefix: https://infra.spec.whatwg.org/
    text: starts with; url: #string-starts-with
urlPrefix: https://wicg.github.io/fenced-frame/; type: interface
    text: Fence
</pre>
<pre class=biblio>
{
    "chan": {
        "title": "Channel capacity",
        "href": "https://en.wikipedia.org/wiki/Channel_capacity"
    },
     "dp": {
        "title": "Differential privacy",
        "href": "https://en.wikipedia.org/wiki/Differential_privacy"
    },
     "rr": {
        "title": "Randomized response",
        "href": "https://en.wikipedia.org/wiki/Randomized_response"
    },
     "bin-ent": {
        "title": "Binary entropy function",
        "href": "https://en.wikipedia.org/wiki/Binary_entropy_function"
    },
    "q-sc": {
        "authors": [
            "Claudio Weidmann",
            "Gottfried Lechner"
        ],
        "title": "q-ary symmetric channel",
        "href": "https://arxiv.org/pdf/0909.2009.pdf"
    }

}
</pre>

Introduction {#intro}
=====================

<em>This section is non-normative</em>

This specification describes how web browsers can provide a mechanism to the
web that supports measuring and attributing conversions (e.g. purchases) to ads
a user interacted with on another site. This mechanism should remove one need
for cross-site identifiers like third-party cookies.

## Overview ## {#overview}

Pages/embedded sites are given the ability to register [=attribution sources=] and
[=attribution triggers=], which can be linked by the User Agent to generate and
send [=attribution reports=] containing information from both of those events.

A reporter `https://reporter.example` embedded on `https://source.example` is able to
measure whether an interaction on the page lead to an action on `https://destination.example`
by registering an [=attribution source=] with [=attribution source/attribution destinations=]
of « `https://destination.example` ». Reporters are able to register sources through a variety
of surfaces, but ultimately the reporter is required to provide the User Agent with an
HTTP-response header which allows the source to be eligible for attribution.

At a later point in time, the reporter, now embedded on `https://destination.example`,
may register an [=attribution trigger=]. Reporters can register triggers by sending an
HTTP-response header containing information about the action/event that occurred. Internally,
the User Agent attempts to match the trigger to previously registered source events based on
where the sources/triggers were registered and configurations provided by the reporter.

If the User Agent is able to attribute the trigger to a source, it will generate and
send an [=attribution report=] to the reporter via an HTTP POST request at a later point
in time.

# HTML monkeypatches # {#html-monkeypatches}

<h3 id="monkeypatch-attributionsrc">API for elements</h3>

<pre class="idl">
interface mixin HTMLAttributionSrcElementUtils {
    [CEReactions, SecureContext] attribute USVString attributionSrc;
};

HTMLAnchorElement includes HTMLAttributionSrcElementUtils;
HTMLImageElement includes HTMLAttributionSrcElementUtils;
HTMLScriptElement includes HTMLAttributionSrcElementUtils;
</pre>

Add the following <a spec=html>content attributes</a>:

: <{a}>
:: <dfn for="a" element-attr>attributionsrc</dfn> - A [=string=] containing
    zero or more [=URLs=] to which a background attributionsrc request will be
    made when the <{a}> is navigated.
: <{img}>
:: <dfn for="img" element-attr>attributionsrc</dfn> - A [=string=] containing
    zero or more [=URLs=] to which a background attributionsrc request will be
    made when set.
: <{script}>
:: <dfn for="script" element-attr>attributionsrc</dfn> - A [=string=] containing
    zero or more [=URLs=] to which a background attributionsrc request will be
    made when set.

The IDL attribute {{HTMLAttributionSrcElementUtils/attributionSrc}}
must <a spec=html>reflect</a> the respective content attribute of the same
name.

Whenever an <{img}> or a <{script}> |element| is created or |element|'s
{{HTMLAttributionSrcElementUtils/attributionSrc}} attribute is set or changed,
run [=make background attributionsrc requests=] with |element| and
"<code>[=eligibility/event-source-or-trigger=]</code>".

Issue: More precisely specify which mutations are relevant for the
attributionsrc attribute.

Modify [=update the image data=] as follows:

After the step

> Set |request|'s [=request/priority=] to the current state...

add the step

1. If the element has an <{img/attributionsrc}> attribute, set
    |request|'s [=request/Attribution Reporting Eligibility=] to
    "<code>[=eligibility/event-source-or-trigger=]</code>".

A [=script fetch options=] has an associated <dfn for="script fetch options">
Attribution Reporting eligibility</dfn> (an [=eligibility=]). Unless otherwise
stated it is "<code>[=eligibility/unset=]</code>".

Modify [=prepare the script element=] as follows:

After the step

> Let <var ignore=''>fetch priority</var> be the current state of |el|'s <{script/fetchpriority}>
> content attribute.

add the step

1. Let |Attribution Reporting eligibility| be
    "<code>[=eligibility/event-source-or-trigger=]</code>" if |el| has an
    <{script/attributionsrc}> content attribute and
    "<code>[=eligibility/unset=]</code>" otherwise.

Add "and [=script fetch options/Attribution Reporting eligibility=] is
|Attribution Reporting eligibility|." to the step

> Let <var ignore=''>options</var> be a [=script fetch options=] whose...

Modify [=set up the classic script request=] and
[=set up the module script request=] as follows:

Add "and its [=request/Attribution Reporting eligibility=] is |options|'s
[=script fetch options/Attribution Reporting eligibility=]."

Modify [=follow the hyperlink=] as follows:

After the step

> If |subject|'s link types includes...

add the steps

1. Let |navigationSourceEligible| be false.
1. If |subject| has an `attributionsrc` attribute:
    1. Set |navigationSourceEligible| to true.
    1. [=Make background attributionsrc requests=] with |subject| and
        "<code>[=eligibility/navigation-source=]</code>".

Add "and [=navigate/navigationSourceEligible=] set to
|navigationSourceEligible|" to the step

> [=Navigate=] <var ignore=''>targetNavigable</var>...

<h3 id="monkeypatch-window-open">Window open steps</h4>

Modify the [=tokenize the features argument=] as follows:

Replace the step

> [=Collect a sequence of code points=] that are not [=feature separators=] code
> points from |features| given |position|. Set |value| to the collected code
> points, [=ASCII lowercase|converted to ASCII lowercase=].

with

[=Collect a sequence of code points=] that are not [=feature separators=] code
points from |features| given |position|. Set |value| to the collected code
points, [=ASCII lowercase|converted to ASCII lowercase=]. Set
|originalCaseValue| to the collected code points.

Replace the step

> If |name| is not the empty string, then set |tokenizedFeatures|[|name|] to
> |value|.

with the steps

1. If |name| is not the empty string:
    1. Switch on |name|:
        <dl class="switch">
        : "`attributionsrc`"
        :: Run the following steps:
            1. If |tokenizedFeatures|[|name|] does not [=map/exists|exist=],
                [=map/set=] |tokenizedFeatures|[|name|] to a new [=list=].
            1. [=list/Append=] |originalCaseValue| to |tokenizedFeatures|[|name|].
        : Anything else
        :: [=map/Set=] |tokenizedFeatures|[|name|] to |value|.

        </dl>

Modify the [=window open steps=] as follows:

After the step

> Let |tokenizedFeatures| be the result of
> [=tokenize the features argument|tokenizing=] |features|.

add the steps

1. Let |navigationSourceEligible| be false.
1. If |tokenizedFeatures|["`attributionsrc`"] [=map/exists=]:
    1. [=Assert=]: |tokenizedFeatures|["`attributionsrc`"] is a [=list=].
    1. Set |navigationSourceEligible| to true.
    1. Set |attributionSrcUrls| to a new [=list=].
    1. [=list/iterate|For each=] |value| of
        |tokenizedFeatures|["`attributionsrc`"]:
        1. If |value| is the empty string, [=iteration/continue=].
        1. Let |decodedSrcBytes| be the result of
            [=string/percent-decode|percent-decoding=] |value|.
        1. Let |decodedSrc| be the [=UTF-8 decode without BOM=] of
            |decodedSrcBytes|.
        1. <a spec="HTML" lt="parse a URL">Parse</a> |decodedSrc| relative to
            the <a spec="HTML" lt="entry settings object">entry settings object</a>,
            and set |urlRecord| to the resulting [=URL record=], if any. If
            parsing failed, [=iteration/continue=].
        1. [=list/Append=] |urlRecord| to |attributionSrcUrls|.

Issue: Use |attributionSrcUrls| with [=make a background attributionsrc request=].

In each step that calls [=navigate=], set [=navigate/navigationSourceEligible=]
to |navigationSourceEligible|.

## Navigation monkeypatches ## {#navigation-monkeypatches}

Add the following item to [=navigation params=]:

: <dfn for="navigation params">navigationSourceEligible</dfn>
:: A boolean indicating whether the navigation can register a
    [=source type/navigation=] [=attribution source|source=] in its response.
    Defaults to false.

Modify [=navigate=] as follows:

Add an optional boolean parameter called <dfn for="navigate">
<var>navigationSourceEligible</var></dfn>, defaulting to false.

In the step

> Set <var ignore=''>navigationParams</var> to a new [=navigation params=]
> with...

add the property

: [=navigation params/navigationSourceEligible=]
:: |navigationSourceEligible|

Issue: Use/propagate [=navigation params/navigationSourceEligible=] to the
[=navigation request=]'s [=request/Attribution Reporting eligibility=].

# Network monkeypatches # {#network-monkeypatches}

<pre class="idl">
dictionary AttributionReportingRequestOptions {
  required boolean eventSourceEligible;
  required boolean triggerEligible;
};

partial dictionary RequestInit {
  AttributionReportingRequestOptions attributionReporting;
};

partial interface XMLHttpRequest {
  [SecureContext]
  undefined setAttributionReporting(AttributionReportingRequestOptions options);
};
</pre>

A [=request=] has an associated
<dfn for=request>Attribution Reporting eligibility</dfn> (an [=eligibility=]).
Unless otherwise stated it is "<code>[=eligibility/unset=]</code>".

A [=request=] has an associated
<dfn for=request>trigger verification metadata</dfn> which is null or a [=trigger verification metadata=].

To <dfn>get an eligibility from {{AttributionReportingRequestOptions}}</dfn>
given an optional {{AttributionReportingRequestOptions}} |options|:

1. If |options| is null, return "<code>[=eligibility/unset=]</code>".
1. Let |eventSourceEligible| be |options|'s
    {{AttributionReportingRequestOptions/eventSourceEligible}}.
1. Let |triggerEligible| be |options|'s
    {{AttributionReportingRequestOptions/triggerEligible}}.
1. If (|eventSourceEligible|, |triggerEligible|) is:
    <dl class="switch">
    : (false, false)
    :: Return "<code>[=eligibility/empty=]</code>".
    : (false, true)
    :: Return "<code>[=eligibility/trigger=]</code>".
    : (true, false)
    :: Return "<code>[=eligibility/event-source=]</code>".
    : (true, true)
    :: Return "<code>[=eligibility/event-source-or-trigger=]</code>".

    </dl>

Issue: Check permissions policy.

"<code><dfn>Attribution-Reporting-Eligible</dfn></code>" is a
<a href="https://httpwg.org/specs/rfc8941.html#dictionary">Dictionary Structured
Header</a> set on a [=request=] that indicates which registrations, if
any, are allowed on the corresponding [=response=]. Its values are not specified
and its <dfn lt="eligible key">allowed keys</dfn> are:

<dl dfn-for="eligible key">
: "<dfn><code>event-source</code></dfn>"
:: An [=source type/event=] [=attribution source|source=] may be registered.
: "<dfn><code>navigation-source</code></dfn>"
:: A [=source type/navigation=] [=attribution source|source=] may be registered.
: "<dfn><code>trigger</code></dfn>"
:: A [=attribution trigger|trigger=] may be registered.

</dl>

To <dfn>obtain a dictionary structured header value</dfn> given a [=list=] of [=strings=] |keys| and
a [=set=] of [=strings=] |allowedKeys|:

1. [=set/iterate|For each=] |key| of |allowedKeys|, optionally [=list/append=] the
    [=string/concatenation=] of « "`not-`", |key| » to |keys|.
1. Optionally, [=shuffle a list|shuffle=] |keys|.
1. Let |entries| be a new [=list=].
1. [=list/iterate|For each=] |key| of |keys|:
    1. Let |value| be true.
    1. Optionally, set |value| to a
        <a href="https://httpwg.org/specs/rfc8941.html#token">token</a>
        corresponding to one of [=strings=] in |allowedKeys|.
    1. Let |params| be an [=map/is empty|empty=] [=map=].
    1. [=set/iterate|For each=] |key| of |allowedKeys|, optionally [=map/set=] |params|[|key|] to an
        arbitrary
        <a href="https://httpwg.org/specs/rfc8941.html#item">bare item</a>.
    1. [=list/Append=] a structured dictionary member with the key |key|, the
        value |value|, and the parameters |params| to |entries|.
1. Return a
    <a href="https://httpwg.org/specs/rfc8941.html#dictionary">dictionary</a>
    containing |entries|.

Note: The user agent MAY
<a href="https://httpwg.org/specs/rfc8941.html#specify">"grease"</a> the
dictionary structured headers according to the preceding algorithm to help ensure that recipients
use a proper structured header parser, rather than naive string equality or
`contains` operations, which makes it easier to introduce backwards-compatible
changes to the header definition in the future. Including the allowed keys
as dictionary *values* or *parameters* helps ensure that only the dictionary's
keys are interpreted by the recipient. Likewise, shuffling the dictionary
members helps ensure that, e.g., "`key1, key2`" is treated equivalently to "`key2, key1`".

In the following example, only the "`trigger`" key should be interpreted by the
recipient after the header has been parsed as a structured dictionary:

<pre class="example" heading="Greased Attribution-Reporting-Eligible header">
Attribution-Reporting-Eligible: not-event-source, trigger=event-source;navigation-source=3
</pre>

To <dfn>set Attribution Reporting headers</dfn> given a [=request=] |request|
and an [=origin=] |contextOrigin|:

1. Let |headers| be |request|'s [=request/header list=].
1. Let |eligibility| be |request|'s [=request/Attribution Reporting eligibility=].
1. [=header list/Delete=] "<code>[=Attribution-Reporting-Eligible=]</code>" from
    |headers|.
1. [=header list/Delete=] "<code>[=Attribution-Reporting-Support=]</code>" from
    |headers|.
1. If |eligibility| is "<code>[=eligibility/unset=]</code>", return.
1. Let |keys| be an [=list/is empty|empty=] [=list=].
1. If |eligibility| is:
    <dl class="switch">
    : "<code>[=eligibility/empty=]</code>"
    :: Do nothing.
    : "<code>[=eligibility/event-source=]</code>"
    :: [=list/Append=] "<code>[=eligible key/event-source=]</code>" to |keys|.
    : "<code>[=eligibility/navigation-source=]</code>"
    :: [=list/Append=] "<code>[=eligible key/navigation-source=]</code>" to
        |keys|.
    : "<code>[=eligibility/trigger=]</code>"
    :: 1. [=list/Append=] "<code>[=eligible key/trigger=]</code>" to |keys|.
    :: 1. [=Set trigger verification request headers=] with |request| and |contextOrigin|.
    : "<code>[=eligibility/event-source-or-trigger=]</code>"
    :: [=list/Append=] "<code>[=eligible key/event-source=]</code>" and
        "<code>[=eligible key/trigger=]</code>" to |keys|.
1. Let |dict| be the result of [=obtaining a dictionary structured header value=] with
    |keys| and the [=set=] containing all the [=eligible keys=].
1. [=header list/Set a structured field value=] given
    ("<code>[=Attribution-Reporting-Eligible=]</code>", |dict|) in |headers|.
1. [=Set an OS-support header=] in |headers|.

<h3 id="monkeypatch-fetch">Fetch monkeypatches</h4>

Modify [=fetch=] as follows:

Add a [=Document=] parameter called |document|.

After the step

> If |request|'s [=request/header list=] does not contain `Accept`...

add the step

1. [=Set Attribution Reporting headers=] with |request| and |document|'s [=node/context origin=].

Modify {{Request/constructor(input, init)}} as follows:

In the step

> Set |request| to a new [=request=] with the following properties:

add the property

: [=request/Attribution Reporting eligibility=]
:: |request|'s [=request/Attribution Reporting eligibility=].

After the step

> If |init|["`priority`"] [=map/exists=], then:

add the step

1. If |init|["{{RequestInit/attributionReporting}}"] [=map/exists=], then set
    |request|'s [=request/Attribution Reporting eligibility=] to the result of
    [=get an eligibility from AttributionReportingRequestOptions=] with it.

<h3 id="monkeypatch-xmlhttprequest">XMLHttpRequest monkeypatches</h4>

An {{XMLHttpRequest}} object has an associated
<dfn id="xmlhttprequest-eligibility">Attribution Reporting eligibility</dfn> (an
[=eligibility=]). Unless otherwise stated it is
"<code>[=eligibility/unset=]</code>".

The {{XMLHttpRequest/setAttributionReporting(options)}} method must run these
steps:

1. If <a>this</a>'s
    <a href="https://xhr.spec.whatwg.org/#concept-xmlhttprequest-state">state</a>
    is not <i>opened</i>, then [=throw=] an
    "{{InvalidStateError!!exception}}" {{DOMException}}.
1. If <a>this</a>'s
    <a href="https://xhr.spec.whatwg.org/#send-flag">`send()` flag</a> is set,
    then [=throw=] an "{{InvalidStateError!!exception}}" {{DOMException}}.
1. Set <a>this</a>'s <a href=#xmlhttprequest-eligibility>Attribution Reporting
    eligibility</a> to the result of
    [=get an eligibility from AttributionReportingRequestOptions=] with
    |options|.

Modify {{XMLHttpRequest/send(body)}} as follows:

Add a [=Document=] parameter called |document|.

After the step:

> Let |req| be a new [=request=], initialized as follows...

Add the step:

1. Set |req|'s [=request/Attribution Reporting eligibility=] to <a>this</a>'s <a href=#xmlhttprequest-eligibility>Attribution Reporting
    eligibility</a>.
1. [=Set Attribution Reporting headers=] with |req| and |document|'s [=node/context origin=].

# Fenced Frame monkeypatches # {#fenced-frame-monkeypatches}

Add the following items to [=fencedframetype/pending event=]:

<dl dfn-for="pending event">
: <dfn>attributionReportingEnabled</dfn>
:: A [=boolean=]
: <dfn>contextOrigin</dfn>
:: An [=origin=]

</dl>

Modify {{Fence/reportEvent()}} as follows:

<div algorithm="report-event-monkeypatch">

Replace the step

> Run <a spec=fenced-frame>report an event</a> using |instance|'s
> [=fenced frame config instance/fenced frame reporter=] with |destination|,
> |event|'s {{FenceEvent/eventType}}, and |event|'s {{FenceEvent/eventData}}.

with

Run <a spec=fenced-frame>report an event</a> using |instance|'s
[=fenced frame config instance/fenced frame reporter=] with |destination|,
|event|'s {{FenceEvent/eventType}}, |event|'s {{FenceEvent/eventData}},
and [=this=]'s [=relevant global object=]'s [=associated Document=].

</div>

Modify <a spec=fenced-frame>report an event</a> as follows:

<div algorithm="report-an-event-monkeypatch">

Add a [=Document=] parameter called |document|.

After the step

> If |reporting map|[|destination|] does not [=map/exist=], return.

add the steps

1. Let |attributionReportingEnabled| be the result of determining whether |document| is
    [=allowed to use=] the "<code>{{PermissionPolicy/attribution-reporting}}</code>" feature.
1. Let |contextOrigin| be |document|'s [=node/context origin=].

In the step

> Let <var ignore>newEvent</var> be a new [=fencedframetype/pending event=] with the following...

add the properties

: [=pending event/attributionReportingEnabled=]
:: |attributionReportingEnabled|
: [=pending event/contextOrigin=]
:: |contextOrigin|

Replace the step

> <a spec=fenced-frame>Send a beacon</a> with |reporting map|[|destination|],
> |eventType|, and |eventData|.

with

<a spec=fenced-frame>Send a beacon</a> with |reporting map|[|destination|],
|eventType|, |eventData|, |attributionReportingEnabled|, and |contextOrigin|.

</div>

Modify [=finalize a reporting destination=] as follows:

<div algorithm="finalize-a-reporting-destination-monkeypatch">

Replace the step

> <a spec=fenced-frame>Send a beacon</a> with |destination map|, |pending event|'s [=pending event/eventType=],
> and |pending event|'s [=pending event/eventData=].

with

<a spec=fenced-frame>Send a beacon</a> with |destination map|, |pending event|'s [=pending event/eventType=],
|pending event|'s [=pending event/eventData=], |pending event|'s [=pending event/attributionReportingEnabled=],
and |pending event|'s [=pending event/contextOrigin=].

</div>

Modify <a spec=fenced-frame>send a beacon</a> as follows:

<div algorithm="send-a-beacon-monkeypatch">

Add a [=boolean=] parameter called |attributionReportingEnabled| and an [=origin=]
parameter called |contextOrigin|.

After the step

> Let <var ignore>destination url</var> be <var ignore>destination map</var>[<var ignore>eventType</var>].

add the steps

1. Let |attributionReportingEligibility| be "<code>[=eligibility/unset=]</code>".
1. Let |processResponse| be null.
1. Let |useParallelQueue| be false.
1. If |attributionReportingEnabled| is true and the result of [=getting supported registrars=]
     is not [=list/is empty|empty=] and |contextOrigin| [=check if an origin is suitable|is suitable=]:
         1. Set |attributionReportingEligibility| to "<code>[=eligibility/event-source=]</code>".
         1. Set |processResponse| to these steps given a [=response=] |response|:
             1. Run [=process an attribution eligible response=] with |contextOrigin|,
                 |attributionReportingEligibility|, and |response|.
         1. Set |useParallelQueue| to true.

         Issue: Allow "<code>[=eligibility/navigation-source=]</code>" when automatic beacon is specified.

In the step

> Let |request| be a new [=request=] with the following properties...

add the property:

: [=request/Attribution Reporting eligibility=]
:: |attributionReportingEligibility|

Replace the step

> [=Fetch=] |request|.

with

[=Fetch=] |request| with [=fetch/processResponse=] being |processResponse| if it is not null
and [=fetch/useParallelQueue=] being |useParallelQueue|.

</div>

Issue: Move this section to <a href="https://wicg.github.io/fenced-frame/">Fenced Frame spec</a>.

# Permissions Policy integration # {#permission-policy-integration}

This specification defines a [=policy-controlled feature=] identified by the string "<code><dfn export for="PermissionPolicy" enum-value>attribution-reporting</dfn></code>".
Its [=policy-controlled feature/default allowlist=] is <a href="https://w3c.github.io/webappsec-permissions-policy/#default-allowlist">`*`</a>.

# Clear Site Data integration # {#clear-site-data-integration}

In [=clear DOM-accessible storage for origin=], add the following step:

> 7. Run [=clear site data=] with |origin|.

To <dfn>clear site data</dfn> given an [=origin=] |origin|:

1. [=set/iterate|For each=] [=attribution source=] |source| of the [=attribution source cache=]:
    1. If |source|'s [=attribution source/reporting origin=] and |origin| are [=same origin=],
        [=set/remove=] |source| from the [=attribution source cache=].
1. [=set/iterate|For each=] [=event-level report=] |report| of the [=event-level report cache=]:
    1. If |report|'s [=event-level report/reporting origin=] and |origin| are [=same origin=],
        [=set/remove=] |report| from the [=event-level report cache=].
1. [=set/iterate|For each=] [=aggregatable report=] |report| of the [=aggregatable report cache=]:
    1. If |report|'s [=aggregatable report/reporting origin=] and |origin| are [=same origin=],
        [=set/remove=] |report| from the [=aggregatable report cache=].

Note: We deliberately do *not* remove matching entries from the
[=attribution rate-limit cache=], as doing so would allow a site to reset and
therefore exceed the intended rate limits at will.

# Structures # {#structures}

<h3 dfn-type=dfn>Trigger state</h3>

A trigger state is a [=struct=] with the following items:

<dl dfn-for="trigger state">
: <dfn>trigger data</dfn>
:: A non-negative 64-bit integer.
: <dfn>report window</dfn>
:: A non-negative integer.

</dl>

<h3 dfn-type=dfn>Randomized response output configuration</h3>

A randomized response output configuration is a [=struct=] with the following items:

<dl dfn-for="randomized response output configuration">
: <dfn>max attributions per source</dfn>
:: A positive integer.
: <dfn>trigger data cardinality</dfn>
:: A positive integer.
: <dfn>num report windows</dfn>
:: A positive integer.

</dl>

<h3 dfn-type=dfn>Randomized source response</h3>

A randomized source response is null or a [=set=] of [=trigger states=].

<h3 id="attribution-filtering">Attribution filtering</h3>

A <dfn>filter value</dfn> is an [=ordered set=] of [=strings=].

A <dfn>filter map</dfn> is an [=ordered map=] whose [=map/key|keys=] are [=strings=] and whose
[=map/value|values=] are [=filter values=].

A <dfn>filter config</dfn> is a [=struct=] with the following items:

<dl dfn-for="filter config">
: <dfn>map</dfn>
:: A [=filter map=].
: <dfn>lookback window</dfn>
:: Null or a positive [=duration=].

</dl>

<h3 dfn-type=dfn>Suitable origin</h3>

A suitable origin is an [=origin=] that is [=check if an origin is suitable|suitable=].

<h3 id="source-type-header">Source type</h3>

A <dfn>source type</dfn> is one of the following:

<dl dfn-for="source type">
: "<dfn><code>navigation</code></dfn>"
:: The source was associated with a top-level navigation.
: "<dfn><code>event</code></dfn>"
:: The source was not associated with a top-level navigation.

</dl>

<h3 id="report-window-header">Report window</h3>

A <dfn>report window</dfn> is a [=struct=] with the following items:

<dl dfn-for="report window">
: <dfn>start</dfn>
:: A [=moment=].
: <dfn>end</dfn>
:: A [=moment=], strictly greater than [=report window/start=].

</dl>


A <dfn>report window list</dfn> is a [=list=] of [=report windows=].
It has the following constraints:

* Elements are in ascending order based on their [=report window/start=].
* Every element's [=report window/start=] is equal to the previous element's [=report window/end=], if it exists.
* There is at least one element in the list.

<h3 dfn-type=dfn>Attribution source</h3>

An attribution source is a [=struct=] with the following items:

<dl dfn-for="attribution source">
: <dfn>source identifier</dfn>
:: A [=string=].
: <dfn>source origin</dfn>
:: A [=suitable origin=].
: <dfn>event ID</dfn>
:: A non-negative 64-bit integer.
: <dfn>attribution destinations</dfn>
:: An [=ordered set=] of [=sites=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>source type</dfn>
:: A [=source type=].
: <dfn>expiry</dfn>
:: A [=duration=].
: <dfn>event-level report windows</dfn>
:: A [=report window list=].
: <dfn>aggregatable report window</dfn>
:: A [=report window=].
: <dfn>priority</dfn>
:: A 64-bit integer.
: <dfn>source time</dfn>
:: A [=moment=].
: <dfn>number of event-level reports</dfn>
:: Number of [=event-level reports=] created for this [=attribution source=].
: <dfn>Max number of event-level reports</dfn>
:: The maximum number of [=event-level reports=] that can be created for this [=attribution source=].
: <dfn>event-level attributable</dfn> (default true)
:: A [=boolean=].
: <dfn>dedup keys</dfn>
:: [=ordered set=] of [=event-level trigger configuration/dedup keys=] associated with this [=attribution source=].
: <dfn>randomized response</dfn>
:: A [=randomized source response=].
: <dfn>randomized trigger rate</dfn>
:: A number between 0 and 1 (both inclusive).
: <dfn>filter data</dfn>
:: A [=filter map=].
: <dfn>debug key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>aggregation keys</dfn>
:: An [=ordered map=] whose [=map/key|keys=] are [=strings=] and whose [=map/value|values=] are
    non-negative 128-bit integers.
: <dfn>aggregatable budget consumed</dfn>
:: A non-negative integer, total [=aggregatable contribution/value=] of all [=aggregatable contributions=] created with this [=attribution source=].
: <dfn>aggregatable dedup keys</dfn>
:: [=ordered set=] of [=aggregatable dedup key/dedup key|aggregatable dedup key values=] associated with this [=attribution source=].
: <dfn>debug reporting enabled</dfn>
:: A [=boolean=].
: <dfn>number of aggregatable reports</dfn>
:: Number of [=aggregatable reports=] created for this [=attribution source=].

</dl>

An [=attribution source=] |source|'s <dfn for="attribution source">expiry time</dfn> is |source|'s [=attribution source/source time=] + |source|'s [=attribution source/expiry=].

An [=attribution source=] |source|'s <dfn for="attribution source">total event-level report window</dfn> is
a [=report window=] [=struct=] with the following fields:

: [=report window/start=]
:: The [=report window/start=] of |source|'s first [=attribution source/event-level report window=].
: [=report window/end=]
:: The [=report window/end=] of |source|'s last [=attribution source/event-level report window=].

Note: The [=attribution source/total event-level report window=] is conceptually a union of [=report windows=], because there
are no gaps in time between any of the [=report windows|windows=] in [=attribution source/event-level report windows=].

An [=attribution source=] |source|'s <dfn for="attribution source">source site</dfn> is the result
of [=obtain a site|obtaining a site=] from |source|'s [=attribution source/source origin=].

<h3 dfn-type=dfn>Aggregatable trigger data</h3>

An aggregatable trigger data is a [=struct=] with the following items:

<dl dfn-for="aggregatable trigger data">
: <dfn>key piece</dfn>
:: A non-negative 128-bit integer.
: <dfn>source keys</dfn>
:: An [=ordered set=] of [=strings=].
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].

</dl>

<h3 dfn-type=dfn>Aggregatable dedup key</h3>

An aggregatable dedup key is a [=struct=] with the following items:

<dl dfn-for="aggregatable dedup key">
: <dfn>dedup key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].

</dl>

<h3 dfn-type=dfn>Event-level trigger configuration</h3>

An event-level trigger configuration is a [=struct=] with the following items:

<dl dfn-for="event-level trigger configuration">
: <dfn>trigger data</dfn>
:: A non-negative 64-bit integer.
: <dfn>dedup key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>priority</dfn>
:: A 64-bit integer.
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].

</dl>

<h3 id="aggregation-coordinator-header">Aggregation coordinator</h3>

An <dfn>aggregation coordinator</dfn> is one of a user-agent-determined [=set=]
of [=suitable origins=] that specifies which aggregation service deployment to use.

<h3 id="aggregatable-source-registration-time-configuration-header">Aggregatable source registration time configuration</h3>

An <dfn>aggregatable source registration time configuration</dfn> is one of the following:

<dl dfn-for="aggregatable source registration time configuration">
: "<dfn><code>exclude</code></dfn>"
:: "`source_registration_time`" is excluded from an [=aggregatable report=]'s [=aggregatable report/shared info=].
: "<dfn><code>include</code></dfn>"
:: "`source_registration_time`" is included in an [=aggregatable report=]'s [=aggregatable report/shared info=].

</dl>


<h3 dfn-type=dfn>Attribution trigger</h3>

An attribution trigger is a [=struct=] with the following items:

<dl dfn-for="attribution trigger">
: <dfn>attribution destination</dfn>
:: A [=site=].
: <dfn>trigger time</dfn>
:: A [=moment=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>debug key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>event-level trigger configurations</dfn>
:: A [=set=] of [=event-level trigger configuration=].
: <dfn>aggregatable trigger data</dfn>
:: A [=list=] of [=aggregatable trigger data=].
: <dfn>aggregatable values</dfn>
:: An [=ordered map=] whose [=map/key|keys=] are [=strings=] and whose
    [=map/value|values=] are non-negative 32-bit integers.
: <dfn>aggregatable dedup keys</dfn>
:: A [=list=] of [=aggregatable dedup key=].
: <dfn>verifications</dfn>
:: A [=list=] of [=trigger verification=].
: <dfn>debug reporting enabled</dfn>
:: A [=boolean=].
: <dfn>aggregation coordinator</dfn>
:: An [=aggregation coordinator=].
: <dfn>aggregatable source registration time configuration</dfn>
:: An [=aggregatable source registration time configuration=].

</dl>

<h3 dfn-type=dfn>Attribution report</h3>

An attribution report is a [=struct=] with the following items:

<dl dfn-for="attribution report, aggregatable report, event-level report">
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>report time</dfn>
:: A [=moment=].
: <dfn>original report time</dfn>
:: A [=moment=].
: <dfn>delivered</dfn> (default false)
:: A [=boolean=].
: <dfn>report ID</dfn>
:: A [=string=].
: <dfn>source debug key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>trigger debug key</dfn>
:: Null or a non-negative 64-bit integer.

</dl>

<h3 dfn-type=dfn>Event-level report</h3>

An event-level report is an [=attribution report=] with the following additional items:

<dl dfn-for="event-level report">
: <dfn>event ID</dfn>
:: A non-negative 64-bit integer.
: <dfn>source type</dfn>
:: A [=source type=].
: <dfn>trigger data</dfn>
:: A non-negative 64-bit integer.
: <dfn>randomized trigger rate</dfn>
:: A number between 0 and 1 (both inclusive).
: <dfn>trigger priority</dfn>
:: A 64-bit integer.
: <dfn>trigger time</dfn>
:: A [=moment=].
: <dfn>source identifier</dfn>
:: A string.
: <dfn>attribution destinations</dfn>
:: An [=ordered set=] of [=sites=].

</dl>

<h3 dfn-type=dfn>Aggregatable contribution</h3>

An aggregatable contribution is a [=struct=] with the following items:

<dl dfn-for="aggregatable contribution">
: <dfn>key</dfn>
:: A non-negative 128-bit integer.
: <dfn>value</dfn>
:: A non-negative 32-bit integer.

</dl>

<h3 dfn-type=dfn>Aggregatable report</h3>

An aggregatable report is an [=attribution report=] with the following additional items:

<dl dfn-for="aggregatable report">
: <dfn>source time</dfn>
:: A [=moment=].
: <dfn>contributions</dfn>
:: A [=list=] of [=aggregatable contributions=].
: <dfn>effective attribution destination</dfn>
:: A [=site=].
: <dfn>serialized private state token</dfn>
:: A [=serialized private state token=].
: <dfn>aggregation coordinator</dfn>
:: An [=aggregation coordinator=].
: <dfn>source registration time configuration</dfn>
:: An [=aggregatable source registration time configuration=].
: <dfn>is null report</dfn> (default false)
:: A [=boolean=].

</dl>

<h3 id="attribution-rate-limits">Attribution rate-limits</h3>

A <dfn>rate-limit scope</dfn> is one of the following:

<ul dfn-for="rate-limit scope">
<li>"<dfn><code>source</code></dfn>"
<li>"<dfn><code>attribution</code></dfn>"
</ul>

An <dfn>attribution rate-limit record</dfn> is a [=struct=] with the following items:

<dl dfn-for="attribution rate-limit record">
: <dfn>scope</dfn>
:: A [=rate-limit scope=].
: <dfn>source site</dfn>
:: A [=site=].
: <dfn>attribution destination</dfn>
:: A [=site=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>time</dfn>
:: A [=moment=].
: <dfn>expiry time</dfn>
:: Null or a [=moment=].

</dl>

<h3 dfn-type=dfn>Attribution debug data</h3>

A <dfn>debug data type</dfn> is a non-empty string that specifies the set of data that is
contained in the [=attribution debug data/body=] of an [=attribution debug data=].

A <dfn>source debug data type</dfn> is a [=debug data type=] for source registrations.
Possible values are:

<ul dfn-for="source debug data type">
<li>"<dfn><code>source-destination-limit</code></dfn>"
<li>"<dfn><code>source-destination-rate-limit</code></dfn>"
<li>"<dfn><code>source-noised</code></dfn>"
<li>"<dfn><code>source-storage-limit</code></dfn>"
<li>"<dfn><code>source-success</code></dfn>"
<li>"<dfn><code>source-unknown-error</code></dfn>"
</ul>

A <dfn>trigger debug data type</dfn> is a [=debug data type=] for trigger registrations.
Possible values are:

<ul dfn-for="trigger debug data type">
<li>"<dfn><code>trigger-aggregate-deduplicated</code></dfn>"
<li>"<dfn><code>trigger-aggregate-excessive-reports</code></dfn>"
<li>"<dfn><code>trigger-aggregate-no-contributions</code></dfn>"
<li>"<dfn><code>trigger-aggregate-insufficient-budget</code></dfn>"
<li>"<dfn><code>trigger-aggregate-storage-limit</code></dfn>"
<li>"<dfn><code>trigger-aggregate-report-window-passed</code></dfn>"
<li>"<dfn><code>trigger-attributions-per-source-destination-limit</code></dfn>"
<li>"<dfn><code>trigger-event-deduplicated</code></dfn>"
<li>"<dfn><code>trigger-event-excessive-reports</code></dfn>"
<li>"<dfn><code>trigger-event-low-priority</code></dfn>"
<li>"<dfn><code>trigger-event-no-matching-configurations</code></dfn>"
<li>"<dfn><code>trigger-event-noise</code></dfn>"
<li>"<dfn><code>trigger-event-report-window-not-started</code></dfn>"
<li>"<dfn><code>trigger-event-report-window-passed</code></dfn>"
<li>"<dfn><code>trigger-event-storage-limit</code></dfn>"
<li>"<dfn><code>trigger-no-matching-source</code></dfn>"
<li>"<dfn><code>trigger-no-matching-filter-data</code></dfn>"
<li>"<dfn><code>trigger-reporting-origin-limit</code></dfn>"
<li>"<dfn><code>trigger-unknown-error</code></dfn>"
</ul>

An <dfn>OS debug data type</dfn> is a [=debug data type=] for OS registrations.
Possible values are:

<ul dfn-for="OS debug data type">
<li>"<dfn><code>os-source-delegated</code></dfn>"
<li>"<dfn><code>os-trigger-delegated</code></dfn>"
</ul>

An attribution debug data is a [=struct=] with the following items:

<dl dfn-for="attribution debug data">
: <dfn>data type</dfn>
:: A [=debug data type=].
: <dfn>body</dfn>
:: A [=map=] whose fields are determined by the [=attribution debug data/data type=].

</dl>

<h3 dfn-type=dfn>Attribution debug report</h3>

An attribution debug report is a [=struct=] with the following items:

<dl dfn-for="attribution debug report">
: <dfn>data</dfn>
:: A [=list=] of [=attribution debug data=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].

</dl>

<h3 dfn-type=dfn>Serialized private state token</h3>

A serialized private state token is a [=forgiving-base64 encoding=] of a [=byte sequence=].

<h3 dfn-type=dfn>Trigger verification</h3>

A trigger verification is a [=struct=] with the following items:

<dl dfn-for="trigger verification">
: <dfn>token</dfn>
:: A [=serialized private state token=].
: <dfn>id</dfn>
:: The result of [=generating a random UUID=] over which the [=trigger verification/token=] is signed.

</dl>

<h3 dfn-type=dfn>Trigger verification metadata</h3>

A trigger verification metadata is a [=struct=] with the following items:

<dl dfn-for="trigger verification metadata">
: <dfn>pretokens</dfn>
:: A [=byte sequence=].
: <dfn>IDs</dfn>
:: A [=list=] of [=string=] generated using [=generating a random UUID=].

</dl>

<h3 dfn-type=dfn>Triggering result</h3>

A <dfn>triggering status</dfn> is one of the following:

<ul dfn-for="triggering status">
<li>"<dfn><code>dropped</code></dfn>"
<li>"<dfn><code>noised</code></dfn>"
<li>"<dfn><code>attributed</code></dfn>"
</ul>

Note: "<code>[=triggering status/noised=]</code>" only applies for [=triggering event-level attribution=] when it is attributed
successfully but dropped as the noise was applied to the source.

A triggering result is a [=tuple=] with the following items:

<dl dfn-for="triggering result">
: <dfn>status</dfn>
:: A [=triggering status=].
: <dfn>debug data</dfn>
:: Null or an [=attribution debug data=].

</dl>

<h3 dfn-type=dfn>Destination rate-limit result</h3>

A destination rate-limit result is one of the following:

<ul dfn-for="destination rate-limit result">
<li>"<dfn><code>allowed</code></dfn>"
<li>"<dfn><code>hit global limit</code></dfn>"
<li>"<dfn><code>hit reporting limit</code></dfn>"
</ul>


# Storage # {#storage}

A user agent holds an <dfn>attribution source cache</dfn>, which is an [=ordered set=] of [=attribution sources=].

A user agent holds an <dfn>event-level report cache</dfn>, which is an [=ordered set=] of [=event-level reports=].

A user agent holds an <dfn>aggregatable report cache</dfn>, which is an [=ordered set=] of [=aggregatable reports=].

A user agent holds an <dfn>attribution rate-limit cache</dfn>, which is an [=ordered set=] of [=attribution rate-limit records=].

The above caches are collectively known as the <dfn>attribution caches</dfn>. The [=attribution caches=] are
shared among all [=environment settings objects=].

Note: This would ideally use <a spec=storage>storage bottles</a> to provide access to the attribution caches.
However attribution data is inherently cross-site, and operations on storage would need to span across all storage bottle maps.

# Constants # {#constants}

<dfn>Valid source expiry range</dfn> is a 2-tuple of positive [=durations=] that controls the
minimum and maximum value that can be used as an [=attribution source/expiry=], respectively.
Its value is (1 day, 30 days).

<dfn>Min report window</dfn> is a positive [=duration=] that controls the
minimum [=duration from=] an [=attribution source's=] [=attribution source/source time=]
and any [=report window/end=] in [=attribution source/aggregatable report window=] or
[=attribution source/event-level report windows=].
Its value is 1 hour.

<dfn>Max entries per filter data</dfn> is a positive integer that controls the
maximum [=map/size=] of an [=attribution source=]'s [=attribution source/filter data=].
Its value is 50.

<dfn>Max values per filter data entry</dfn> is a positive integer that
controls the maximum [=set/size=] of each [=map/value=] of an
[=attribution source=]'s [=attribution source/filter data=]. Its value is 50.

<dfn>Attribution rate-limit window</dfn> is a positive [=duration=] that
controls the rate-limiting window for attribution. Its value is 30 days.

<dfn>Max destinations per source</dfn> is a positive integer that controls the
maximum [=set/size=] of an [=attribution source=]'s
[=attribution source/attribution destinations=]. Its value is 3.

<dfn>Max settable event-level attributions per source</dfn> is a positive integer that
controls the maximum value of [=attribution source/max number of event-level reports=].
Its value is 20.

<dfn>Max settable event-level report windows</dfn> is a positive integer that
controls the maximum [=list/size=] of [=attribution source/event-level report windows=].
Its value is 5.

# Vendor-Specific Values # {#vendor-specific-values}

<dfn>Max aggregation keys per attribution</dfn> is a positive integer that
controls the maximum [=map/size=] of an [=attribution source=]'s
[=attribution source/aggregation keys=], the maximum [=set/size=] of an
[=aggregatable trigger data=]'s [=aggregatable trigger data/source keys=],
and the maximum [=map/size=] of an [=attribution trigger=]'s
[=attribution trigger/aggregatable values=].

<dfn>Max pending sources per source origin</dfn> is a positive integer that
controls how many [=attribution sources=] can be in the
[=attribution source cache=] per [=attribution source/source origin=].

<dfn>Default trigger data cardinality</dfn> is a [=map=] that
controls the valid range of [=event-level trigger configuration/trigger data=].
The keys are «[=source type/navigation=], [=source type/event=]». The values are positive integers.

<dfn>Randomized response epsilon</dfn> is a non-negative double that controls
the randomized response probability of an [=attribution source=]. If [=automation local testing mode=] is true,
this is `∞`.

<dfn>Randomized null report rate excluding source registration time</dfn> is a
double between 0 and 1 (both inclusive) that controls the randomized number of null reports
generated for an [=attribution trigger=] whose [attribution trigger/aggregatable source registration time configuration]
is "<code>[=aggregatable source registration time configuration/exclude=]</code>". If [=automation local testing mode=] is true,
this is 0.

<dfn>Randomized null report rate including source registration time</dfn> is a
double between 0 and 1 (both inclusive) that controls the randomized number of null reports
generated for an [=attribution trigger=] whose [attribution trigger/aggregatable source registration time configuration]
is "<code>[=aggregatable source registration time configuration/include=]</code>". If [=automation local testing mode=] is true,
this is 0.

<dfn>Max event-level reports per attribution destination</dfn> is a positive integer that
controls how many [=event-level reports=] can be in the
[=event-level report cache=] per [=site=] in
[=event-level report/attribution destinations=].

<dfn>Max aggregatable reports per attribution destination</dfn> is a positive integer that controls how
many [=aggregatable reports=] can be in the [=aggregatable report cache=] per
[=aggregatable report/effective attribution destination=].

<dfn>Default event-level attributions per source</dfn> is a [=map=] that
controls how many times a single [=attribution source=] can create an [=event-level report=] by default.
The keys are «[=source type/navigation=], [=source type/event=]». The values are non-negative integers.

<dfn>Max event-level channel capacity per source</dfn> is a [=map=] that
controls how many bits of information can be exposed associated with a single [=attribution source=].
The keys are «[=source type/navigation=], [=source type/event=]». The values are non-negative integers.

<dfn>Max aggregatable reports per source</dfn> is a positive integer that controls how many [=aggregatable reports=]
can be created by [=attribution triggers=] attributed to a single [=attribution source=].

<dfn>Max destinations covered by unexpired sources</dfn> is a positive
integer that controls the maximum number of distinct [=sites=] across all [=attribution source/attribution destinations=]
for unexpired [=attribution sources=] with a given ([=attribution source/source site=], [=attribution source/reporting origin=] [=site=]).

<dfn>Destination rate-limit window</dfn> is a positive [=duration=] that
controls the rate-limiting window for destinations.

<dfn>Max destinations per rate-limit window</dfn> is a [=tuple=] consisting of two integers. The first
controls the maximum number of distinct [=sites=] across all [=attribution source/attribution destinations=]
for [=attribution sources=] with a given [=attribution source/source site=] per [=destination rate-limit window=].
The second controls the maximum number of distinct [=sites=] across all [=attribution source/attribution destinations=]
for [=attribution sources=] with a given ([=attribution source/source site=], [=attribution source/reporting origin=] [=site=])
per [=destination rate-limit window=].

<dfn>Max source reporting origins per rate-limit window</dfn> is a positive
integer that controls the maximum number of distinct
[=attribution source/reporting origin|reporting origins=] for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/attribution destination=]) that can create
[=attribution sources=] per [=attribution rate-limit window=].

<dfn>Max source reporting origins per source reporting site</dfn> is a positive
integer that controls the maximum number of distinct
[=attribution source/reporting origin|reporting origins=] for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/reporting origin=] [=site=]) that can create
[=attribution sources=] per [=origin rate-limit window=].

<dfn>Origin rate-limit window</dfn> is a positive [=duration=] that
controls the rate-limiting window for
[=max source reporting origins per source reporting site=].

<dfn>Max attribution reporting origins per rate-limit window</dfn> is a
positive integer that controls the maximum number of distinct
[=attribution trigger/reporting origin|reporting origins=] for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/attribution destination=]) that can create
[=event-level reports=] per [=attribution rate-limit window=].

<dfn>Max attributions per rate-limit window</dfn> is a positive integer that
controls the maximum number of attributions for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/attribution destination=],
[=attribution rate-limit record/reporting origin=] [=site=]) per
[=attribution rate-limit window=].

<dfn>Allowed aggregatable budget per source</dfn> is a positive integer that controls the total
[=aggregatable report/required aggregatable budget=] of all [=aggregatable reports=] created for
an [=attribution source=].

<dfn>Randomized aggregatable report delay</dfn> is a positive [=duration=] that controls the
random delay to deliver an [=aggregatable report=]. If [=automation local testing mode=] is true,
this is 0.

<dfn>Default aggregation coordinator</dfn> is the [=aggregation coordinator=] that controls how to
obtain the public key for encrypting an [=aggregatable report=] by default.

<dfn>Verification tokens per trigger</dfn> is a positive integer that controls the number of
encoded masked messages sent for signature when [=set trigger verification request headers|initiating trigger verification=]
and the maximum number of [=serialized private state tokens=] that can be attached to an [=attribution trigger=].

# General Algorithms # {#general-algorithms}

<h3 id="serialize-integer">Serialize an integer</h3>

To <dfn>serialize an integer</dfn>, represent it as a string of the shortest possible decimal number.

Issue: This would ideally be replaced by a more descriptive algorithm in Infra. See
<a href="https://github.com/whatwg/infra/issues/201">infra/201</a>

<h3 id="parsing-json-fields">Parsing JSON fields</h3>

Note: The "`Attribution-Reporting-Register-Source`" and
"`Attribution-Reporting-Register-Trigger`" response headers contain JSON-encoded
data, rather than <a href="https://httpwg.org/specs/rfc8941.html">structured
values</a>, because of limitations on nesting in the latter. The recursive
nature of JSON makes it more amenable to future extensions.

To <dfn>parse an optional 64-bit signed integer</dfn> given a [=map=] |map|, a
[=string=] |key|, and a possibly null 64-bit signed integer |default|:

1. If |map|[|key|] does not [=map/exists|exist=], return |default|.
1. If |map|[|key|] is not a [=string=], return an error.
1. Let |value| be the result of applying the
    <a spec="html">rules for parsing integers</a> to |map|[|key|].
1. If |value| is an error, return an error.
1. If |value| cannot be represented by a 64-bit signed integer, return an error.
1. Return |value|.

To <dfn>parse an optional 64-bit unsigned integer</dfn> given a [=map=] |map|,
a [=string=] |key|, and a possibly null 64-bit unsigned integer |default|:

1. If |map|[|key|] does not [=map/exists|exist=], return |default|.
1. If |map|[|key|] is not a [=string=], return an error.
1. Return the result of applying the
    <a spec="html">rules for parsing non-negative integers</a> to |map|[|key|].
1. If |value| is an error, return an error.
1. If |value| cannot be represented by a 64-bit unsigned integer, return an
    error.
1. Return |value|.

<h3 id="serialize-destinations">Serialize attribution destinations</h3>

To <dfn>serialize [=event-level report/attribution destinations=]</dfn> |destinations|, run the following steps:

1. [=Assert=]: |destinations| is not [=set/is empty|empty=].
1. Let |destinationStrings| be a [=list=].
1. [=list/iterate|For each=] |destination| in |destinations|:
    1. [=Assert=]: |destination| is not the [=opaque origin=].
    1. [=list/Append=] |destination| <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a> to |destinationStrings|.
1. If |destinationStrings|'s [=set/size=] is equal to 1, return |destinationStrings|[0].
1. Return |destinationStrings|.

To <dfn>check if a scheme is suitable</dfn> given a [=string=] |scheme|:

1. If |scheme| is "`http`" or "`https`", return true.
1. Return false.

To <dfn>check if an origin is suitable</dfn> given an [=origin=] |origin|:

1. If |origin| is not a [=potentially trustworthy origin=], return false.
1. If |origin|'s [=origin/scheme=] is not
    [=check if a scheme is suitable|suitable=], return false.
1. Return true.

<h3 id="parsing-filter-data">Parsing filter data</h3>

To <dfn>parse filter values</dfn> given a |value|:

1. If |value| is not a [=map=], return null.
1. Let |result| be a new [=filter map=].
1. [=map/iterate|For each=] |filter| → |data| of |value|:
    1. If |filter| [=starts with=] "`_`", return null.
    1. If |data| is not a [=list=], return null.
    1. Let |set| be a new [=ordered set=].
    1. [=list/iterate|For each=] |d| of |data|:
        1. If |d| is not a [=string=], return null.
        1. [=set/Append=] |d| to |set|.
    1. [=map/Set=] |result|[|filter|] to |set|.
1. Return |result|.

To <dfn>parse filter data</dfn> given a |value|:

1. Let |map| be the result of running [=parse filter values=] with |value|.
1. If |map| is null, return null.
1. If |map|'s [=map/size=] is greater than the [=max entries per filter data=],
    return null.
1. [=map/iterate|For each=] |filter| → |set| of |map|:
    1. If |set|'s [=set/size=] is greater than the
        [=max values per filter data entry=], return null.
1. Return |map|.

Issue: Determine whether to limit [=string/length=] or
[=string/code point length=] for |filter| and |d| above.

To <dfn>parse filter config</dfn> given a |value|:

1. If |value| is not a [=map=], return null.
1. Let |lookbackWindow| be null.
1. If |value|["`_lookback_window`"] [=map/exists=]:
    1. If |value|["`_lookback_window`"] is not a positive integer, return null.
    1. Set |lookbackWindow| to the [=duration=] of |value|["`_lookback_window`"] seconds.
    1. [=map/Remove=] |value|["`_lookback_window`"].
1. Let |map| be the result of running [=parse filter values=] with |value|.
1. If |map| is null, return null.
1. Let |filter| be a [=filter config=] with the items:
    : [=filter config/map=]
    :: |map|
    : [=filter config/lookback window=]
    :: |lookbackWindow|
1. Return |filter|.

<h3 id="parsing-filters">Parsing filters</h3>

To <dfn>parse filters</dfn> given a |value|:

1. Let |filtersList| be a new [=list=].
1. If |value| is a [=map=], then:
    1. Let |filterConfig| be the result of running [=parse filter config=] with |value|.
    1. If |filterConfig| is null, return null.
    1. [=list/Append=] |filterConfig| to |filtersList|.
    1. Return |filtersList|.
1. If |value| is not a [=list=], return null.
1. [=list/iterate|For each=] |data| of |value|:
    1. Let |filterConfig| be the result of running [=parse filter config=] with |data|.
    1. If |filterConfig| is null, return null.
    1. [=list/Append=] |filterConfig| to |filtersList|.
1. Return |filtersList|.

To <dfn>parse a filter pair</dfn> given a [=map=] |map|:

1. Let |positive| be a [=list=] of [=filter configs=], initially empty.
1. If |map|["`filters`"] [=map/exists=], set |positive| to the result of running
    [=parse filters=] with |map|["`filters`"].
1. If |positive| is null, return null.
1. Let |negative| be a [=list=] of [=filter configs=], initially empty.
1. If |map|["`not_filters`"] [=map/exists=], set |negative| to the result of
    running [=parse filters=] with |map|["`not_filters`"].
1. If |negative| is null, return null.
1. Return the [=tuple=] (|positive|, |negative|).

<h3 id="debug-keys">Cookie-based debugging</h3>

To <dfn>check if cookie-based debugging is allowed</dfn> given a
[=suitable origin=] |reportingOrigin|:

1. Let |domain| be the
    <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-canonicalized-host-names">canonicalized domain name</a>
    of |reportingOrigin|'s [=origin/host=].
1. For each |cookie| of the user agent's <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-storage-model">cookie store</a>:
    1. If |cookie|'s name is not "`ar_debug`", [=iteration/continue=].
    1. If |cookie|'s http-only-flag is false, [=iteration/continue=].
    1. If |cookie|'s secure-flag is false, [=iteration/continue=].
    1. If |cookie|'s same-site-flag is not "`None`", [=iteration/continue=].
    1. If |cookie|'s host-only-flag is true and |domain| is not
        identical to |cookie|'s domain, [=iteration/continue=].
    1. If |cookie|'s host-only-flag is false and |domain| does not
        <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-domain-matching">domain-match</a>
        |cookie|'s domain, [=iteration/continue=].
    1. If "`/`" does not
        <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-paths-and-path-match">path-match</a>
        |cookie|'s path, [=iteration/continue=].
    1. Return <strong>allowed</strong>.
1. Return <strong>blocked</strong>.

Issue: Ideally this would use the
<a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-retrieval-algorithm">cookie-retrieval algorithm</a>,
but it cannot: There is no way to consider *only* cookies whose http-only-flag
is true and whose same-site-flag is "`None`"; there is no way to prevent the
last-access-time from being modified; and the return value is a string that
would have to be further processed to check for the "`ar_debug`" cookie.

<h3 algorithm id="obtaining-context-origin">Obtaining context origin</h3>

To obtain the <dfn for=node>context origin</dfn> of a [=node=] |node|, return |node|'s [=node navigable=]'s
<a spec=fenced-frame for=navigable>unfenced container document</a>'s [=origin=].

<h3 id="obtaining-randomized-response">Obtaining a randomized response</h3>

To <dfn>obtain a randomized response</dfn> given |trueValue|, a [=set=] |possibleValues|, and a
double |randomPickRate|:

1. [=Assert=]: |randomPickRate| is between 0 and 1 (both inclusive).
1. Let |r| be a random double between 0 (inclusive) and 1 (exclusive) with uniform probability.
1. If |r| is less than |randomPickRate|, return a random item from |possibleValues| with uniform
    probability.
1. Otherwise, return |trueValue|.

<h3 algorithm id="parsing-aggregation-key-piece">Parsing aggregation key piece</h3>

To <dfn>parse an aggregation key piece</dfn> given a [=string=] |input|, perform the following steps.
This algorithm will return either a non-negative 128-bit integer or an error.

1. If |input|'s [=string/code point length=] is not between 3 and 34 (both inclusive), return an error.
1. If the first character is not a U+0030 DIGIT ZERO (0), return an error.
1. If the second character is not a U+0058 LATIN CAPITAL LETTER X character (X) and not a
    U+0078 LATIN SMALL LETTER X character (x), return an error.
1. Let |value| be the [=code point substring=] from 2 to the end of |input|.
1. If the characters within |value| are not all [=ASCII hex digits=], return an error.
1. Interpret |value| as a hexadecimal number and return as a non-negative 128-bit integer.

<h3 dfn id="can-attribution-rate-limit-record-be-removed">Can attribution rate-limit record be removed</h3>

Given an [=attribution rate-limit record=] |record| and a [=moment=] |now|:
1. If the [=duration from=] |record|'s [=attribution rate-limit record|time=] and |now| is <= [=attribution rate-limit window=] , return false.
1. If |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/attribution=]</code>", return true.
1. If |record|'s [=attribution rate-limit record/expiry time=] is after |now|, return false.
1. Return true.

<h3 id="obtaining-and-delivering-debug-report">Obtaining and delivering an attribution debug report</h3>

To <dfn>obtain and deliver a debug report</dfn> given a [=list=] of [=attribution debug data=] |data|
and a [=suitable origin=] |reportingOrigin|:

1. Let |debugReport| be an [=attribution debug report=] with the items:
    : [=attribution debug report/data=]
    :: |data|
    : [=attribution debug report/reporting origin=]
    :: |reportingOrigin|
1. [=Queue a task=] to [=attempt to deliver a verbose debug report=] with |debugReport|.

<h3 id="making-a-background-attributionsrc-request">Making a background attributionsrc request</h3>

An <dfn>eligibility</dfn> is one of the following:

<dl dfn-for="eligibility">
: "<dfn><code>unset</code></dfn>"
:: Depending on context, a [=attribution trigger|trigger=] may or may not be
    registered.
: "<dfn><code>empty</code></dfn>"
:: Neither a [=attribution source|source=] nor a
    [=attribution trigger|trigger=] may be registered.
: "<dfn><code>event-source</code></dfn>"
:: An [=source type/event=] [=attribution source|source=] may be registered.
: "<dfn><code>navigation-source</code></dfn>"
:: A [=source type/navigation=] [=attribution source|source=] may be registered.
: "<dfn><code>trigger</code></dfn>"
:: A [=attribution trigger|trigger=] may be registered.
: "<dfn><code>event-source-or-trigger</code></dfn>"
:: An [=source type/event=] [=attribution source|source=] or a
    [=attribution trigger|trigger=] may be registered.

</dl>

A <dfn>registrar</dfn> is one of the following:

<dl dfn-for="registrar">
: "<dfn><code>web</code></dfn>"
:: The user agent supports web registrations.
: "<dfn><code>os</code></dfn>"
:: The user agent supports OS registrations.

</dl>

To <dfn>validate a background attributionsrc eligibility</dfn> given an
[=eligibility=] |eligibility|:

1. [=Assert=]: |eligibility| is
    "<code>[=eligibility/navigation-source=]</code>" or
    "<code>[=eligibility/event-source-or-trigger=]</code>".

To <dfn>make a background attributionsrc request</dfn> given a [=URL=] |url|, an
[=origin=] |contextOrigin|, an [=eligibility=] |eligibility|, and a
{{Document}} |document|:

1. [=Validate a background attributionsrc eligibility|Validate=] |eligibility|.
1. If |url|'s [=url/scheme=] is not [=check if a scheme is suitable|suitable=],
    return.
1. If |contextOrigin| is not [=check if an origin is suitable|suitable=], return.
1. Let |context| be |document|'s [=relevant settings object=].
1. If |context| is not a [=secure context=], return.
1. If |document| is not [=allowed to use=] the "<code>{{PermissionPolicy/attribution-reporting}}</code>" feature, return.
1. Let |supportedRegistrars| be the result of [=getting supported registrars=].
1. If |supportedRegistrars| [=list/is empty=], return.
1. Let |request| be a new [=request=] with the following properties:
    :   [=request/method=]
    ::  "`GET`"
    :   [=request/URL=]
    ::  |url|
    :   [=request/keepalive=]
    ::  true
    :   [=request/Attribution Reporting eligibility=]
    ::  |eligibility|
1. [=Fetch=] |request| with [=fetch/processResponse=] being
    [=process an attributionsrc response=] with |contextOrigin|, |eligibility|,
    and |request|'s [=request/trigger verification metadata=].

Issue: Audit other properties on |request| and set them properly.

Issue(839): Support header-processing on redirects. Due to <a href=https://fetch.spec.whatwg.org/#atomic-http-redirect-handling>atomic HTTP redirect handling</a>,
we cannot process registrations through integration with [=fetch=].

Issue: Check for transient activation with "<code>[=eligibility/navigation-source=]</code>".

To <dfn>make background attributionsrc requests</dfn> given an
{{HTMLAttributionSrcElementUtils}} |element| and an [=eligibility=]
|eligibility|:

1. Let |attributionSrc| be |element|'s
    {{HTMLAttributionSrcElementUtils/attributionSrc}}.
1. Let |tokens| be the result of
    [=split a string on ASCII whitespace|splitting=] |attributionSrc| on ASCII
    whitespace.
1. [=list/iterate|For each=] |token| of |tokens|:
    1. <a spec="HTML" lt="parse a URL">Parse</a> |token|, relative to
        |element|'s [=Node/node document=]. If that is not successful,
        [=iteration/continue=]. Otherwise, let |url| be the resulting
        [=URL record=].
    1. Run [=make a background attributionsrc request=] with |url|,
        |element|'s [=node/context origin=], |eligibility|, and |element|'s [=Node/node document=].

Issue: Consider allowing the user agent to limit the size of |tokens|.

To <dfn>process an attributionsrc response</dfn> given a [=suitable origin=] |contextOrigin|,
an [=eligibility=] |eligibility|, a [=request/trigger verification metadata=] |triggerVerificationMetadata|,
and a [=response=] |response|:

1. [=Validate a background attributionsrc eligibility|Validate=] |eligibility|.
1. Run [=process an attribution eligible response=] with |contextOrigin|,
    |eligibility|, and |response|.

To <dfn>process an attribution eligible response</dfn> given a [=suitable origin=]
|contextOrigin|, an [=eligibility=] |eligibility|, and a [=response=] |response|:

1. The user-agent MAY ignore the response; if so, return.
   
    Note: The user-agent may prevent attribution for a number of reasons, such as user opt-out. In these
    cases, it is preferred to abort the API flow at response time rather than at request time so this state is not
    immediately detectable.

1. [=Assert=]: |eligibility| is
    "<code>[=eligibility/navigation-source=]</code>" or
    "<code>[=eligibility/event-source=]</code>" or
    "<code>[=eligibility/event-source-or-trigger=]</code>".
1. Let |reportingOrigin| be |response|'s [=response/URL=]'s [=url/origin=].
1. If |reportingOrigin| is not [=check if an origin is suitable|suitable=], return.
1. Let |sourceHeader| be the result of [=header list/get|getting=]
    "`Attribution-Reporting-Register-Source`" from |response|'s
    [=response/header list=].
1. Let |triggerHeader| be the result of [=header list/get|getting=]
    "`Attribution-Reporting-Register-Trigger`" from |response|'s
    [=response/header list=].
1. Let |osSourceRegistrations| be the result of
    [=get OS registrations from a header list|getting OS registrations=]
    from |response|'s [=response/header list=] with
    "`Attribution-Reporting-Register-OS-Source`".
1. Let |osTriggerRegistrations| be the result of
    [=get OS registrations from a header list|getting OS registrations=]
    from |response|'s [=response/header list=] with
    "`Attribution-Reporting-Register-OS-Trigger`".
1. If |eligibility| is:
    <dl class="switch">
    : "<code>[=eligibility/navigation-source=]</code>"
    : "<code>[=eligibility/event-source=]</code>"
    :: Run the following steps:
        1. If |sourceHeader| and |osSourceRegistrations| are both null or both not
            null, return.
        1. If |sourceHeader| is not null:
            1. Let |sourceType| be "<code>[=source type/navigation=]</code>".
            1. If |eligibility| is "<code>[=eligibility/event-source=]</code>",
                set |sourceType| to "<code>[=source type/event=]</code>".
            1. Let |source| be the result of running
                [=parse source-registration JSON=] with |sourceHeader|,
                |contextOrigin|, |reportingOrigin|, |sourceType|, and [=current wall time=].
            1. If |source| is not null, [=process an attribution source|process=]
                |source|.
        1. If |osSourceRegistrations| is not null and the user agent supports OS
            registrations:
              1. Process |osSourceRegistrations| according to an [=implementation-defined=] algorithm.
              1. Run [=obtain and deliver debug reports on OS registrations=] with
                  "<code>[=OS debug data type/os-source-delegated=]</code>", |osSourceRegistrations|,
                  and |contextOrigin|.
    : "<code>[=eligibility/event-source-or-trigger=]</code>"
    :: Run the following steps:
        1. If the number of non-null entries in «|sourceHeader|,
            |triggerHeader|, |osSourceRegistrations|, |osTriggerRegistrations|» is not 1, return.
        1. If |sourceHeader| is not null:
            1. Let |source| be the result of running
                [=parse source-registration JSON=] with |sourceHeader|,
                |contextOrigin|, |reportingOrigin|,
                "<code>[=source type/event=]</code>", and [=current wall time=].
            1. If |source| is not null,
                [=process an attribution source|process=] |source|.
        1. If |triggerHeader| is not null:
            1. Let |destinationSite| be the result of [=obtaining a site=] from
                |contextOrigin|.
            1. Let |triggerVerifications| be the result of [=receiving trigger verification tokens=] 
                with |response|'s [=response/URL=]'s [=url/origin=], |response|'s [=response/header list=],
                and |triggerVerificationMetadata|.
            1. Let |trigger| be the result of running
                [=create an attribution trigger=] with |triggerHeader|
                |destinationSite|, |reportingOrigin|, |triggerVerifications|, and [=current wall time=].
            1. If |trigger| is not null:
                1. [=Maybe defer and then complete trigger attribution=] with |trigger|.
        1. If |osSourceRegistrations| is not null and the user agent supports OS
            registrations:
              1. Process |osSourceRegistrations| according to an [=implementation-defined=] algorithm.
              1. Run [=obtain and deliver debug reports on OS registrations=] with
                  "<code>[=OS debug data type/os-source-delegated=]</code>", |osSourceRegistrations|,
                  and |contextOrigin|.
        1. If |osTriggerRegistrations| is not null and the user agent supports OS
            registrations:
              1. Process |osTriggerRegistrations| according to an [=implementation-defined=] algorithm.
              1. Run [=obtain and deliver debug reports on OS registrations=] with
                  "<code>[=OS debug data type/os-trigger-delegated=]</code>", |osTriggerRegistrations|,
                  and |contextOrigin|.

    </dl>

# Source Algorithms # {#source-algorithms}

<h3 algorithm id="obtaining-randomized-source-response">Obtaining a randomized source response</h3>

To <dfn>obtain a set of possible trigger states</dfn> given a [=randomized response output configuration=] |config|:
1. Let |possibleTriggerStates| be a new [=list/is empty|empty=] [=set=].
1. For each integer |triggerData| between 0 (inclusive) and |config|'s [=randomized response output configuration/trigger data cardinality=] (exclusive):
    1. For each integer |reportWindow| between 0 (inclusive) and |config|'s [=randomized response output configuration/num report windows=] (exclusive):
        1. Let |state| be a new [=trigger state=] with the items:
            : [=trigger state/trigger data=]
            :: |triggerData|
            : [=trigger state/report window=]
            :: |reportWindow|
        1. [=set/Append=] |state| to |possibleTriggerStates|.
1. Let |possibleValues| be a new [=list/is empty|empty=] [=set=].
1. For each integer |attributions| between 0 (inclusive) and |config's| [=randomized response output configuration/max attributions per source=] (inclusive):
    1. [=set/Append=] to |possibleValues| all distinct |attributions|-length combinations of
        |possibleTriggerStates|.

To <dfn>obtain a randomized source response pick rate</dfn> given a [=randomized response output configuration=] |config| and a double |epsilon|:

1. Let |possibleValues| be the result of [=obtaining a set of possible trigger states=] with |config|.
1. Let |numPossibleValues| be the [=set/size=] of |possibleValues|.
1. Return |numPossibleValues| / (|numPossibleValues| - 1 + e<sup>|epsilon|</sup>).

To <dfn>obtain a randomized source response</dfn> given a [=randomized response output configuration=] |config| and a double |epsilon|:

1. Let |possibleValues| be the result of [=obtaining a set of possible trigger states=] with |config|.
1. Let |pickRate| be the result of [=obtaining a randomized source response pick rate=] with |config| and |epsilon|.
1. Return the result of [=obtaining a randomized response=] with null, |possibleValues|, and
    |pickRate|.


<h3 algorithm id="computing-channel-capacity">Computing channel capacity</h3>

To <dfn>compute the channel capacity of a source</dfn> given a [=randomized response output configuration=] |config| and a double |epsilon|:
1. Let |pickRate| be the [=obtain a randomized source response pick rate|randomized response pick rate=] with |config| and |epsilon|.
1. Let |states| be the [=obtain a set of possible trigger states|number of possible trigger states=] with |config|.
1. Let |p| be |pickRate| * (|states| - 1) / |states|.
1. Return log2(|states|) - h(|p|) - |p| * log2(|states| - 1) where h is the binary entropy function [[BIN-ENT]].

Note: This algorithm computes the channel capacity [[CHAN]] of a q-ary symmetric channel [[Q-SC]].

<h3 algorithm id="parsing-source-registration">Parsing source-registration JSON</h3>

To <dfn>parse an attribution destination</dfn> from a [=string=] |str|:
1. Let |url| be the result of running the [=URL parser=] on the value of
    the |str|.
1. If |url| is failure or null, return null.
1. If |url|'s [=url/origin=] is not [=check if an origin is suitable|suitable=],
    return null.
1. Return the result of [=obtain a site|obtaining a site=] from |url|'s
    [=url/origin=].

To <dfn>parse attribution destinations</dfn> from a [=map=] |map|:
1. If |map|["`destination`"] does not [=map/exists|exist=], return null.
1. Let |val| be |map|["`destination`"].
1. If |val| is a [=string=], set |val| to « |val| ».
1. If |val| is not a [=list=], return null.
1. Let |result| be an [=ordered set=].
1. [=list/iterate|For each=] |value| of |val|:
    1. If |value| is not a [=string=], return null.
    1. Let |destination| be the result of [=parse an attribution destination=] with |value|.
    1. If |destination| is null, return null.
    1. [=set/Append=] |destination| to |result|.
1. If |result| [=set/is empty=] or its [=set/size=] is greater than the
    [=max destinations per source=], return null.
1. Return |result|.

To <dfn>parse a duration</dfn> given a [=map=] |map|, a [=string=] |key|, and a
tuple of [=durations=] (|clampStart|, |clampEnd|):

1. [=Assert=]: |clampStart| < |clampEnd|.
1. Let |seconds| be null.
1. If |map|[|key|] [=map/exists=] and is a non-negative integer, set |seconds| to |map|[|key|].
1. Otherwise, set |seconds| to the result of running
    [=parse an optional 64-bit unsigned integer=] with |map|, |key|, and null.
1. If |seconds| is an error, return an error.
1. If |seconds| is null, return |clampEnd|.
1. Let |duration| be the [=duration=] of |seconds| seconds.
1. If |duration| is less than |clampStart|, return |clampStart|.
1. If |duration| is greater than |clampEnd|, return |clampEnd|.
1. Return |duration|.

Issue: Consider rejecting out-of-bounds values instead of silently clamping.

To <dfn>parse aggregation keys</dfn> given an [=ordered map=] |map|:

1. Let |aggregationKeys| be a new [=ordered map=].
1. If |map|["`aggregation_keys`"] does not [=map/exist=], return |aggregationKeys|.
1. Let |values| be |map|["`aggregation_keys`"].
1. If |values| is not an [=ordered map=], return null.
1. If |values|'s [=map/size=] is greater than the user agent's
    [=max aggregation keys per attribution=], return null.
1. [=map/iterate|For each=] |key| → |value| of |values|:
    1. If |value| is not a [=string=], return null.
    1. Let |keyPiece| be the result of running [=parse an aggregation key piece=] with |value|.
    1. If |keyPiece| is an error, return null.
    1. [=map/Set=] |aggregationKeys|[|key|] to |keyPiece|.
1. Return |aggregationKeys|.

Issue: Determine whether to limit [=string/length=] or [=string/code point length=] for |key| above.

To <dfn>obtain default effective windows</dfn> given a [=source type=] |sourceType|,
a [=moment=] |sourceTime|, and a [=duration=] |eventReportWindow|:

1. Let |deadlines| be «» if |sourceType| is "<code>[=source type/event=]</code>", else « 2 days, 7 days ».
1. [=list/Remove=] all elements in |deadlines| that are greater than or equal to |eventReportWindow|.
1. [=list/Append=] |eventReportWindow| to |deadlines|.
1. Let |lastEnd| be |sourceTime|.
1. Let |windows| be «».
1. [=list/iterate|For each=] |deadline| of |deadlines|:
    1. Let |window| be a new [=report window=] whose items are

        : [=report window/start=]
        :: |lastEnd|
        : [=report window/end=]
        :: |lastEnd| + |deadline|

    1. [=list/Append=] |window| to |windows|.
    1. Set |lastEnd| to |lastEnd| + |deadline|.
1. Return |windows|.

To <dfn>parse report windows</dfn> given a [=map=] |map|, a [=moment=] |sourceTime|,
and a [=report window list=] |default|:

1. If |map|["`event_report_windows`"] does not [=map/exist=], return |default|.
1. Let |values| be |map|["`event_report_windows`"].
1. If |values| is not a [=map=], return an error.
1. Let |defaultEndDuration| be the [=duration from=] |sourceTime| and the [=report window/end=] of the last element of |default|.
1. Let |startDuration| be 0 seconds.
1. If |map|["`start_time`"] [=map/exists=]:
    1. Let |start| be |map|["`start_time`"].
    1. If |start| is not a non-negative integer, return an error.
    1. Set |startDuration| to |start| seconds.
    1. If |startDuration| is greater than |defaultEndDuration|, return an error.
1. If |values|["`end_times`"] does not [=map/exist=] or is not a [=list=], return an error.
1. Let |endDurations| be |values|["`end_times`"].
1. If the [=list/size=] of |endDurations| is greater than [=max settable event-level report windows=], return an error.
1. If |endDurations| [=list/is empty=], return an error.
1. Let |windows| be an [=list/is empty|empty=] [=list=].
1. [=list/iterate|For each=] |end| of |endDurations|:
    1. If |end| is not a positive integer, return an error.
    1. Let |endDuration| be |end| seconds.
    1. If |endDuration| is greater than |defaultEndDuration|, set |endDuration| to |defaultEndDuration|.
    1. If |endDuration| is less than [=min report window=], set |endDuration| to [=min report window=].
    1. If |endDuration| is less than or equal to |startDuration|, return an error.
    1. Let |window| be a new [=report window=] whose items are

        : [=report window/start=]
        :: |sourceTime| + |startDuration|
        : [=report window/end=]
        :: |sourceTime| + |endDuration|

    1. [=list/Append=] |window| to |windows|.
    1. Set |startDuration| to |endDuration|.
1. Return |windows|.

To <dfn noexport>parse source-registration JSON</dfn> given a [=byte sequence=]
|json|, a [=suitable origin=] |sourceOrigin|, a [=suitable origin=] |reportingOrigin|, a
[=source type=] |sourceType|, and a [=moment=] |sourceTime|:

1. Let |value| be the result of running
    [=parse JSON bytes to an Infra value=] with |json|.
1. If |value| is not an [=ordered map=], return null.
1. Let |attributionDestinations| be the result of running
    [=parse attribution destinations=] with |value|.
1. If |attributionDestinations| is null, return null.
1. Let |sourceEventId| be the result of running
    [=parse an optional 64-bit unsigned integer=] with |value|,
    "`source_event_id`", and 0.
1. If |sourceEventId| is an error, return null.
1. Let |expiry| be the result of running [=parse a duration=] with |value|,
    "`expiry`", and [=valid source expiry range=].
1. If |expiry| is an error, return null.
1. If |sourceType| is "<code>[=source type/event=]</code>", round |expiry| away
    from zero to the nearest day (86400 seconds).
1. Let |priority| be the result of running
    [=parse an optional 64-bit signed integer=] with |value|, "`priority`", and
    0.
1. If |priority| is an error, return null.
1. Let |filterData| be a new [=filter map=].
1. If |value|["`filter_data`"] [=map/exists=]:
    1. Set |filterData| to the result of running [=parse filter data=] with
        |value|["`filter_data`"].
    1. If |filterData| is null, return null.
    1. If |filterData|["`source_type`"] [=map/exists=], return null.
1. [=map/Set=] |filterData|["`source_type`"] to « |sourceType| ».
1. Let |debugKey| be the result of running
    [=parse an optional 64-bit unsigned integer=] with |value|, "`debug_key`",
    and null.
1. If |debugKey| is an error, set |debugKey| to null.
1. If the result of running [=check if cookie-based debugging is allowed=] with
    |reportingOrigin| is <strong>blocked</strong>, set |debugKey| to null.
1. Let |aggregationKeys| be the result of running [=parse aggregation keys=] with |value|.
1. If |aggregationKeys| is null, return null.
1. Let |triggerDataCardinality| be the user agent's [=default trigger data cardinality=][|sourceType|].
1. Let |maxAttributionsPerSource| be [=default event-level attributions per source=][|sourceType|].
1. Set |maxAttributionsPerSource| to |value|["`max_event_level_reports`"] if it [=map/exists=].
1. If |maxAttributionsPerSource| is not a non-negative integer, or is greater than [=max settable event-level attributions per source=], return null.
1. Let |eventReportWindow| be the result of running [=parse a duration=] with
    |value|, "`event_report_window`", and ([=min report window=], |expiry|).
1. If |eventReportWindow| is an error, return null.
1. Let |aggregatableReportWindowEnd| be the result of running [=parse a duration=]
    with |value|, "`aggregatable_report_window`", and ([=min report window=], |expiry|).
1. If |aggregatableReportWindowEnd| is an error, return null.
1. Let |debugReportingEnabled| be false.
1. If |value|["`debug_reporting`"] [=map/exists=] and is a [=boolean=], set
    |debugReportingEnabled| to |value|["`debug_reporting`"].

1. Let |eventReportWindows| be the result of [=obtaining default effective windows=] given |sourceType|, |sourceTime|, and |eventReportWindow|.
1. If both |value|["`event_report_window`"] and |value|["`event_report_windows`"] [=map/exist=], return null.
1. Set |eventReportWindows| to the result of [=parsing report windows=] with |value|, |sourceTime|, and |eventReportWindows|.
1. If |eventReportWindows| is an error, return null.
1. Let |aggregatableReportWindow| be a new [=report window=] with the following items:

    : [=report window/start=]
    :: |sourceTime|
    : [=report window/end=]
    :: |sourceTime| + |aggregatableReportWindowEnd|

1. Let |randomizedResponseConfig| be a new [=randomized response output configuration=] whose items are:

    : [=randomized response output configuration/max attributions per source=]
    :: |maxAttributionsPerSource|
    : [=randomized response output configuration/num report windows=]
    :: The [=list/size=] of |eventReportWindows|.
    : [=randomized response output configuration/trigger data cardinality=]
    :: |triggerDataCardinality|

1. Let |epsilon| be the user agent's [=randomized response epsilon=].
1. If the result of [=computing the channel capacity of a source=] with |randomizedResponseConfig| and |epsilon| is greater than
    [=max event-level channel capacity per source=][|sourceType|], return null.

1. Let |source| be a new [=attribution source=] struct whose items are:

    : [=attribution source/source identifier=]
    :: A new unique [=string=]
    : [=attribution source/source origin=]
    :: |sourceOrigin|
    : [=attribution source/event ID=]
    :: |sourceEventId|
    : [=attribution source/attribution destinations=]
    :: |attributionDestinations|
    : [=attribution source/reporting origin=]
    :: |reportingOrigin|
    : [=attribution source/expiry=]
    :: |expiry|
    : [=attribution source/event-level report windows=]
    :: |eventReportWindows|
    : [=attribution source/aggregatable report window=]
    :: |aggregatableReportWindow|
    : [=attribution source/priority=]
    :: |priority|
    : [=attribution source/source time=]
    :: |sourceTime|
    : [=attribution source/source type=]
    :: |sourceType|
    : [=attribution source/max number of event-level reports=]
    :: |maxAttributionsPerSource|
    : [=attribution source/randomized response=]
    :: The result of [=obtaining a randomized source response=] with |randomizedResponseConfig| and |epsilon|.
    : [=attribution source/randomized trigger rate=]
    :: The result of [=obtaining a randomized source response pick rate=] with |randomizedResponseConfig| and |epsilon|.
    : [=attribution source/filter data=]
    :: |filterData|
    : [=attribution source/debug key=]
    :: |debugKey|
    : [=attribution source/aggregation keys=]
    :: |aggregationKeys|
    : [=attribution source/aggregatable budget consumed=]
    :: 0
    : [=attribution source/debug reporting enabled=]
    :: |debugReportingEnabled|
1. Return |source|.

Issue: Determine proper charset-handling for the JSON header value.

<h3 id="processing-an-attribution-source">Processing an attribution source</h3>

To <dfn>check if an [=attribution source=] exceeds the time-based destination limits</dfn> given an
[=attribution source=] |source|, run the following steps:

1. Let |matchingSources| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/source=]</code>"
     * |record|'s [=attribution rate-limit record/source site=] and |source|'s [=attribution source/source site=] are equal
     * |record|'s [=attribution rate-limit record/expiry time=] is greater than |source|'s [=attribution source/source time=]
     * The [=duration from=] |record|'s [=attribution rate-limit record/time=] and |source|'s [=attribution source/source time=]
        is less than [=destination rate-limit window=]
1. Let |matchingSameReportingSources| be all the [=attribution rate-limit records|records=] in |matchingSources|
    whose associated [=attribution rate-limit record/reporting origin=] is [=same site=] with |source|'s
    [=attribution source/reporting origin=].
1. Let |destinations| be the [=set=] of every [=attribution rate-limit record/attribution destination=] in |matchingSources|,
    [=set/union|unioned=] with |source|'s [=attribution source/attribution destinations=].
1. Let |sameReportingDestinations| be the [=set=] of every [=attribution rate-limit record/attribution destination=] in |matchingSameReportingSources|,
    [=set/union|unioned=] with |source|'s [=attribution source/attribution destinations=].
1. Let |hitRateLimit| be whether |destinations|'s [=set/size=] is greater than [=max destinations per rate-limit window=][0].
1. Let |hitSameReportingRateLimit| be whether |sameReportingDestinations|'s [=set/size=] is greater than [=max destinations per rate-limit window=][1].
1. If (|hitRateLimit|, |hitSameReportingRateLimit|) is
    <dl class="switch">
    : (false, false)
    :: Return "<code>[=destination rate-limit result/allowed=]</code>".
    : (false, true)
    :: Return "<code>[=destination rate-limit result/hit reporting limit=]</code>".
    : (true, false)
    :: Return "<code>[=destination rate-limit result/hit global limit=]</code>".
    : (true, true)
    :: Return "<code>[=destination rate-limit result/hit reporting limit=]</code>".

    </dl>

Note: We do not emit an explicit [=source debug data type=] for "<code>[=destination rate-limit result/hit global limit=]</code>",
we only emit a [=source debug data type/source-success=] type. For this reason, when both limits are hit, just interpret
it as "<code>[=destination rate-limit result/hit reporting limit=]</code>" to ensure that the most useful report is sent.

To <dfn>check if an [=attribution source=] exceeds the unexpired destination limit</dfn> given an
[=attribution source=] |source|, run the following steps:

1. Let |unexpiredSources| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/source=]</code>"
     * |record|'s [=attribution rate-limit record/source site=] and |source|'s [=attribution source/source site=] are equal
     * |record|'s [=attribution rate-limit record/reporting origin=] and |source|'s [=attribution source/reporting origin=] are [=same site=]
     * |record|'s [=attribution rate-limit record/expiry time=] is greater than |source|'s [=attribution source/source time=]
1. Let |unexpiredDestinations| be an [=set/is empty|empty=] [=set=].
1. For each [=attribution rate-limit record=] |unexpiredRecord| of |unexpiredSources|:
    1. [=set/Append=] |unexpiredRecord|'s [=attribution rate-limit record/attribution destination=] to |unexpiredDestinations|.
1. Let |newDestinations| be the result of taking the [=set/union=] of |unexpiredDestinations| and |source|'s [=attribution source/attribution destinations=].
1. Return whether |newDestinations|'s [=set/size=] is greater than the user agent's [=max destinations covered by unexpired sources=].

To <dfn>obtain a fake report</dfn> given an [=attribution source=] |source| and
a [=trigger state=] |triggerState|:

1. Let |fakeConfig| be a new [=event-level trigger configuration=] with the items:
    : [=event-level trigger configuration/trigger data=]
    :: |triggerState|'s [=trigger state/trigger data=]
    : [=event-level trigger configuration/dedup key=]
    :: null
    : [=event-level trigger configuration/priority=]
    :: 0
    : [=event-level trigger configuration/filters=]
    :: «[ "`source_type`" → « |source|'s [=attribution source/source type=] » ]»
1. Let |fakeTrigger| be a new [=attribution trigger=] with the items:
    : [=attribution trigger/attribution destinations=]
    :: |source|'s [=attribution source/attribution destinations=]
    : [=attribution trigger/trigger time=]
    :: |source|'s [=attribution source/source time=]
    : [=attribution trigger/reporting origin=]
    :: |source|'s [=attribution source/reporting origin=]
    : [=attribution trigger/filters=]
    :: «[]»
    : [=attribution trigger/debug key=]
    :: null
    : [=attribution trigger/event-level trigger configurations=]
    :: « |fakeConfig| »
    : [=attribution trigger/aggregatable trigger data=]
    :: «»
    : [=attribution trigger/aggregatable values=]
    :: «[]»
    : [=attribution trigger/aggregatable dedup key=]
    :: «»
    : [=attribution trigger/debug reporting enabled=]
    :: false
    : [=attribution trigger/aggregation coordinator=]
    :: [=default aggregation coordinator=]
    : [=attribution trigger/verifications=]
    :: «»
    : [=attribution trigger/aggregatable source registration time configuration=]
    :: "<code>[=aggregatable source registration time configuration/exclude=]</code>"
1. Let |fakeReport| be the result of running [=obtain an event-level report=] with |source|,
    |fakeTrigger|, and |fakeConfig|.
1. Set |fakeReport|'s [=event-level report/report time=] to the result of
    running [=obtain the report time at a window=] with |source| and
    |triggerState|'s [=trigger state/report window=].
1. Return |fakeReport|.

To <dfn>check if debug reporting is allowed</dfn> given a [=source debug data type=] |dataType|
and a [=suitable origin=] |reportingOrigin|:
1. If |dataType| is:
    <dl class="switch">
    : "<code>[=source debug data type/source-destination-limit=]</code>"
    : "<code>[=source debug data type/source-destination-rate-limit=]</code>"
    :: Return <strong>allowed</strong>.
    : "<code>[=source debug data type/source-noised=]</code>"
    : "<code>[=source debug data type/source-storage-limit=]</code>"
    : "<code>[=source debug data type/source-success=]</code>"
    : "<code>[=source debug data type/source-unknown-error=]</code>"
    :: Return the result of running [=check if cookie-based debugging is allowed=] with |reportingOrigin|.

    </dl>

To <dfn>obtain and deliver a debug report on source registration</dfn> given a
[=source debug data type=] |dataType| and an [=attribution source=] |source|:

1. If |source|'s [=attribution source/debug reporting enabled=] is false, return.
1. If the result of running [=check if debug reporting is allowed=] with |dataType| and |source|'s
    [=attribution source/reporting origin=] is <strong>blocked</strong>, return.
1. Let |body| be a new [=map=] with the following key/value pairs:
    : "`attribution_destination`"
    :: |source|'s [=attribution source/attribution destinations=], [=serialize attribution destinations|serialized=].
    : "`source_event_id`"
    :: |source|'s [=attribution source/event ID=], [=serialize an integer|serialized=].
    : "`source_site`"
    :: |source|'s [=attribution source/source site=], <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
1. If |source|'s [=attribution source/debug key=] is not null, [=map/set=] |body|["`source_debug_key`"]
    to |source|'s [=attribution source/debug key=], [=serialize an integer|serialized=].

1. If |dataType| is:
    <dl class="switch">
    : "<code>[=source debug data type/source-destination-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to the user agent's [=max destinations covered by unexpired sources=],
         [=serialize an integer|serialized=].
    : "<code>[=source debug data type/source-destination-rate-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to the user agent's [=max destinations per rate-limit window=][1],
         [=serialize an integer|serialized=].
    : "<code>[=source debug data type/source-storage-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to the user agent's [=max pending sources per source origin=],
         [=serialize an integer|serialized=].

    </dl>
1. Let |data| be a new [=attribution debug data=] with the items:
    : [=attribution debug data/data type=]
    :: |dataType|
    : [=attribution debug data/body=]
    :: |body|
1. Run [=obtain and deliver a debug report=] with « |data| » and |source|'s [=attribution source/reporting origin=].

To <dfn>process an attribution source</dfn> given an [=attribution source=] |source|:

1. Let |destinationRateLimitResult| be the result of running [=check if an attribution source exceeds the time-based destination limit=] with |source|.
1. If |destinationRateLimitResult| is "<code>[=destination rate-limit result/hit reporting limit=]</code>":
    1. Run [=obtain and deliver a debug report on source registration=] with "<code>[=source debug data type/source-destination-rate-limit=]</code>" and |source|.
    1. Return.
1. If |destinationRateLimitResult| is "<code>[=destination rate-limit result/hit global limit=]</code>":
    1. Run [=obtain and deliver a debug report on source registration=] with "<code>[=source debug data type/source-success=]</code>" and |source|.
    1. Return.
1. Let |cache| be the user agent's [=attribution source cache=].
1. [=list/Remove=] all [=attribution sources=] |entry| in |cache| where |entry|'s [=attribution source/expiry time=] is less than |source|'s [=attribution source/source time=].
1. Let |pendingSourcesForSourceOrigin| be the [=set=] of all
    [=attribution sources=] |pendingSource| of |cache| where |pendingSource|'s
    [=attribution source/source origin=] and |source|'s
    [=attribution source/source origin=] are [=same origin=].
1. If |pendingSourcesForSourceOrigin|'s [=list/size=] is greater than or equal
    to the user agent's [=max pending sources per source origin=]:
    1. Run [=obtain and deliver a debug report on source registration=] with "<code>[=source debug data type/source-storage-limit=]</code>" and |source|.
    1. Return.
1. If the result of running [=check if an attribution source exceeds the unexpired destination limit=]
    with |source| is true:
    1. Run [=obtain and deliver a debug report on source registration=] with "[=source debug data type/source-destination-limit=]</code>" and |source|.
    1. Return.
1. [=set/iterate|For each=] |destination| in |source|'s [=attribution source/attribution destinations=]:
    1. Let |rateLimitRecord| be a new [=attribution rate-limit record=] with the items:
        : [=attribution rate-limit record/scope=]
        :: "<code>[=rate-limit scope/source=]</code>"
        : [=attribution rate-limit record/source site=]
        :: |source|'s [=attribution source/source site=]
        : [=attribution rate-limit record/attribution destination=]
        :: |destination|
        : [=attribution rate-limit record/reporting origin=]
        :: |source|'s [=attribution source/reporting origin=]
        : [=attribution rate-limit record/time=]
        :: |source|'s [=attribution source/source time=]
        : [=attribution rate-limit record/expiry time=]
        :: |source|'s [=attribution source/expiry time=]
    1. If the result of running [=should processing be blocked by reporting-origin limit=] with
        |rateLimitRecord| is <strong>blocked</strong>:
        1. Run [=obtain and deliver a debug report on source registration=] with "[=source debug data type/source-success=]</code>" and |source|.
        1. Return.
    1. [=set/Append=] |rateLimitRecord| to the [=attribution rate-limit cache=].
1. [=list/Remove=] all [=attribution rate-limit records=] |entry| from the [=attribution rate-limit cache=] if the result of running
    [=can attribution rate-limit record be removed=] with |entry| and |source|'s [=attribution source/source time=] is true.
1. Let |debugDataType| be "<code>[=source debug data type/source-success=]</code>".
1. If |source|'s [=attribution source/randomized response=] is not null and is a [=set=]:
    1. [=set/iterate|For each=] [=trigger state=] |triggerState| of |source|'s
        [=attribution source/randomized response=]:
        1. Let |fakeReport| be the result of running [=obtain a fake report=]
            with |source| and |triggerState|.
        1. [=set/Append=] |fakeReport| to the [=event-level report cache=].
    1. If |source|'s [=attribution source/randomized response=] is not [=set/is empty|empty=],
        then set |source|'s [=attribution source/event-level attributable=] value to false.
    1. [=map/iterate|For each=] |destination| in [=source=]'s [=attribution source/attribution destinations=]:
        1. Let |rateLimitRecord| be a new [=attribution rate-limit record=] with the items:
            : [=attribution rate-limit record/scope=]
            :: "<code>[=rate-limit scope/attribution=]</code>"
            : [=attribution rate-limit record/source site=]
            :: |source|'s [=attribution source/source site=]
            : [=attribution rate-limit record/attribution destination=]
            :: |destination|
            : [=attribution rate-limit record/reporting origin=]
            :: |source|'s [=attribution source/reporting origin=]
            : [=attribution rate-limit record/time=]
            :: |source|'s [=attribution source/source time=]
            : [=attribution rate-limit record/expiry time=]
            :: null
        1. [=set/Append=] |rateLimitRecord| to the [=attribution rate-limit cache=].
    1. Set |debugDataType| to "<code>[=source debug data type/source-noised=]</code>".
1. Run [=obtain and deliver a debug report on source registration=] with |debugDataType| and |source|.
1. [=set/Append=] |source| to |cache|.

Note: Because a fake report does not have a "real" effective destination, we need to subtract from the
privacy budget of all possible destinations.

# Triggering Algorithms # {#trigger-algorithms}

<h3 algorithm id="attribution-trigger-creation">Creating an attribution trigger</h3>

To <dfn>parse event triggers</dfn> given an [=ordered map=] |map|:

1. Let |eventTriggers| be a new [=set=].
1. If |map|["`event_trigger_data`"] does not [=map/exists|exist=], return
    |eventTriggers|.
1. Let |values| be |map|["`event_trigger_data`"].
1. If |values| is not a [=list=], return null.
1. [=list/iterate|For each=] |value| of |values|:
    1. If |value| is not an [=ordered map=], return null.
    1. Let |triggerData| be the result of running
        [=parse an optional 64-bit unsigned integer=] with |value|,
        "`trigger_data`", and 0.
    1. If |triggerData| is an error, return null.
    1. Let |dedupKey| be the result of running
        [=parse an optional 64-bit unsigned integer=] with |value|,
        "`deduplication_key`", and null.
    1. If |dedupKey| is an error, return null.
    1. Let |priority| be the result of running
        [=parse an optional 64-bit signed integer=] with |value|, "`priority`",
        and 0.
    1. If |priority| is an error, return null.
    1. Let |filterPair| be the result of running [=parse a filter pair=] with
        |value|.
    1. If |filterPair| is null, return null.
    1. Let |eventTrigger| be a new [=event-level trigger configuration=] with
        the items:
        : [=event-level trigger configuration/trigger data=]
        :: |triggerData|
        : [=event-level trigger configuration/dedup key=]
        :: |dedupKey|
        : [=event-level trigger configuration/priority=]
        :: |priority|
        : [=event-level trigger configuration/filters=]
        :: |filterPair|[0]
        : [=event-level trigger configuration/negated filters=]
        :: |filterPair|[1]
    1. [=set/Append=] |eventTrigger| to |eventTriggers|.
1. Return |eventTriggers|.

To <dfn>parse aggregatable trigger data</dfn> given an [=ordered map=] |map|:

1. Let |aggregatableTriggerData| be a new [=list=].
1. If |map|["`aggregatable_trigger_data`"] does not [=map/exist=], return |aggregatableTriggerData|.
1. Let |values| be |map|["`aggregatable_trigger_data`"].
1. If |values| is not a [=list=], return null.
1. [=list/iterate|For each=] |value| of |values|:
    1. If |value| is not an [=ordered map=], return null.
    1. If |value|["`key_piece`"] does not [=map/exist=] or is not a [=string=], return null.
    1. Let |keyPiece| be the result of running [=parse an aggregation key piece=] with |value|["`key_piece`"].
    1. If |keyPiece| is an error, return null.
    1. Let |sourceKeys| be a new [=ordered set=].
    1. If |value|["`source_keys`"] [=map/exists=]:
        1. If |value|["`source_keys`"] is not a [=list=], return null.
        1. If |value|["`source_keys`"]'s [=list/size=] is greater than the user agent's
            [=max aggregation keys per attribution=], return null.
        1. [=list/iterate|For each=] |sourceKey| of |value|["`source_keys`"]:
            1. If |sourceKey| is not a [=string=], return null.
            1. [=set/Append=] |sourceKey| to |sourceKeys|.
    1. Let |filterPair| be the result of running [=parse a filter pair=] with
        |value|.
    1. If |filterPair| is null, return null.
    1. Let |aggregatableTrigger| be a new [=aggregatable trigger data=] with the items:
        : [=aggregatable trigger data/key piece=]
        :: |keyPiece|
        : [=aggregatable trigger data/source keys=]
        :: |sourceKeys|
        : [=aggregatable trigger data/filters=]
        :: |filterPair|[0]
        : [=aggregatable trigger data/negated filters=]
        :: |filterPair|[1]
    1. [=list/Append=] |aggregatableTrigger| to |aggregatableTriggerData|.
1. Return |aggregatableTriggerData|.

Issue: Determine whether to limit [=string/length=] or [=string/code point length=] for |sourceKey| above.

To <dfn>parse aggregatable values</dfn> given an [=ordered map=] |map|:

1. If |map|["`aggregatable_values`"] does not [=map/exist=], return «[]».
1. Let |values| be |map|["`aggregatable_values`"].
1. If |values| is not an [=ordered map=], return null.
1. If |values|'s [=map/size=] is greater than the user agent's
    [=max aggregation keys per attribution=], return null.
1. [=map/iterate|For each=] |key| → |value| of |values|:
     1. If |value| is not an integer, return null.
     1. If |value| is less than or equal to 0, return null.
     1. If |value| is greater than [=allowed aggregatable budget per source=], return null.
1. Return |values|.

Issue: Determine whether to limit [=string/length=] or [=string/code point length=] for |key| above.

To <dfn>parse aggregatable dedup keys</dfn> given an [=ordered map=] |map|:

1. Let |aggregatableDedupKeys| be a new [=list=].
1. If |map|["`aggregatable_deduplication_keys`"] does not [=map/exist=], return |aggregatableDedupKeys|.
1. Let |values| be |map|["`aggregatable_deduplication_keys`"].
1. If |values| is not a [=list=], return null.
1. [=list/iterate|For each=] |value| of |values|:
    1. If |value| is not an [=ordered map=], return null.
    1. Let |dedupKey| be the result of running
        [=parse an optional 64-bit unsigned integer=] with |value|,
        "`deduplication_key`", and null.
    1. If |dedupKey| is an error, return null.
    1. Let |filterPair| be the result of running [=parse a filter pair=] with
        |value|.
    1. If |filterPair| is null, return null.
    1. Let  |aggregatableDedupKey| be a new [=aggregatable dedup key=] with the items:
        : [=aggregatable dedup key/dedup key=]
        :: |dedupKey|
        : [=aggregatable dedup key/filters=]
        :: |filterPair|[0]
        : [=aggregatable dedup key/negated filters=]
        :: |filterPair|[1]
    1. [=set/Append=] |aggregatableDedupKey| to |aggregatableDedupKeys|.
1. Return |aggregatableDedupKeys|.

To <dfn noexport>create an attribution trigger</dfn> given a [=byte sequence=]
|json|, a [=site=] |destination|, a [=suitable origin=] |reportingOrigin|, a [=list=] of [=trigger verification=] |triggerVerifications|,
and a [=moment=] |triggerTime|:

1. Let |value| be the result of running
    [=parse JSON bytes to an Infra value=] with |json|.
1. If |value| is not an [=ordered map=], return null.
1. Let |eventTriggers| be the result of running [=parse event triggers=]
    with |value|.
1. If |eventTriggers| is null, return null.
1. Let |aggregatableTriggerData| be the result of running [=parse aggregatable trigger data=]
    with |value|.
1. If |aggregatableTriggerData| is null, return null.
1. Let |aggregatableValues| be the result of running [=parse aggregatable values=] with |value|.
1. If |aggregatableValues| is null, return null.
1. Let |aggregatableDedupKeys| be the result of running [=parse aggregatable dedup keys=]
    with |value|.
1. If |aggregatableDedupKeys| is null, return null.
1. Let |debugKey| be the result of running
    [=parse an optional 64-bit unsigned integer=] with |value|, "`debug_key`",
    and null.
1. If |debugKey| is an error, set |debugKey| to null.
1. If the result of running [=check if cookie-based debugging is allowed=] with
    |reportingOrigin| is <strong>blocked</strong>, set |debugKey| to null.
1. Let |filterPair| be the result of running [=parse a filter pair=] with |value|.
1. If |filterPair| is null, return null.
1. Let |debugReportingEnabled| be false.
1. If |value|["`debug_reporting`"] [=map/exists=] and is a [=boolean=], set
    |debugReportingEnabled| to value["`debug_reporting`"].
1. Let |aggregationCoordinator| be [=default aggregation coordinator=].
1. If |value|["`aggregation_coordinator_origin`"] [=map/exists=]:
    1. If |value|["`aggregation_coordinator_origin`"] is not a [=string=], return null.
    1. Let |url| be the result of running the [=URL parser=] on |value|["`aggregation_coordinator_origin`"].
    1. If |url| is failure or null, return null.
    1. If |url|'s [=url/origin=] is not an [=aggregation coordinator=], return null.
    1. Set |aggregationCoordinator| to |url|'s [=url/origin=].
1. Let |aggregatableSourceRegTimeConfig| be "<code>[=aggregatable source registration time configuration/exclude=]</code>".
1. If |value|["`aggregatable_source_registration_time`"] [=map/exists=]:
    1. If |value|["`aggregatable_source_registration_time`"] is not a [=string=], return null.
    1. If |value|["`aggregatable_source_registration_time`"] is not an [=aggregatable source registration time configuration=],
        return null.
    1. Set |aggregatableSourceRegTimeConfig| to |value|["`aggregatable_source_registration_time`"].
1. Let |trigger| be a new [=attribution trigger=] with the items:
    : [=attribution trigger/attribution destination=]
    :: |destination|
    : [=attribution trigger/trigger time=]
    :: |triggerTime|
    : [=attribution trigger/reporting origin=]
    :: |reportingOrigin|
    : [=attribution trigger/filters=]
    :: |filterPair|[0]
    : [=attribution trigger/negated filters=]
    :: |filterPair|[1]
    : [=attribution trigger/debug key=]
    :: |debugKey|
    : [=attribution trigger/event-level trigger configurations=]
    :: |eventTriggers|
    : [=attribution trigger/aggregatable trigger data=]
    :: |aggregatableTriggerData|
    : [=attribution trigger/aggregatable values=]
    :: |aggregatableValues|
    : [=attribution trigger/aggregatable dedup keys=]
    :: |aggregatableDedupKeys|
    : [=attribution trigger/verifications=]
    :: |triggerVerifications|
    : [=attribution trigger/debug reporting enabled=]
    :: |debugReportingEnabled|
    : [=attribution trigger/aggregation coordinator=]
    :: |aggregationCoordinator|
    : [=attribution trigger/aggregatable source registration time configuration=]
    :: |aggregatableSourceRegTimeConfig|
1. Return |trigger|.

Issue: Determine proper charset-handling for the JSON header value.

<h3 dfn id="does-filter-data-match">Does filter data match</h3>

To <dfn>match [=filter values=]</dfn> given a [=filter value=] |a| and a [=filter value=] |b|:
1. If |b| [=set/is empty=], then:
    1. If |a| [=set/is empty=], then return true.
    1. Otherwise, return false.
1. Let |i| be the [=set/intersection=] of |a| and |b|.
1. If |i| [=set/is empty=], then return false.
1. Return true.

To <dfn>match [=filter values=] with negation</dfn> given a [=filter value=] |a| and a [=filter value=] |b|:
1. If |b| [=set/is empty=], then:
    1. If |a| is not [=set/is empty|empty=], then return true.
    1. Otherwise, return false.
1. Let |i| be the [=set/intersection=] of |a| and |b|.
1. If |i| is not [=set/is empty|empty=], then return false.
1. Return true.

To <dfn>match an attribution source's filter data against a filter config</dfn> given an
[=attribution source=] |source|, a [=filter config=] |filter|, a [=moment=] |moment|, and a [=boolean=]
<dfn for="match an attribution source's filter data against a filter config"><var>isNegated</var></dfn>:

1. Let |lookbackWindow| be |filter|'s [=filter config/lookback window=].
1. If |lookbackWindow| is not null:
    1. If the [=duration from=] |moment| and the |source|'s [=attribution source/source time=] is greater than |lookbackWindow|:
        1. If |isNegated| is false, return false.
    1. Else if |isNegated| is true, return false.
    
    Note: If non-negated, the source must have been registered inside of the
    lookback window. If negated, it must be outside of the lookback window.

1. Let |filterMap| be |filter|'s [=filter config/map=].
1. Let |sourceData| be |source|'s [=attribution source/filter data=].
1. [=map/iterate|For each=] |key| → |filterValues| of |filterMap|:
    1. If |sourceData|[|key|] does not [=map/exist=], [=iteration/continue=].
    1. Let |sourceValues| be |sourceData|[|key|].
    1. If |isNegated| is:
        <dl class="switch">
        <dt>false</dt>
        <dd> If the result of running [=match filter values=] with |sourceValues| and |filterValues|
             is false, return false.</dd>

        <dt>true</dt>
        <dd>If the result of running [=match filter values with negation=] with |sourceValues| and
            |filterValues| is false, return false.</dd>
        </dl>
1. Return true.

To <dfn>match an attribution source's filter data against filters</dfn> given an
[=attribution source=] |source|, a [=list=] of [=filter configs=] |filters|, a [=moment=] |moment|, and a [=boolean=]
<dfn for="match an attribution source's filter data against filters"><var>isNegated</var></dfn>:

1. If |filters| [=list/is empty=], return true.
1. [=list/iterate|For each=] |filter| of |filters|:
    1. If the result of running [=match an attribution source's filter data against a filter config=] with |source|, |filter|, |moment|, and |isNegated| is true, return true.
1. Return false.

To <dfn>match an attribution source's filter data against filters and negated filters</dfn> given an
[=attribution source=] |source|, a [=list=] of [=filter configs=] |filters|, a [=list=] of [=filter configs=] |notFilters|, and a [=moment=] |moment|:

1. If the result of running [=match an attribution source's filter data against filters=] with
    |source|, |filters|, |moment|, and [=match an attribution source's filter data against filters/isNegated=] set to false is false, return false.
1. If the result of running [=match an attribution source's filter data against filters=] with
    |source|, |notFilters|, |moment|, and [=match an attribution source's filter data against filters/isNegated=] set to true is false, return false.
1. Return true.

<h3 dfn id="should-block-attribution-for-attribution-limit">Should attribution be blocked by attribution rate limit</h3>

Given an [=attribution trigger=] |trigger| and [=attribution source=] |sourceToAttribute|:

1. Let |matchingRateLimitRecords| be all [=attribution rate-limit records=] |record| of [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/attribution=]</code>"
     * |record|'s [=attribution rate-limit record/source site=] and |sourceToAttribute|'s [=attribution source/source site=] are equal
     * |record|'s [=attribution rate-limit record/attribution destination=] and |trigger|'s [=attribution trigger/attribution destination=] are equal
     * |record|'s [=attribution rate-limit record/reporting origin=] and |trigger|'s [=attribution trigger/reporting origin=] are [=same site=]
     * |record|'s [=attribution rate-limit record/time=] is at least [=attribution rate-limit window=] before |trigger|'s [=attribution trigger/trigger time=]
1. If |matchingRateLimitRecords|'s [=list/size=] is greater than or equal to [=max attributions per rate-limit window=], return <strong>blocked</strong>.
1. Return <strong>allowed</strong>.

<h3 dfn id="should-block-processing-for-reporting-origin-limit">Should processing be blocked by reporting-origin limit</h3>

Given an [=attribution rate-limit record=] |newRecord|:

1. Let |max| be [=max source reporting origins per rate-limit window=].
1. If |newRecord|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/attribution=]</code>", set |max| to
     [=max attribution reporting origins per rate-limit window=].
1. Let |matchingRateLimitRecords| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] and |newRecord|'s [=attribution rate-limit record/scope=] are equal
     * |record|'s [=attribution rate-limit record/source site=] and |newRecord|'s [=attribution rate-limit record/source site=] are equal
     * |record|'s [=attribution rate-limit record/attribution destination=] and |newRecord|'s [=attribution rate-limit record/attribution destination=] are equal
     * The [=duration from=] |record|'s [=attribution rate-limit record/time=] and  |newRecord|'s [=attribution rate-limit record/time=] is <= [=attribution rate-limit window=]
1. Let |distinctReportingOrigins| be the [=set=] of all [=attribution rate-limit record/reporting origin=] in |matchingRateLimitRecords|,
    [=set/union|unioned=] with «|newRecord|'s [=attribution rate-limit record/reporting origin=]»
1. If |distinctReportingOrigins|'s [=list/size=] is greater than |max|, return <strong>blocked</strong>.

    NOTE: [=rate-limit scope/source=] scopes have an auxiliary [=max source reporting origins per source reporting site=] rate limit that also must be enforced.

1. If |newRecord|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/attribution=]</code>", return <strong>allowed</strong>
1. Let |matchingRateLimitRecords| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/source=]</code>"
     * |record|'s [=attribution rate-limit record/source site=] and |newRecord|'s [=attribution rate-limit record/source site=] are equal
     * The [=duration from=] |record|'s [=attribution rate-limit record/time=] and  |newRecord|'s [=attribution rate-limit record/time=] is <= [=origin rate-limit window=]
1. Let |distinctReportingOrigins| be the [=set=] of all [=attribution rate-limit record/reporting origin=] in |matchingRateLimitRecords|,
    [=set/union|unioned=] with «|newRecord|'s [=attribution rate-limit record/reporting origin=]»
1. If |distinctReportingOrigins|'s [=list/size=] is greater than [=max source reporting origins per source reporting site=], return <strong>blocked</strong>.
1. Return <strong>allowed</strong>.

<h3 dfn id="should-block-attribution-for-rate-limits">Should attribution be blocked by rate limits</h3>

Given an [=attribution trigger=] |trigger|, an [=attribution source=]
|sourceToAttribute|, and an [=attribution rate-limit record=] |newRecord|:

1. If the result of running [=should attribution be blocked by attribution rate limit=] with |trigger| and
    |sourceToAttribute| is <strong>blocked</strong>:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
        with "<code>[=trigger debug data type/trigger-attributions-per-source-destination-limit=]</code>", |trigger|, |sourceToAttribute| and
        [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. If the result of running [=should processing be blocked by reporting-origin limit=] with
    |newRecord| is <strong>blocked</strong>:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
        with "<code>[=trigger debug data type/trigger-reporting-origin-limit=]</code>", |trigger|, |sourceToAttribute| and
        [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. Return null.

<h3 algorithm id="creating-aggregatable-contributions">Creating aggregatable contributions</h3>

To <dfn>create [=aggregatable contributions=]</dfn> given an [=attribution source=] |source| and an
 [=attribution trigger=] |trigger|, run the following steps:

1. Let |aggregationKeys| be the result of [=map/clone|cloning=] |source|'s [=attribution source/aggregation keys=].
1. [=list/iterate|For each=] |triggerData| of |trigger|'s [=attribution trigger/aggregatable trigger data=]:
    1. If the result of running [=match an attribution source's filter data against filters and negated filters=] with
        |source|, |triggerData|'s [=aggregatable trigger data/filters=],
        |triggerData|'s [=aggregatable trigger data/negated filters=], and
        |trigger|'s [=attribution trigger/trigger time=]
        is false, [=iteration/continue=]:
    1. [=set/iterate|For each=] |sourceKey| of |triggerData|'s [=aggregatable trigger data/source keys=]:
        1. If |aggregationKeys|[|sourceKey|] does not [=map/exist=], [=iteration/continue=].
        1. [=map/Set=] |aggregationKeys|[|sourceKey|] to |aggregationKeys|[|sourceKey|] bitwise-OR |triggerData|'s
            [=aggregatable trigger data/key piece=].
1. Let |aggregatableValues| be |trigger|'s [=attribution trigger/aggregatable values=].
1. Let |contributions| be a new empty [=list=].
1. [=map/iterate|For each=] |id| → |key| of |aggregationKeys|:
    1. If |aggregatableValues|[|id|] does not [=map/exist=], [=iteration/continue=].
    1. Let |contribution| be a new [=aggregatable contribution=] with the items:
        : [=aggregatable contribution/key=]
        :: |key|
        : [=aggregatable contribution/value=]
        :: |aggregatableValues|[|id|]
    1. [=list/Append=] |contribution| to |contributions|.
1. Return |contributions|.

<h3 id="can-source-create-aggregatable-contributions">Can source create aggregatable contributions</h3>

To <dfn>check if an [=attribution source=] can create [=aggregatable contributions=]</dfn> given an
[=aggregatable report=] |report| and an [=attribution source=] |sourceToAttribute|, run the following steps:

1. Let |remainingAggregatableBudget| be [=allowed aggregatable budget per source=] minus |sourceToAttribute|'s
    [=attribution source/aggregatable budget consumed=].
1. [=Assert=]: |remainingAggregatableBudget| is greater than or equal to 0.
1. If |report|'s [=aggregatable report/required aggregatable budget=] is greater than
    |remainingAggregatableBudget|, return false.
1. Return true.

<h3 id="obtaining-trigger-debug-data">Obtaining debug data on trigger registration</h3>

To <dfn>obtain debug data body on trigger registration</dfn> given a
[=trigger debug data type=] |dataType|, an [=attribution trigger=] |trigger|,
an optional [=attribution source=] <dfn for="obtain debug data body on trigger registration">
<var>sourceToAttribute</var></dfn>, and an optional [=attribution report=]
<dfn for="obtain debug data body on trigger registration"><var>report</var></dfn>:

1. Let |body| be a new [=map/is empty|empty=] [=map=].
1. If |dataType| is:
    <dl class="switch">
    : "<code>[=trigger debug data type/trigger-attributions-per-source-destination-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to the user agent's [=max attributions per rate-limit window=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-reporting-origin-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to the user agent's [=max attribution reporting origins per rate-limit window=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-event-storage-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=max event-level reports per attribution destination=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-aggregate-storage-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=max aggregatable reports per attribution destination=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-aggregate-insufficient-budget=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=allowed aggregatable budget per source=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-aggregate-excessive-reports=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=max aggregatable reports per source=],
    : "<code>[=trigger debug data type/trigger-event-low-priority=]</code>"
    : "<code>[=trigger debug data type/trigger-event-excessive-reports=]</code>"
    ::
        1. [=Assert=]: |report| is not null and is an [=event-level report=].
        1. Return the result of running [=obtain an event-level report body=] with |report|.

    </dl>

1. [=map/Set=] |body|["`attribution_destination`"] to |trigger|'s [=attribution trigger/attribution destination=],
    <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
1. If |trigger|'s [=attribution trigger/debug key=] is not null, [=map/set=] |body|["`trigger_debug_key`"]
    to |trigger|'s [=attribution trigger/debug key=], [=serialize an integer|serialized=].
1. If |sourceToAttribute| is not null:
    1. [=map/Set=] |body|["`source_event_id`"] to |source|'s [=attribution source/event ID=], [=serialize an integer|serialized=].
    1. [=map/Set=] |body|["`source_site`"] to |source|'s [=attribution source/source site=], <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
    1. If |sourceToAttribute|'s [=attribution source/debug key=] is not null, [=map/set=]
        |body|["`source_debug_key`"] to |sourceToAttribute|'s [=attribution source/debug key=],
        [=serialize an integer|serialized=].
1. Return |body|.

To <dfn>obtain debug data on trigger registration</dfn> given a [=trigger debug data type=] |dataType|,
an [=attribution trigger=] |trigger|, an optional [=attribution source=]
<dfn for="obtain debug data on trigger registration"><var>sourceToAttribute</var></dfn>,
and an optional [=attribution report=] <dfn for="obtain debug data on trigger registration"><var>report</var></dfn>:

1. If |trigger|'s [=attribution trigger/debug reporting enabled=] is false, return null.
1. If the result of running [=check if cookie-based debugging is allowed=] with |trigger|'s
    [=attribution trigger/reporting origin=] is <strong>blocked</strong>, return null.
1. Let |data| be a new [=attribution debug data=] with the items:
    : [=attribution debug data/data type=]
    :: |dataType|.
    : [=attribution debug data/body=]
    :: The result of running [=obtain debug data body on trigger registration=] with |dataType|, |trigger|, |sourceToAttribute| and |report|.
1. Return |data|.

<h3 algorithm id="triggering-event-level-attribution">Triggering event-level attribution</h3>

An [=event-level report=] |a| <dfn for="event-level report">is lower-priority than</dfn>
an [=event-level report=] |b| if any of the following are true:

* |a|'s [=event-level report/trigger priority=] is less than |b|'s [=event-level report/trigger priority=].
* |a|'s [=event-level report/trigger priority=] is equal to |b|'s [=event-level report/trigger priority=]
     and |a|'s [=event-level report/trigger time=] is greater than |b|'s [=event-level report/trigger time=].

An <dfn>event-level-report-replacement result</dfn> is one of the following:

<dl dfn-for="event-level-report-replacement result">
: "<dfn><code>add-new-report</code></dfn>"
:: The new report should be added.
: "<dfn><code>drop-new-report-none-to-replace</code></dfn>"
:: The new report should be dropped because the attributed source has reached
    its [=attribution source/max number of event-level reports|report limit=]
    and there is no pending report to consider for replacement.
: "<dfn><code>drop-new-report-low-priority</code></dfn>"
:: The new report should be dropped because the attributed source has reached
    its [=attribution source/max number of event-level reports|report limit=]
    and the new report [=event-level report/is lower-priority than=] all pending
    reports.

</dl>

To <dfn>maybe replace event-level report</dfn> given an [=attribution source=]
|sourceToAttribute| and an [=event-level report=] |report|:

1. [=Assert=]: |sourceToAttribute|'s [=attribution source/number of event-level reports=] is less than or equal to
    |sourceToAttribute|'s [=attribution source/max number of event-level reports=].
1. If |sourceToAttribute|'s [=attribution source/number of event-level reports=] is less than
    |sourceToAttribute|'s [=attribution source/max number of event-level reports=], return "<code>[=event-level-report-replacement result/add-new-report=]</code>".
1. Let |matchingReports| be a new [=list=] whose elements are all the elements in the [=event-level report cache=] whose [=event-level report/report time=] and [=event-level report/source identifier=] are equal to |report|'s, [=list/sorted in ascending order=] using [=event-level report/is lower-priority than=].
1. If |matchingReports| [=list/is empty=]:
    1. Set |sourceToAttribute|'s [=attribution source/event-level attributable=] value to false.
    1. Return "<code>[=event-level-report-replacement result/drop-new-report-none-to-replace=]</code>".
1. [=Assert=]: |sourceToAttribute|'s [=attribution source/number of event-level reports=]
    is greater than or equal to |matchingReports|'s [=list/size=].
1. Set |matchingReports| to the result of [=list/sort in ascending order|sorting=] |matchingReports|
    in ascending order using [=event-level report/is lower-priority than=].
1. Let |lowestPriorityReport| be |matchingReports|[0].
1. If |report| [=event-level report/is lower-priority than=] |lowestPriorityReport|,
    return "<code>[=event-level-report-replacement result/drop-new-report-low-priority=]</code>".
1. [=set/Remove=] |lowestPriorityReport| from the [=event-level report cache=].
1. Decrement |sourceToAttribute|'s [=attribution source/number of event-level reports=] value by 1.
1. Return "<code>[=event-level-report-replacement result/add-new-report=]</code>".

To <dfn>trigger event-level attribution</dfn> given an [=attribution trigger=] |trigger|, an
[=attribution source=] |sourceToAttribute|, and an
[=attribution rate-limit record=] |rateLimitRecord|, run the following steps:

1. If |trigger|'s [=attribution trigger/event-level trigger configurations=]
    [=list/is empty=], return the [=triggering result=]
    ("<code>[=triggering status/dropped=]</code>", null).
1. If |sourceToAttribute|'s [=attribution source/randomized response=] is not null and is not [=set/is empty|empty=]:
    1. [=Assert=]: |sourceToAttribute|'s [=attribution source/event-level attributable=] is false.
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
        with "<code>[=trigger debug data type/trigger-event-noise=]</code>", |trigger|, |sourceToAttribute| and
        [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. Let |windowResult| be the result of [=check whether a moment falls within a window=]
    with |trigger|'s [=attribution trigger/trigger time=] and
    |sourceToAttribute|'s [=attribution source/total event-level report window=].
1. If |windowResult| is <strong>falls before</strong>:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
        with "<code>[=trigger debug data type/trigger-event-report-window-not-started=]</code>",
        |trigger|, |sourceToAttribute| and [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. If |windowResult| is <strong>falls after</strong>:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
        with "<code>[=trigger debug data type/trigger-event-report-window-passed=]</code>",
        |trigger|, |sourceToAttribute| and [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. [=Assert=]: |windowResult| is <strong>falls within</strong>.
1. Let |matchedConfig| be null.
1. [=set/iterate|For each=] [=event-level trigger configuration=] |config| of |trigger|'s
    [=attribution trigger/event-level trigger configurations=]:
    1. If the result of running
        [=match an attribution source's filter data against filters and negated filters=] with |sourceToAttribute|,
        |config|'s [=event-level trigger configuration/filters=],
        |config|'s [=event-level trigger configuration/negated filters=], and
        |trigger|'s [=attribution trigger/trigger time=] is true:
        1. Set |matchedConfig| to |config|.
        1. [=iteration/Break=].
1. If |matchedConfig| is null:
    1. Let |debugData| be the result of running
        [=obtain debug data on trigger registration=] with "<code>[=trigger debug data type/trigger-event-no-matching-configurations=]</code>",
        |trigger|, |sourceToAttribute| and [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. If |matchedConfig|'s [=event-level trigger configuration/dedup key=] is not null and
    |sourceToAttribute|'s [=attribution source/dedup keys=] [=list/contains=] it:
     1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
         with "<code>[=trigger debug data type/trigger-event-deduplicated=]</code>", |trigger|, |sourceToAttribute| and
         [=obtain debug data on trigger registration/report=] set to null.
     1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. Let |numMatchingReports| be the number of entries in the [=event-level report cache=] whose
    [=event-level report/attribution destinations=] [=set/contains=] |trigger|'s [=attribution trigger/attribution destination=].
1. If |numMatchingReports| is greater than or equal to the user agent's [=max event-level reports per attribution destination=]:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
        with "<code>[=trigger debug data type/trigger-event-storage-limit=]</code>", |trigger|, |sourceToAttribute| and
        [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. If the result of running [=should attribution be blocked by rate limits=]
    with |trigger|, |sourceToAttribute|, and |rateLimitRecord| is not null,
    return it.
1. Let |report| be the result of running [=obtain an event-level report=] with |sourceToAttribute|, |trigger|,
    and |matchedConfig|.
1. If |sourceToAttribute|'s [=attribution source/event-level attributable=] value
    is false:
     1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
         with "<code>[=trigger debug data type/trigger-event-excessive-reports=]</code>", |trigger|, |sourceToAttribute| and |report|.
     1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. If the result of running [=maybe replace event-level report=] with |sourceToAttribute| and |report| is:
    <dl class="switch">
    : "<code>[=event-level-report-replacement result/add-new-report=]</code>"
    :: Do nothing.
    : "<code>[=event-level-report-replacement result/drop-new-report-none-to-replace=]</code>"
    ::
         1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
             with "<code>[=trigger debug data type/trigger-event-excessive-reports=]</code>", |trigger|, |sourceToAttribute| and |report|.
         1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
    : "<code>[=event-level-report-replacement result/drop-new-report-low-priority=]</code>"
    ::
         1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
             with "<code>[=trigger debug data type/trigger-event-low-priority=]</code>", |trigger|, |sourceToAttribute| and |report|.
         1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).

    </dl>
1. Let |triggeringStatus| be "<code>[=triggering status/attributed=]</code>".
1. Let |debugData| be null.
1. If |sourceToAttribute|'s [=attribution source/randomized response=] is:
    <dl class="switch">
    : null
    :: [=set/Append=] |report| to the [=event-level report cache=].
    : not null
    ::
        1. Set |triggeringStatus| to "<code>[=triggering status/noised=]</code>".
        1. Set |debugData| to the result of running [=obtain debug data on trigger registration=]
            with "<code>[=trigger debug data type/trigger-event-noise=]</code>", |trigger|, |sourceToAttribute| and
            [=obtain debug data on trigger registration/report=] set to null.

    </dl>
1. Increment |sourceToAttribute|'s [=attribution source/number of event-level reports=] value by 1.
1. If |matchedConfig|'s [=event-level trigger configuration/dedup key=] is not null,
    [=list/append=] it to |sourceToAttribute|'s [=attribution source/dedup keys=].
1. If |triggeringStatus| is "<code>[=triggering status/attributed=]</code>" and
    |report|'s [=event-level report/source debug key=] is not null and |report|'s
    [=event-level report/trigger debug key=] is not null, [=queue a task=] to
    [=attempt to deliver a debug report=] with |report|.
1. Return the [=triggering result=] (|triggeringStatus|, |debugData|).

<h3 algorithm id="triggering-aggregatable-attribution">Triggering aggregatable attribution</h3>

To <dfn>trigger aggregatable attribution</dfn> given an [=attribution trigger=] |trigger|, an
[=attribution source=] |sourceToAttribute|, and an
[=attribution rate-limit record=] |rateLimitRecord|, run the following steps:

1. If the result of running [=check if an attribution trigger contains aggregatable data=] is false,
    return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", null).
1. Let |windowResult| be the result of [=check whether a moment falls within a window=] with |trigger|'s
    [=attribution trigger/trigger time=] and |sourceToAttribute|'s [=attribution source/aggregatable report window=].
1. If |windowResult| is <strong>falls after</strong>:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
        with "<code>[=trigger debug data type/trigger-aggregate-report-window-passed=]</code>", |trigger|, |sourceToAttribute|
        and [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. [=Assert=]: |windowResult| is <strong>falls within</strong>.
1. Let |matchedDedupKey| be null.
1. [=list/iterate|For each=] [=aggregatable dedup key=] |aggregatableDedupKey| of |trigger|'s [=attribution trigger/aggregatable dedup keys=]:
    1. If the result of running [=match an attribution source's filter data against filters and negated filters=]
        with |sourceToAttribute|, |aggregatableDedupKey|'s [=aggregatable dedup key/filters=],
        |aggregatableDedupKey|'s [=aggregatable dedup key/negated filters=], and 
        |trigger|'s [=attribution trigger/trigger time=] is true:
        1. Set |matchedDedupKey| to |aggregatableDedupKey|'s [=aggregatable dedup key/dedup key=].
        1. [=iteration/Break=].
1. If |matchedDedupKey| is not null and |sourceToAttribute|'s [=attribution source/aggregatable dedup keys=]
    [=list/contains=] it:
     1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
         with "<code>[=trigger debug data type/trigger-aggregate-deduplicated=]</code>", |trigger|, |sourceToAttribute|
         and [=obtain debug data on trigger registration/report=] set to null.
     1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. Let |report| be the result of running [=obtain an aggregatable report=] with |sourceToAttribute| and |trigger|.
1. If |report|'s [=aggregatable report/contributions=] [=list/is empty=]:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=] with
        "<code>[=trigger debug data type/trigger-aggregate-no-contributions=]</code>", |trigger|, |sourceToAttribute| and
        [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. Let |numMatchingReports| be the number of entries in the [=aggregatable report cache=] whose
    [=aggregatable report/effective attribution destination=] equals |trigger|'s [=attribution trigger/attribution destination=]
     and [=aggregatable report/is null report=] is false.
1. If |numMatchingReports| is greater than or equal to the user agent's
    [=max aggregatable reports per attribution destination=]:
     1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
         with "<code>[=trigger debug data type/trigger-aggregate-storage-limit=]</code>", |trigger|, |sourceToAttribute| and
         [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. If the result of running [=should attribution be blocked by rate limits=]
    with |trigger|, |sourceToAttribute|, and |rateLimitRecord| is not null,
    return it.
1. If |sourceToAttribute|'s [=attribution source/number of aggregatable reports=] value is equal to [=max aggregatable reports per source=], then:
    1. Let |debugData| be the result of running [=obtain debug data on trigger registration=] with
        "<code>[=trigger debug data type/trigger-aggregate-excessive-reports=]</code>", |trigger|, |sourceToAttribute|, and |report|.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. If the result of running [=check if an attribution source can create aggregatable contributions=]
    with |report| and |sourceToAttribute| is false:
     1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
         with "<code>[=trigger debug data type/trigger-aggregate-insufficient-budget=]</code>", |trigger|, |sourceToAttribute| and
        [=obtain debug data on trigger registration/report=] set to null.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", |debugData|).
1. Add |report| to the [=aggregatable report cache=].
1. Increment |sourceToAttribute|'s [=attribution source/number of aggregatable reports=] value by 1.
1. Increment |sourceToAttribute|'s [=attribution source/aggregatable budget consumed=] value by
    |report|'s [=aggregatable report/required aggregatable budget=].
1. If |matchedDedupKey| is not null, [=list/append=] it to |sourceToAttribute|'s [=attribution source/aggregatable dedup keys=].
1. Run [=generate null reports and assign private state tokens=] with |trigger| and |report|.
1. If |report|'s [=aggregatable report/source debug key=] is not null and |report|'s
    [=aggregatable report/trigger debug key=] is not null, [=queue a task=] to
    [=attempt to deliver a debug report=] with |report|.
1. Return the [=triggering result=] ("<code>[=triggering status/attributed=]</code>", null).

<h3 algorithm id="triggering-attribution">Triggering attribution</h3>

To <dfn>obtain and deliver a debug report on trigger registration</dfn> given a [=trigger debug data type=] |dataType|,
an [=attribution trigger=] |trigger| and an optional [=attribution source=]
<dfn for="obtain and deliver a debug report on trigger registration"><var>sourceToAttribute</var></dfn>:

1. Let |debugData| be the result of running [=obtain debug data on trigger registration=]
    with |dataType|, |trigger|, |sourceToAttribute| and
    [=obtain debug data on trigger registration/report=] set to null.
1. If |debugData| is null, return.
1. Run [=obtain and deliver a debug report=] with « |debugData| » and |trigger|'s [=attribution trigger/reporting origin=].

To <dfn>find matching sources</dfn> given an [=attribution trigger=] |trigger|:

1. Let |matchingSources| be a new [=list/is empty|empty=] [=list=].
1. [=set/iterate|For each=] |source| of the [=attribution source cache=]:
    1. If |source|'s [=attribution source/attribution destinations=] does not [=set/contains|contain=] |trigger|'s [=attribution trigger/attribution destination=], [=iteration/continue=].
    1. If |source|'s [=attribution source/reporting origin=] and |trigger|'s [=attribution trigger/reporting origin=] are not [=same origin=], [=iteration/continue=].
    1. If |source|'s [=attribution source/expiry time=] is less than or equal to |trigger|'s [=attribution trigger/trigger time=], [=iteration/continue=].
    1. [=list/Append=] |source| to |matchingSources|.
1. Set |matchingSources| to the result of [=list/sort in descending order|sorting=] |matchingSources|
    in descending order, with |a| being less than |b| if any of the following are true:
      * |a|'s [=attribution source/priority=] is less than |b|'s [=attribution source/priority=].
      * |a|'s [=attribution source/priority=] is equal to |b|'s [=attribution source/priority=] and |a|'s
         [=attribution source/source time=] is less than |b|'s [=attribution source/source time=].
1. Return |matchingSources|.

To <dfn>check if an [=attribution trigger=] contains aggregatable data</dfn> given an [=attribution trigger=] |trigger|,
run the following steps:

1. If |trigger|'s [=attribution trigger/aggregatable trigger data=] is not [=list/is empty|empty=], return true.
1. If |trigger|'s [=attribution trigger/aggregatable values=] is not [=map/is empty|empty=], return true.
1. Return false.

To <dfn noexport>trigger attribution</dfn> given an [=attribution trigger=] |trigger|, run the following steps:

1. Let |hasAggregatableData| be the result of [=checking if an attribution trigger contains aggregatable data=]
    with |trigger|.
1. If |trigger|'s [=attribution trigger/event-level trigger configurations=]
    [=set/is empty=] and |hasAggregatableData| is false, return.
1. Let |matchingSources| be the result of running [=find matching sources=] with |trigger|.
1. If |matchingSources| [=list/is empty=]:
    1. Run [=obtain and deliver a debug report on trigger registration=]
        with "<code>[=trigger debug data type/trigger-no-matching-source=]</code>", |trigger| and [=obtain and deliver a debug report on trigger registration/sourceToAttribute=] set to null.
    1. If |hasAggregatableData| is true, then run [=generate null reports and assign private state tokens=]
        with |trigger| and [=generate null reports and assign private state tokens/report=] set to null.
    1. Return.
1. Let |sourceToAttribute| be |matchingSources|[0].
1. If the result of running
    [=match an attribution source's filter data against filters and negated filters=] with
    |sourceToAttribute|, |trigger|'s [=attribution trigger/filters=],
    |trigger|'s [=attribution trigger/negated filters=], and 
    |trigger|'s [=attribution trigger/trigger time=] is false:
    1. Run [=obtain and deliver a debug report on trigger registration=]
        with "<code>[=trigger debug data type/trigger-no-matching-filter-data=]</code>",
        |trigger|, and |sourceToAttribute|.
    1. If |hasAggregatableData| is true, then run [=generate null reports and assign private state tokens=]
        with |trigger| and [=generate null reports and assign private state tokens/report=] set to null.
    1. Return.
1. [=list/Remove=] |sourceToAttribute| from |matchingSources|.
1. [=list/iterate|For each=] |item| of |matchingSources|:
    1. [=set/Remove=] |item| from the [=attribution source cache=].
1. Let |rateLimitRecord| be a new [=attribution rate-limit record=] with the items:
    : [=attribution rate-limit record/scope=]
    :: "<code>[=rate-limit scope/attribution=]</code>"
    : [=attribution rate-limit record/source site=]
    :: |sourceToAttribute|'s [=attribution source/source site=]
    : [=attribution rate-limit record/attribution destination=]
    :: |trigger|'s [=attribution trigger/attribution destination=]
    : [=attribution rate-limit record/reporting origin=]
    :: |sourceToAttribute|'s [=attribution source/reporting origin=]
    : [=attribution rate-limit record/time=]
    :: |sourceToAttribute|'s [=attribution source/source time=]
    : [=attribution rate-limit record/expiry time=]
    :: null
1. Let |eventLevelResult| be the result of running [=trigger event-level attribution=]
    with |trigger|, |sourceToAttribute|, and |rateLimitRecord|.
1. Let |aggregatableResult| be the result of running [=trigger aggregatable attribution=]
    with |trigger|, |sourceToAttribute|, and |rateLimitRecord|.
1. Let |eventLevelDebugData| be |eventLevelResult|'s [=triggering result/debug data=].
1. Let |aggregatableDebugData| be |aggregatableResult|'s [=triggering result/debug data=].
1. Let |debugDataList| be an [=list/is empty|empty=] [=list=].
1. If |eventLevelDebugData| is not null, then [=list/append=] |eventLevelDebugData| to |debugDataList|.
1. If |aggregatableDebugData| is not null:
    1. If |debugDataList| [=list/is empty=] or |aggregatableDebugData|'s [=attribution debug data/data type=]
        does not equal |eventLevelDebugData|'s [=attribution debug data/data type=],
        then [=list/append=] |aggregatableDebugData| to |debugDataList|.
1. If |debugDataList| is not [=list/is empty|empty=], then run [=obtain and deliver a debug report=]
    with |debugDataList| and |trigger|'s [=attribution trigger/reporting origin=].
1. If |hasAggregatableData| and |aggregatableResult|'s [=triggering result/status=] is "<code>[=triggering status/dropped=]</code>",
    run [=generate null reports and assign private state tokens=] with |trigger| and
    [=generate null reports and assign private state tokens/report=] set to null.
1. If both |eventLevelResult|'s [=triggering result/status=] and |aggregatableResult|'s
    [=triggering result/status=] are "<code>[=triggering status/dropped=]</code>", return.
1. If neither |eventLevelResult|'s [=triggering result/status=] nor |aggregatableResult|'s
    [=triggering result/status=] is "<code>[=triggering status/attributed=]</code>", return.
1. [=set/Append=] |rateLimitRecord| to the [=attribution rate-limit cache=].
1. [=list/Remove=] all [=attribution rate-limit records=] |entry| from the [=attribution rate-limit cache=] if the result of running
    [=can attribution rate-limit record be removed=] with |entry| and |trigger|'s [=attribution trigger/trigger time=] is true.

<h3 algorithm id="delivery-time">Establishing report delivery time</h3>

To <dfn>check whether a moment falls within a window</dfn> given a [=moment=] |moment| and
a [=report window=] |window|:

1. If |moment| is less than |window|'s [=report window/start=], return
    <strong>falls before</strong>.
1. If |moment| is greater than or equal to |window|'s [=report window/end=],
    return <strong>falls after</strong>.
1. Return <strong>falls within</strong>.

To <dfn>obtain a report time from a window</dfn> given a [=moment=] |sourceTime| and
a [=report window=] |window|:

1. Return |sourceTime| + |window|'s [=report window/end=].

To <dfn>obtain the report time at a window</dfn> given an
[=attribution source=] |source| and a non-negative integer |window|:

1. [=Assert=]: |source|'s [=attribution source/event-level report windows=][|window|] [=list/exists=].
1. Let |win| be |source|'s [=attribution source/event-level report windows=][|window|].
1. Return the result of running [=obtain a report time from a window=] with
    |source|'s [=attribution source/source time=] and |win|.

To <dfn>obtain an event-level report delivery time</dfn> given an [=attribution source=]
|source| and a [=moment=] |triggerTime|:

1. If [=automation local testing mode=] is true, return |triggerTime|.
1. Let |windows| be |source|'s [=attribution source/event-level report windows=].
1. [=list/iterate|For each=] |window| of |windows|:
    1. If the result of [=check whether a moment falls within a window=] with
        |triggerTime| and |window| is <strong>falls within</strong>, return the result
        of running [=obtain a report time from a window=] with |source|'s
        [=attribution source/source time=] and |window|.
1. [=Assert=]: not reached.

To <dfn>obtain an aggregatable report delivery time</dfn> given a [=moment=]
|triggerTime|, perform the following steps. They return a [=moment=].

1. Let |r| be a random double between 0 (inclusive) and 1 (exclusive) with uniform probability.
1. Return |triggerTime| + |r| * [=randomized aggregatable report delay=].

<h3 algorithm id="obtaining-an-event-level-report">Obtaining an event-level report</h3>

To <dfn>obtain an event-level report</dfn> given an [=attribution source=] |source|, an [=attribution trigger=]
|trigger|, and an [=event-level trigger configuration=] |config|:

1. Let |triggerDataCardinality| be the user agent's [=default trigger data cardinality=][|source|'s [=attribution source/source type=]].
1. Let |reportTime| be the result of running [=obtain an event-level report delivery time=] with |source| and |trigger|'s [=attribution trigger/trigger time=].
1. Let |report| be a new [=event-level report=] struct whose items are:

    : [=event-level report/event ID=]
    :: |source|'s [=attribution source/event ID=].
    : [=event-level report/trigger data=]
    :: The remainder when dividing |config|'s [=event-level trigger configuration/trigger data=] by
        |triggerDataCardinality|.
    : [=event-level report/randomized trigger rate=]
    :: |source|'s [=attribution source/randomized trigger rate=].
    : [=event-level report/reporting origin=]
    :: |source|'s [=attribution source/reporting origin=].
    : [=event-level report/attribution destinations=]
    :: |source|'s [=attribution source/attribution destinations=].
    : [=event-level report/report time=]
    :: |reportTime|
    : [=event-level report/original report time=]
    :: |reportTime|
    : [=event-level report/trigger priority=]
    :: |config|'s [=event-level trigger configuration/priority=].
    : [=event-level report/trigger time=]
    :: |trigger|'s [=attribution trigger/trigger time=].
    : [=event-level report/source identifier=]
    :: |source|'s [=attribution source/source identifier=].
    : [=event-level report/report id=]
    :: The result of [=generating a random UUID=].
    : [=event-level report/source debug key=]
    :: |source|'s [=attribution source/debug key=].
    : [=event-level report/trigger debug key=]
    :: |trigger|'s [=attribution trigger/debug key=].
1. Return |report|.

<h3 id="obtaining-required-aggregatable-budget">Obtaining an aggregatable report's required budget</h3>

An [=aggregatable report=] |report|'s <dfn for="aggregatable report">
required aggregatable budget</dfn> is the total [=aggregatable contribution/value=] of |report|'s
[=aggregatable report/contributions=].

<h3 algorithm id="obtaining-an-aggregatable-report">Obtaining an aggregatable report</h3>

To <dfn>obtain an aggregatable report</dfn> given an [=attribution source=] |source| and
an [=attribution trigger=] |trigger|:

1. Let |reportTime| be the result of running [=obtain an aggregatable report delivery time=] with |trigger|'s [=attribution trigger/trigger time=].
1. Let |report| be a new [=aggregatable report=] struct whose items are:

    : [=aggregatable report/reporting origin=]
    :: |source|'s [=attribution source/reporting origin=].
    : [=aggregatable report/effective attribution destination=]
    :: |trigger|'s [=attribution trigger/attribution destination=].
    : [=aggregatable report/source time=]
    :: |source|'s [=attribution source/source time=].
    : [=aggregatable report/original report time=]
    :: |reportTime|.
    : [=aggregatable report/report time=]
    :: |reportTime|.
    : [=aggregatable report/report id=]
    :: The result of [=generating a random UUID=].
    : [=aggregatable report/source debug key=]
    :: |source|'s [=attribution source/debug key=].
    : [=aggregatable report/trigger debug key=]
    :: |trigger|'s [=attribution trigger/debug key=].
    : [=aggregatable report/contributions=]
    :: The result of running [=create aggregatable contributions=] with |source| and |trigger|.
    : [=aggregatable report/serialized private state token=]
    :: null.
    : [=aggregatable report/aggregation coordinator=]
    :: |trigger|'s [=attribution trigger/aggregation coordinator=].
    : [=aggregatable report/source registration time configuration=]
    :: |trigger|'s [=attribution trigger/aggregatable source registration time configuration=].
1. Return |report|.

<h3 id="generating-randomized-null-reports">Generating randomized null reports</h3>

To <dfn>obtain a null report</dfn> given an [=attribution trigger=] |trigger| and a [=moment=] |sourceTime|:

1. Let |reportTime| be the result of running [=obtain an aggregatable report delivery time=] with |trigger|'s
    [=attribution trigger/trigger time=].
1. Let |contribution| be a new [=aggregatable contribution=] with the items:

    : [=aggregatable contribution/key=]
    :: 0
    : [=aggregatable contribution/value=]
    :: 0
1. Let |report| be a new [=aggregatable report=] struct whose items are:

    : [=aggregatable report/reporting origin=]
    :: |trigger|'s [=attribution trigger/reporting origin=]
    : [=aggregatable report/effective attribution destination=]
    :: |trigger|'s [=attribution trigger/attribution destination=]
    : [=aggregatable report/source time=]
    :: |sourceTime|
    : [=aggregatable report/original report time=]
    :: |reportTime|
    : [=aggregatable report/report time=]
    :: |reportTime|
    : [=aggregatable report/report id=]
    :: The result of [=generating a random UUID=]
    : [=aggregatable report/source debug key=]
    :: null
    : [=aggregatable report/trigger debug key=]
    :: |trigger|'s [=attribution trigger/debug key=]
    : [=aggregatable report/contributions=]
    :: « |contribution| »
    : [=aggregatable report/serialized private state token=]
    :: null
    : [=aggregatable report/aggregation coordinator=]
    :: |trigger|'s [=attribution trigger/aggregation coordinator=]
    : [=aggregatable report/source registration time configuration=]
    :: |trigger|'s [=attribution trigger/aggregatable source registration time configuration=]
    : [=aggregatable report/is null report=]
    :: true
1. Return |report|.

To <dfn>obtain rounded source time</dfn> given a [=moment=] |sourceTime|, return |sourceTime| in seconds
since the UNIX epoch, rounded down to a multiple of a whole day (86400 seconds).

To <dfn>determine if a randomized null report is generated</dfn> given a double |randomPickRate|:

1. [=Assert=]: |randomPickRate| is between 0 and 1 (both inclusive).
1. Let |r| be a random double beween 0 (inclusive) and 1 (exclusive) with uniform probability.
1. If |r| is less than |randomPickRate|, return true.
1. Otherwise, return false.

To <dfn>generate null reports</dfn> given an [=attribution trigger=] |trigger| and an optional [=aggregatable report=] |report| defaulting to null:

1. Let |nullReports| be a new [=list/is empty|empty=] [=list=].
1. If |trigger|'s [=attribution trigger/aggregatable source registration time configuration=] is "<code>[=aggregatable source registration time configuration/exclude=]</code>":
    1. If |report| is null and the result of [=determining if a randomized null report is generated=] with
        [=randomized null report rate excluding source registration time=] is true:
        1. Let |nullReport| be the result of [=obtaining a null report=] with |trigger| and |trigger|'s
            [=attribution trigger/trigger time=].
        1. [=set/Append=] |nullReport| to the [=aggregatable report cache=].
        1. [=list/Append=] |nullReport| to |nullReports|.
1. Otherwise:
    1. Let |maxSourceExpiry| be [=valid source expiry range=][1].
    1. Round |maxSourceExpiry| away from zero to the nearest day (86400 seconds).
    1. Let |roundedAttributedSourceTime| be null.
    1. If |report| is not null, set |roundedAttributedSourceTime| to the result of [=obtaining rounded source time=] with |report|'s
        [=aggregatable report/source time=].
    1. For each integer |day| between 0 (inclusive) and the number of days in |maxSourceExpiry| (inclusive):
        1. Let |fakeSourceTime| be |trigger|'s [=attribution trigger/trigger time=] - |day| days.
        1. If |roundedAttributedSourceTime| is not null and equals the result of [=obtaining rounded source time=] with |fakeSourceTime|:
            1. [=iteration/Continue=].
        1. If the result of [=determining if a randomized null report is generated=] with [=randomized null report rate including source registration time=] is true:
            1. Let |nullReport| be the result of [=obtaining a null report=] with |trigger| and |fakeSourceTime|.
            1. [=set/Append=] |nullReport| to the [=aggregatable report cache=].
            1. [=list/Append=] |nullReport| to |nullReports|.
1. Return |nullReports|.

To <dfn>shuffle a [=list=]</dfn> |list|, reorder |list|'s elements such that each possible permutation has equal
probability of appearance.

To <dfn>assign private state tokens</dfn> given a [=list=] of [=aggregatable reports=] |reports| and
an [=attribution trigger=] |trigger|:

1. If |reports| [=list/is empty=], return.
1. Let |verifications| be |trigger|'s [=attribution trigger/verifications=].
1. If |verifications| [=list/is empty=], return.
1. [=shuffle a list|Shuffle=] |reports|.
1. [=shuffle a list|Shuffle=] |verifications|.
1. Let |n| be the minimum of |reports|'s [=list/size=] and |verifications|'s [=list/size=].
1. For each integer |i| between 0 (inclusive) and |n| (exclusive):
    1. Set |reports|[i]'s [=aggregatable report/report ID=] to |verifications|[i]'s [=trigger verification/id=].
    1. Set |reports|[i]'s [=aggregatable report/serialized private state token=] to |verifications|[i]'s [=trigger verification/token=].


To <dfn>generate null reports and assign private state tokens</dfn> given an [=attribution trigger=] |trigger|
and an optional [=aggregatable report=] <dfn for="generate null reports and assign private state tokens"><var>report</var></dfn> defaulting to null:

1. Let |reports| be the result of [=generating null reports=] with |trigger| and |report|.
1. If |report| is not null:
    1. [=list/Append=] |report| to |reports|.
1. Run [=assign private state tokens=] with |reports| and |trigger|.

<h3 id="deferring-trigger-attribution">Deferring trigger attribution</h3>

To <dfn>maybe defer and then complete trigger attribution</dfn> given an [=attribution trigger=] |trigger|,
run the following steps [=in parallel=]:

1. Let |navigation| be the navigation that landed on the [=document=] from which |trigger|'s registration was initiated.
1. If |navigation| is null, return.
1. Let |sources| be all source registrations originating from background attributionsrc requests initiated by |navigation|.
1. If |sources| is empty, return.
1. Wait until all |sources| are [=process an attribution source|processed=].
1. [=Trigger attribution=] with |trigger|.

Issue: Specify this in terms of <a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigating-across-documents">Navigation</a>

# Report delivery # {#report-delivery}

The user agent MUST periodically [=set/iterate=] over its [=event-level report cache=] and
[=aggregatable report cache=] and run [=queue a report for delivery=] on each item.

To <dfn>queue a report for delivery</dfn> given an [=attribution report=] |report|, run the following steps [=in parallel=]:

1. If |report|'s [=attribution report/delivered=] value is true, return.
1. Set |report|'s [=attribution report/delivered=] value to true.
1. If |report|'s [=attribution report/report time=] is less than [=current wall time=], add an [=implementation-defined=] random non-negative [=duration=] to |report|'s [=attribution report/report time=].

    Note: On startup, it is possible the user agent will need to send many reports whose report times passed while the browser was
     closed. Adding random delay prevents temporal joining of reports from different [=attribution source/source origin=]s.
1. Wait until [=current wall time=] is equal to |report|'s [=attribution report/report time=].
1. Optionally, wait a further [=implementation-defined=] [=duration=].

    Note: This is intended to allow user agents to optimize device resource usage.
1. Run [=attempt to deliver a report=] with |report|.

<h3 id="encode-integer">Encode an unsigned k-bit integer</h3>

To <dfn>encode an unsigned k-bit integer</dfn>, represent it as a big-endian [=byte sequence=]
of length k / 8, left padding with zero as necessary.

<h3 id="obtain-aggregatable-report-debug-mode">Obtaining an aggregatable report's debug mode</h3>

An [=aggregatable report=] |report|'s <dfn for="aggregatable report">debug mode</dfn> is the result
of running the following steps:

1. If |report|'s [=aggregatable report/source debug key=] is null, return <strong>disabled</strong>.
1. If |report|'s [=aggregatable report/trigger debug key=] is null, return <strong>disabled</strong>.
1. Return <strong>enabled</strong>.

<h3 id="obtain-aggregatable-report-shared-info">Obtaining an aggregatable report's shared info</h3>

An [=aggregatable report=] |report|'s <dfn for="aggregatable report">shared info</dfn> is the result
of running the following steps:

1. Let |reportingOrigin| be |report|'s [=aggregatable report/reporting origin=].
1. Let |sharedInfo| be an [=ordered map=] of the following key/value pairs:

    : "`api`"
    :: "`attribution-reporting`"
    : "`attribution_destination`"
    :: |report|'s [=aggregatable report/effective attribution destination=], <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>
    : "`report_id`"
    :: |report|'s [=aggregatable report/report ID=]
    : "`reporting_origin`"
    :: |reportingOrigin|, [=serialization of an origin|serialized=]
    : "`scheduled_report_time`"
    :: |report|'s [=aggregatable report/original report time=] in seconds since the UNIX epoch, [=serialize an integer|serialized=]
    : "`version`"
    :: A [=string=], API version.

1. If |report|'s [=aggregatable report/debug mode=] is <strong>enabled</strong>,
    [=map/set=] |sharedInfo|["`debug_mode`"] to "`enabled`".
1. If |report|'s [=aggregatable report/source registration time configuration=] is:
    <dl class="switch">
    : "<code>[=aggregatable source registration time configuration/include=]</code>"</dt>
    :: [=map/Set=] |sharedInfo|["`source_registration_time`"] to the result of [=obtaining rounded source time=]
        with |report|'s [=aggregatable report/source time=], [=serialize an integer|serialized=].
    : "<code>[=aggregatable source registration time configuration/exclude=]</code>"
    :: [=map/Set=] |sharedInfo|["`source_registration_time`"] to "`0`".

    </dl>

1. Return the [=string=] resulting from executing [=serialize an infra value to a json string=] on |sharedInfo|.

<h3 id="obtain-aggregatable-report-aggregation-service-payloads">Obtaining an aggregatable report's aggregation service payloads</h3>

To <dfn>obtain the public key for encryption</dfn> given an [=aggregation coordinator=] |aggregationCoordinator|:

1. Let |url| be a new [=URL record=].
1. Set |url|'s [=url/scheme=] to |aggregationCoordinator|'s [=origin/scheme=].
1. Set |url|'s [=url/host=] to |aggregationCoordinator|'s [=origin/host=].
1. Set |url|'s [=url/port=] to |aggregationCoordinator|'s [=origin/port=].
1. Set |url|'s [=url/path=]  to «"`.well-known`", "`aggregation-service`", "`public-keys`"».
1. Return a user-agent-determined public key from |url| or an error in the event that the user
    agent failed to obtain the public key from |url|. This step may be asynchronous.

Issue: Specify this in terms of [=fetch=].

Note: The user agent might enforce weekly key rotation. If there are multiple keys, the user agent
might independently pick a key uniformly at random for every encryption operation.
The key should be uniquely identifiable.

An [=aggregatable report=] |report|'s <dfn for="aggregatable report">plaintext payload</dfn>
is the result of running the following steps:

1. Let |payloadData| be a new [=list/is empty|empty=] [=list=].
1. [=list/iterate|For each=] |contribution| of |report|'s [=aggregatable report/contributions=]:
    1. Let |contributionData| be a [=map=] of the following key/value pairs:

        : "`bucket`"
        :: |contribution|'s [=aggregatable contribution/key=], [=encode an unsigned k-bit integer|encoded=]
        : "`value`"
        :: |contribution|'s [=aggregatable contribution/value=], [=encode an unsigned k-bit integer|encoded=]

    1. [=list/Append=] |contributionData| to |payloadData|.
1. Let |payload| be a [=map=] of the following key/value pairs:

    : "`data`"
    :: |payloadData|
    : "`operation`"
    :: "`histogram`"

1. Return the [=byte sequence=] resulting from [[!RFC8949|CBOR encoding]] |payload|.

To <dfn>obtain the encrypted payload</dfn> given an [=aggregatable report=] |report| and
a public key |pkR|, run the following steps:

1. Let |plaintext| be |report|'s [=aggregatable report/plaintext payload=].
1. Let |encodedSharedInfo| be |report|'s [=aggregatable report/shared info=], [=utf-8 encode|encoded=].
1. Let |info| be the [=string/concatenate|concatenation=] of «"`aggregation_service`", |encodedSharedInfo|».
1. Set up [[RFC9180|HPKE]] [[RFC9180#name-encryption-to-a-public-key|sender's context]]
    with |pkR| and |info|.
1. Return the [=byte sequence=] or an error resulting from [[RFC9180#name-encryption-and-decryption|encrypting]]
    |plaintext| with the [[RFC9180#name-encryption-to-a-public-key|sender's context]].

To <dfn>obtain the aggregation service payloads</dfn> given an [=aggregatable report=] |report|,
run the following steps:

1. Let |pkR| be the result of running [=obtain the public key for encryption=]
    with |report|'s [=aggregatable report/aggregation coordinator=].
1. If |pkR| is an error, return |pkR|.
1. Let |encryptedPayload| be the result of running [=obtain the encrypted payload=] with |report| and |pkR|.
1. If |encryptedPayload| is an error, return |encryptedPayload|.
1. Let |aggregationServicePayloads| be a new [=list/is empty|empty=] [=list=].
1. Let |aggregationServicePayload| be a [=map=] of the following key/value pairs:

    : "`payload`"
    :: |encryptedPayload|, [=forgiving-base64 encode|base64 encoded=]
    : "`key_id`"
    :: A [=string=] identifying |pkR|

1. If |report|'s [=aggregatable report/debug mode=] is <strong>enabled</strong>,
    [=map/set=] |aggregationServicePayload|["`debug_cleartext_payload`"] to |report|'s
    [=aggregatable report/plaintext payload=], [=forgiving-base64 encode|base64 encoded=].
1. [=list/Append=] |aggregationServicePayload| to |aggregationServicePayloads|.
1. Return |aggregationServicePayloads|.

<h3 id="serialize-report-body">Serialize attribution report body</h3>

To <dfn>obtain an event-level report body</dfn> given an [=attribution report=] |report|, run the following steps:

1. Let |data| be a [=map=] of the following key/value pairs:

    : "`attribution_destination`"
    :: |report|'s [=event-level report/attribution destinations=], [=serialize attribution destinations|serialized=].
    : "`randomized_trigger_rate`"
    :: |report|'s [=event-level report/randomized trigger rate=]
    : "`source_type`"
    :: |report|'s [=event-level report/source type=]
    : "`source_event_id`"
    :: |report|'s [=event-level report/event ID=], [=serialize an integer|serialized=]
    : "`trigger_data`"
    :: |report|'s [=event-level report/trigger data=], [=serialize an integer|serialized=]
    : "`report_id`"
    :: |report|'s [=event-level report/report ID=]
    : "`scheduled_report_time`"
    :: |report|'s [=event-level report/original report time=] in seconds since the UNIX epoch, [=serialize an integer|serialized=]

1. If |report|'s [=event-level report/source debug key=] is not null, [=map/set=]
    |data|["`source_debug_key`"] to |report|'s [=event-level report/source debug key=],
    [=serialize an integer|serialized=].
1. If |report|'s [=event-level report/trigger debug key=] is not null, [=map/set=]
    |data|["`trigger_debug_key`"] to |report|'s [=event-level report/trigger debug key=],
    [=serialize an integer|serialized=].
1. Return |data|.

To <dfn>serialize an [=event-level report=]</dfn> |report|, run the following steps:

1. Let |data| be the result of running [=obtain an event-level report body=] with |report|.
1. Return the [=byte sequence=] resulting from executing [=serialize an infra value to JSON bytes=] on |data|.

To <dfn>serialize an [=aggregatable report=] </dfn> |report|, run the following steps:

1. [=Assert=]: |report|'s [=aggregatable report/effective attribution destination=] is not the [=opaque origin=].
1. Let |aggregationServicePayloads| be the result of running [=obtain the aggregation service payloads=].
1. If |aggregationServicePayloads| is an error, return |aggregationServicePayloads|.
1. Let |data| be a [=map=] of the following key/value pairs:

    : "`shared_info`"
    :: |report|'s [=aggregatable report/shared info=]
    : "`aggregation_service_payloads`"
    :: |aggregationServicePayloads|
    : "`aggregation_coordinator_origin`"
    :: |report|'s [=aggregatable report/aggregation coordinator=], [=serialization of an origin|serialized=]

1. If |report|'s [=aggregatable report/source debug key=] is not null, [=map/set=]
    |data|["`source_debug_key`"] to |report|'s [=aggregatable report/source debug key=],
    [=serialize an integer|serialized=].
1. If |report|'s [=aggregatable report/trigger debug key=] is not null, [=map/set=]
    |data|["`trigger_debug_key`"] to |report|'s [=aggregatable report/trigger debug key=],
    [=serialize an integer|serialized=].
1. Return the [=byte sequence=] resulting from executing [=serialize an infra value to JSON bytes=] on |data|.

To <dfn>serialize an [=attribution report=]</dfn> |report|, run the following steps:

1. If |report| is an:
    <dl class="switch">
    <dt>[=event-level report=]</dt>
    <dd>Return the result of running [=serialize an event-level report=] with |report|.</dd>

    <dt>[=aggregatable report=]</dt>
    <dd>Return the result of running [=serialize an aggregatable report=] with |report|.</dd>
    </dl>

Note: The inclusion of "`report_id`" in the report body is intended to allow the report recipient
to perform deduplication and prevent double counting, in the event that the user agent retries
reports on failure. To prevent the report recipient from learning additional information about
whether a user is online, retries might be limited in number and subject to random delays.

<h3 id="serialize-debug-report-body">Serialize attribution debug report body</h3>

To <dfn>serialize an [=attribution debug report=]</dfn> |report|, run the following steps:

1. Let |collection| be an [=list/is empty|empty=] [=list=].
1. [=list/iterate|For each=] |debugData| of |report|'s [=attribution debug report/data=]:
    1. Let |data| be a [=map=] of the following key/value pairs:
        : "`type`"
        :: |debugData|'s [=attribution debug data/data type=]
        : "`body`"
        :: |debugData|'s [=attribution debug data/body=]
    1. [=list/Append=] |data| to |collection|.
1. Return the [=byte sequence=] resulting from executing [=serialize an Infra value to JSON bytes=] on |collection|.

<h3 id="get-report-url">Get report request URL</h3>

To <dfn>generate a report URL</dfn> given a [=suitable origin=] |reportingOrigin| and a [=list=] of [=strings=] |path|:

1. Let |reportUrl| be a new [=URL=] record.
1. Set |reportUrl|'s [=url/scheme=] to |reportingOrigin|'s [=origin/scheme=].
1. Set |reportUrl|'s [=url/host=] to |reportingOrigin|'s [=origin/host=].
1. Set |reportUrl|'s [=url/port=] to |reportingOrigin|'s [=origin/port=].
1. Let |fullPath| be «"`.well-known`", "`attribution-reporting`"».
1. [=list/Append=] |path| to |fullPath|.
1. Set |reportUrl|'s [=url/path=] to |fullPath|.
1. Return |reportUrl|.

To <dfn>generate an attribution report URL</dfn> given an [=attribution report=] |report| and an optional
[=boolean=] <dfn for="generate an attribution report URL"><var>isDebugReport</var></dfn> (default false):

1. Let |path| be an [=list/is empty|empty=] [=list=].
1. If |isDebugReport| is true, [=list/append=] "`debug`" to |path|.
1. If |report| is an:
    <dl class="switch">
    <dt>[=event-level report=]</dt>
    <dd>[=list/Append=] "`report-event-attribution`" to |path|.</dd>

    <dt>[=aggregatable report=]</dt>
    <dd>[=list/Append=] "`report-aggregate-attribution`" to |path|.</dd>
    </dl>
1. Return the result of running [=generate a report URL=] with |report|'s
    [=attribution report/reporting origin=] and |path|.

To <dfn>generate an attribution debug report URL</dfn> given an [=attribution debug report=] |report|:

1. Let |path| be «"`debug`", "`verbose`"».
1. Return the result of running [=generate a report URL=] with |report|'s
    [=attribution debug report/reporting origin=] and |path|.

<h3 id="create-report-request">Creating a report request</h3>

To <dfn>create a report request</dfn> given a [=URL=] |url|, a [=byte sequence=] |body|,
and a [=header list=] |newHeaders| (defaults to an empty [=list=]):

1. Let |headers| be a new [=header list=] containing a [=header=] named
    "`Content-Type`" whose value is "`application/json`".
1. [=list/iterate|For each=] |header| in |newHeaders|:
    1. [=header list/Append=] |header| to |headers|.
1. Let |request| be a new [=request=] with the following properties:
    :   [=request/method=]
    ::  "`POST`"
    :   [=request/URL=]
    ::  |url|
    :   [=request/header list=]
    ::  |headers|
    :   [=request/body=]
    ::  A [=/body=] whose [=body/source=] is |body|.
    :   [=request/referrer=]
    :: "`no-referrer`"
    :   [=request/client=]
    ::  `null`
    :   [=request/origin=]
    ::  |url|'s [=url/origin=]
    :   [=request/window=]
    ::  "`no-window`"
    :   [=request/service-workers mode=]
    ::  "`none`"
    :   [=request/initiator=]
    ::  ""
    :   [=request/mode=]
    ::  "`same-origin`"
    :   [=request/unsafe-request flag=]
    ::  set
    :   [=request/credentials mode=]
    ::  "`omit`"
    :   [=request/cache mode=]
    ::  "`no-store`"
1. Return |request|.

<h3 id="get-report-headers">Get report request headers</h3>

To <dfn>generate attribution report headers</dfn> given an [=attribution report=] |report|:

1. Let |newHeaders| be a new [=header list=].
1. If |report| is an [=aggregatable report=]:
    1. If |report|'s [=aggregatable report/serialized private state token=] is not null,
        [=header list/append=] a new [=header=] named "`Sec-Attribution-Reporting-Private-State-Token`" to |newHeaders|
        whose value is |report|'s [=aggregatable report/serialized private state token=].
1. Return |newHeaders|.

<h3 id="issue-report-request">Issuing a report request</h3>

This algorithm constructs a [=request=] and attempts to deliver it to a [=suitable origin=].

To <dfn>remove a report from the cache</dfn> given an [=attribution report=] |report|:

1. If |report| is an:
    <dl class="switch">
    <dt>[=event-level report=]</dt>
    <dd>[=Queue a task=] to [=list/remove=] |report| from the [=event-level report cache=].</dd>

    <dt>[=aggregatable report=]</dt>
    <dd>[=Queue a task=] to [=list/remove=] |report| from the [=aggregatable report cache=].</dd>
    </dl>

To <dfn>attempt to deliver a report</dfn> given an [=attribution report=] |report|, run the following steps:

1. The user-agent MAY ignore the report; if so, return.
1. Let |url| be the result of executing [=generate an attribution report URL=] on |report|.
1. Let |data| be the result of executing [=serialize an attribution report=] on |report|.
1. If |data| is an error, run [=remove a report from the cache=] with |report| and return.
1. Let |headers| be the result of executing [=generate attribution report headers=].
1. Let |request| be the result of executing [=create a report request=] on |url|, |data|, and |headers|.
1. [=Queue a task=] to [=fetch=] |request| with [=fetch/processResponse=] being [=remove a report from the cache=] with |report|.

Issue(220): This fetch should use a network partition key for an opaque origin.

A user agent MAY retry this algorithm in the event that there was an error.

<h3 id="issue-debug-report-request">Issuing a debug report request</h3>

To <dfn>attempt to deliver a debug report</dfn> given an [=attribution report=] |report|:

1. The user-agent MAY ignore the report; if so, return. 
1. Let |url| be the result of executing [=generate an attribution report URL=] on |report| with
    [=generate an attribution report URL/isDebugReport=] set to true.
1. Let |data| be the result of executing [=serialize an attribution report=] on |report|.
1. If |data| is an error, return.
1. Let |headers| be the result of executing [=generate attribution report headers=].
1. Let |request| be the result of executing [=create a report request=] on |url|, |data|, and |headers|.
1. [=Fetch=] |request|.

<h3 id="issue-verbose-debug-report-request">Issuing a verbose debug request</h3>

To <dfn>attempt to deliver a verbose debug report</dfn> given an [=attribution debug report=] |report|:

1. The user-agent MAY ignore the report; if so, return.
1. Let |url| be the result of executing [=generate an attribution debug report URL=] on |report|.
1. Let |data| be the result of executing [=serialize an attribution debug report=] on |report|.
1. Let |request| be the result of executing [=create a report request=] on |url| and |data|.
1. [=Fetch=] |request|.

Issue(220): This fetch should use a network partition key for an opaque origin.

A user agent MAY retry this algorithm in the event that there was an error.

# Cross App and Web Algorithms # {#cross-app-and-web}

An <dfn>OS registration</dfn> is a [=struct=] with the following items:

<dl dfn-for="OS registration">
: <dfn>URL</dfn>
:: A [=URL=]
: <dfn>debug reporting enabled</dfn>
:: A [=boolean=]

</dl>

To <dfn noexport>get [=OS registrations=] from a header list</dfn> given a
[=header list=] |headers| and a [=header name=] |name|:

1. Let |values| be the result of
    [=header list/get a structured field value|getting=] |name| from |headers|
    with a type of "`list`".
1. If |values| is not a [=list=], return null.
1. Let |registrations| be a new [=list=].
1. [=list/iterate|For each=] |value| of |values|:
     1. If |value| is not a [=string=], [=iteration/continue=].
     1. Let |url| be the result of running the [=URL parser=] on |value|.
     1. If |url| is failure or null, [=iteration/continue=].
     1. Let |debugReporting| be false.
     1. Let |params| be the <a href="https://httpwg.org/specs/rfc8941.html#param">parameters</a>
         associated with |value|.
     1. If |params|["`debug-reporting`"] [=map/exists=] and |params|["`debug-reporting`"] is a [=boolean=],
         set |debugReporting| to |params|["`debug-reporting`"].
     1. Let |registration| be a new [=OS registration=] struct whose items are:
         : [=OS registration/URL=]
         :: |url|
         : [=OS registration/debug reporting enabled=]
         :: |debugReporting|
     1. [=list/Append=] |registration| to |registrations|.
1. Return |registrations|.

To <dfn>get supported registrars</dfn>:

1. Let |supportedRegistrars| be an [=list/is empty|empty=] [=list=].
1. If the user agent supports web registrations, [=list/append=] "<code>[=registrar/web=]</code>"
    to |supportedRegistrars|.
1. If the user agent supports OS registrations, [=list/append=] "<code>[=registrar/os=]</code>"
    to |supportedRegistrars|.
1. Return |supportedRegistrars|.

"<code><dfn>Attribution-Reporting-Support</dfn></code>" is a
<a href="https://httpwg.org/specs/rfc8941.html#dictionary">Dictionary Structured
Header</a> set on a [=request=] that indicates which registrars, if
any, the corresponding [=response=] can use. Its values are not specified and
its allowed keys are the [=registrars=].

To <dfn noexport>set an OS-support header</dfn> given a [=header list=]
|headers|:

1. Let |supportedRegistrars| be the result of [=getting supported registrars=].
1. Let |dict| be the result of [=obtaining a dictionary structured header value=]
    with |supportedRegistrars| and the [=set=] containing all the [=registrars=].
1. [=header list/Set a structured field value=] given
    ("<code>[=Attribution-Reporting-Support=]</code>", |dict|) in |headers|.


# Report Verification Algorithms # {#report-verification}

"<dfn><code>Sec-Attribution-Reporting-Private-State-Token</code></dfn>" is a [=structured header=] used
to orchestrate report verification.

* When [=setting trigger verification request headers=], the field is a collection of unsigned masked tokens formatted as a [=structured header/list=] of [=structured header/string=].
* When [=receiving trigger verification tokens=], the field is a collection of signed masked tokens formatted as a [=structured header/list=] of [=structured header/string=].
* When [=generating attribution report headers=], the header field is a single signed unmasked token formatted as a [=structured header/string=].

<h3 id="initiate-trigger-verification">Initiate trigger verification</h3>

To <dfn noexport>set trigger verification request headers</dfn> given a [=request=] |request|
and a [=suitable origin=] |destination|:

1. Let |issuer| be |request|'s [=request/URL=]'s [=url/origin=].
1. If |issuer| is not [=check if an origin is suitable|suitable=], return.
1. Let (|issuerKeys|, |pretokens|, |cryptoProtocolVersion|) be the result of [=looking up the key commitments=] for |issuer|.
1. If |issuerKeys| is null, return.
1. Let |ids| be a new [=list=].
1. Let |base64EncodedMaskedMessages| be a new [=list=].
1. While |ids|'s [=list/size=] is less than [=verification tokens per trigger=]:
    1. Let |id| be the result of [=generating a random UUID=].
    1. [=list/Append=] |id| to |ids|.
    1. Let |message| be the [=string/concatenate|concatenation=] of |id| and |destination|.
    1. Let |maskedMessage| be the result of [=generating masked tokens=] with |issuerKeys| and |message|.
    1. Let |base64EncodedMaskedMessage| be the [=forgiving-base64 encoding=] of |maskedMessage|.
    1. Let |fieldValue| be the result of [=structured header/serializing a string=] with |base64EncodedMaskedMessage|.
    1. [=list/Append=] |fieldValue| to |base64EncodedMaskedMessages|.
1. Let |request|'s [=request/trigger verification metadata=] be a [=trigger verification metadata=] with the items:
    : [=trigger verification metadata/pretokens=]
    :: |pretokens|
    : [=trigger verification metadata/IDs=]
    :: |ids|
1. [=header list/Set a structured field value=] given
    ("<code>[=Sec-Attribution-Reporting-Private-State-Token=]</code>", |base64EncodedMaskedMessages|)
    in |request|'s [=request/header list=].
1. [=header list/Set a structured field value=] given
    ("<code>[=Sec-Private-State-Token-Crypto-Version=]</code>", |cryptoProtocolVersion|)
    in |request|'s [=request/header list=].

Issue: Link to a generating masked tokens algorithm that receives messages.

<h3 id="handle-trigger-verification">Handle trigger verification</h3>

To <dfn noexport>receive trigger verification tokens</dfn> given an
[=url/origin=] |issuer|, a [=header list=], |headers|, and a
[=request/trigger verification metadata=] |metadata|:

1. If |metadata| is null, return a new [=list=].
1. If |metadata|'s [=trigger verification metadata/IDs=]'s [=list/size=] is not equal to [=verification tokens per trigger=], return a new [=list=].
1. Let |pretokens| be |metadata|'s [=trigger verification metadata/pretokens=].
1. Let |issuerKeys| be the result of [=looking up the key commitments=] for |issuer|.
1. If |issuerKeys| is null, return a new [=list=].
1. Let |fieldValue| be the result of [=header list/getting a structured field value=] given
    ("<code>[=Sec-Attribution-Reporting-Private-State-Token=]</code>", "`list`") from |response|'s [=response/header list=].
1. Let |base64EncodedMaskedTokens| be the result of [=structured header/parsing a list=] with |fieldValue|.
1. [=header list/delete|Delete=] "<code>[=Sec-Attribution-Reporting-Private-State-Token=]</code>" from |response|'s [=response/header list=].
1. If |base64EncodedMaskedTokens|'s [=list/size=] is greater than |metadata|'s [=trigger verification metadata/IDs=]'s [=list/size=], return a new [=list=].
1. Let |base64EncodedPrivateStateTokens| be a new [=list=].
1. [=list/iterate|For each=] |base64EncodedMaskedToken| of |base64EncodedMaskedTokens|:
    1. Let |base64EncodedMaskedTokenValue| be the result of [=structured header/parsing a string=] with |base64EncodedMaskedToken|.
    1. Let |maskedToken| be the [=forgiving-base64 decoding=] of |base64EncodedMaskedTokenValue|.
    1. Let |token| be the result of [=unmasking tokens=] given |issuerKeys|, |pretokens|, and |maskedToken|.
    1. If |token| is null, return a new [=list=].
    1. Let |privateStateToken| be the result of running a cryptographic redemption procedure with |token|.
    1. If |privateStateToken| is null, return a new [=list=].
    1. Let |base64EncodedPrivateStateToken| be the [=forgiving-base64 encoding=] of |privateStateToken|.
    1. [=list/Append=] |base64EncodedPrivateStateToken| to |base64EncodedPrivateStateTokens|.
1. Let |triggerVerifications| be a new [=list=].
1. For each integer |i| between 0 (inclusive) and |base64EncodedPrivateStateTokens|'s [=list/size=] (exclusive):
    1. Let |triggerVerification| be a [=trigger verification=] with the items:
        : [=trigger verification/token=]
        :: |base64EncodedPrivateStateTokens|[i]
        : [=trigger verification/id=]
        :: |metadata|'s [=trigger verification metadata/IDs=][i]
    1. [=list/Append=] |triggerVerification| to |triggerVerifications|.
1. Return |triggerVerifications|.

Issue: Specify the cryptographic redemption procedure.

To <dfn>obtain and deliver debug reports on OS registrations</dfn> given an
[=OS debug data type=] |dataType|, a [=list=] of [=OS registrations=] |registrations|,
and an [=origin=] |contextOrigin|:

1. If |registrations| [=list/is empty=], return.
1. Let |contextSite| be the result of [=obtaining a site=] from |contextOrigin|.
1. [=list/iterate|For each=] |registration| of |registrations|:
    1. If |registration|'s [=OS registration/debug reporting enabled=] is false, [=iteration/continue=].
    1. Let |origin| be |registration|'s [=OS registration/URL=]'s [=url/origin=].
    1. If |origin| is not [=check if an origin is suitable|suitable=], [=iteration/continue=].
    1. Let |body| be a new [=map=] with the following key/value pairs:
        : "`context_site`"
        :: |contextSite|, <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
        : "`registration_url`"
        :: |registration|'s [=OS registration/URL=], [=url serializer|serialized=].

    1. Let |data| be a new [=attribution debug data=] with the items:
        : [=attribution debug data/data type=]
        :: |dataType|
        : [=attribution debug data/body=]
        :: |body|
    1. Run [=obtain and deliver a debug report=] with « |data| » and |origin|.

# User-Agent Automation # {#automation}
    
The user-agent has an associated boolean <dfn>automation local testing mode</dfn> (default false).
    
For the purposes of user-agent automation and website testing, this document
defines the below [[WebDriver]] [=extension commands=] to control the API
configuration.

## Set local testing mode ## {#webdriver-setlocaltestingmode}

<figure id="table-webdriver-setlocaltestingmode" class="table">
    <table class="data">
        <thead>
            <tr>
                <th>HTTP Method</th>
                <th>URI Template</th>
            </tr>
        </thead>
        <tbody>
            <tr>
                <td>POST</td>
                <td>`/session/{session id}/ara/`<dfn>`localtestingmode`</dfn></td>
            </tr>
        </tbody>
    </table>
</figure>

The [=remote end steps=] are:

1. If |parameters| is not a JSON-formatted [[ECMASCRIPT#sec-objects|Object]],
    return a [=error|WebDriver error=] with [=error code=] [=invalid argument=].

1. Let |enabled| be the result of [=getting a property=] named `"enabled"` from
    |parameters|.

1. If |enabled| is {{undefined}} or is not a boolean, return a [=error|WebDriver error=]
    with [=error code=] [=invalid argument=].

1. Set [=automation local testing mode=] to |enabled|.

1. Return [=success=] with data `null`.

Note: Without this, reports would be subject to noise and delays, making testing difficult.

# Security considerations # {#security-considerations}

## Same-Origin Policy ## {#same-origin-policy}

*This section is non-normative.*

Writes to the [=attribution source cache=], [=event-level report cache=], and
[=aggregatable report cache=] are separated by the reporting [=origin=], and reports sent
to a given [=origin=] are generated via data only written to by that [=origin=], via
HTTP response headers.

However, the [=attribution rate-limit cache=] is not fully partitioned by [=origin=]. Reads
to that cache involve grouping together data submitted by multiple origins. This is the case
for the following limits:
- [=max destinations per rate-limit window=][0]
- [=max source reporting origins per rate-limit window=]
- [=max source reporting origins per source reporting site=]
- [=max attribution reporting origins per rate-limit window=]

These limits are explicit relaxations of the Same-Origin Policy, in that they allow
different origins to influence the API's behavior. In particular, one risk that is
introduced with these shared limits is denial of service attacks, where a group of
origins could collude to intentionally hit a rate-limit, causing subsequent origins to
be unable to access the API.

This trades off security for privacy, in that the limits are there to reduce the efficacy
of many origins colluding together to violate privacy. API deployments should monitor
for abuse using these vectors to evaluate the trade-off.

The generation of [=attribution debug reports=] involves reads to the [=attribution source cache=],
[=event-level report cache=], [=aggregatable report cache=], and [=attribution rate-limit cache=],
and the [=attribution debug data=] sent to a given [=origin=] may encode non-Same-Origin
data that are generated from grouping together data submitted by multiple [=origins=],
e.g. failures due to rate-limits that are not fully compliant with the Same-Origin Policy.
This is of greater concern for source registrations as the [=attribution source/source origin=]
could intentionally hit a rate-limit to identify sensitive user data. These [=attribution debug data=]
cannot be reported explicitly and may be reported as a [=source debug data type/source-success=]
[=attribution debug report=]. This is a tradeoff between security and utility, and mitigates the
security concern with respect to the Same-Origin Policy. The risk is of less concern for
trigger registrations as [=attribution sources=] have to be registered to start with and
it requires browsing activity on multiple sites.

## Opting in to the API ## {#opting-in-to-the-api}

*This section is non-normative.*

As a general principle, the API cannot be used purely at the HTTP layer without some level of
opt-in from JavaScript or HTML. For HTML, this opt-in is in the form of the
{{HTMLAttributionSrcElementUtils/attributionSrc}} attribute, and for JavaScript, it is
the various modifications to [=fetch=], {{XMLHttpRequest}}, and the [=window open steps=].

However, this principle is only strictly applied to registering [=attribution sources=]. For
[=triggering attribution=], we waive this requirement for the sake of compatibility with existing
systems, see <a href="https://github.com/WICG/attribution-reporting-api/issues/347">347</a> for
context.

# Privacy considerations # {#privacy-considerations}

## Clearing site data ## {#clearing-site-data}

The [=attribution caches=] contain data about a user's web activity. As such,
the user agent MAY expose controls that allow the user to delete data from them.

## Cross-site information disclosure ## {#cross-site-information-disclosure}

*This section is non-normative.*

The API is concerned with protecting arbitrary cross-site information from being passed
from one site to another. For a given [=attribution source=], any outcome associated with it
is considered cross-site information. This includes:
* Whether the [=attribution source=] generates any [=attribution reports=] or not
* The contents of the associated [=attribution reports=], if present

The information embedded in the API output is arbitrary but can include things like browsing
history and other cross-site activity. The API aims to provide some protection for this information:

### Event-level reports ### {#cross-site-information-disclosure-event-level-reports}

Any given [=attribution source=] has a [=obtain a set of possible trigger states|set of possible trigger states=].
The choice of trigger state may encode cross-site information. To protect the cross-site information disclosure,
each [=attribution source=] is subject to a [=obtain a randomized response|randomized response mechanism=] [[RR]],
which will choose a state at random with [=obtain a randomized source response pick rate|pick rate=]
dependent on the user agent's [=randomized response epsilon=].

This introduces some level of plausible deniability into the resulting [=event-level reports=] (or lack thereof),
as there is always a chance that the output was generated from a random process. We can reason about the
protection this gives an individual [=attribution source=] from the lens of differential privacy [[DP]].

Additionally, [=event-level reports=] limit the *amount* of relative cross-site information associated with
a particular [=attribution source=]. We model this using the notion of channel capacity [[CHAN]].  For every [=attribution source=],
it is possible to model its output as a noisy channel. The number of input/output symbols is governed by its associated
[=obtain a set of possible trigger states|set of possible trigger states=]. With the randomized response mechanism,
this allows us to analyze the output as a q-ary symmetric channel [[Q-SC]], with `q` equal to the [=set/size=] of the
[=obtain a set of possible trigger states|set of possible trigger states=]. This is normatively defined in the
[=compute the channel capacity of a source=] algorithm.

Note that [=source type/navigation=] [=attribution sources=] and [=source type/event=] [=attribution sources=] may
have different channel capacities, given that [=source type/event=] [=attribution sources=] can be registered without
[=user activation=] or top-level navigation. Maximum capacity for each type is governed by the vendor-defined
[=max event-level channel capacity per source=].

### Aggregatable reports ### {#cross-site-information-disclosure-aggregatable-reports}

Aggregatable reports protect against cross-site information disclosure in two primary ways:
1. For a given [=attribution trigger=], whether it is [=triggering attribution|attributed=] to a
    source is subject to one-way noise via [=generate null reports|generating null reports=] with
    some probability. Note that because the noise does not drop true reports, this is only a partial
    mitigation, as if an [=attribution source=] never generates an [=aggregatable report=], an
    adversary can learn with 100% certainty that an [=attribution source=] was never matched with
    an [=attribution trigger=].
1. Cross-site information embedded in an [=aggregatable report=]'s [=aggregatable report/contributions=]
    is encrypted with a [=obtain the public key for encryption|public key=], ensuring that individual
    contributions cannot be accessed until an aggregation service subjects them to aggregation
    and an additive noise process.

Issue: add links to the aggregation service noise addition algorithm.

Issue: model the channel capacity of a trigger registration.

### Debug reports ### {#cross-site-information-disclosure-debug-reports}

Fine-grained cross-site information may be embedded in [=attribution reports=] sent with
[=generate an attribution report URL/isDebugReport=] being true and certain [=debug data type|types=]
of [=attribution debug reports=]. These reports will only be [=check if cookie-based debugging is allowed|allowed=]
when third-party cookies are available, in which case the API caller
had the capability to learn the underlying information.

## Protecting against cross-site recognition ## {#protecting-against-cross-site-recognition}

*This section is non-normative.*

A primary privacy goal of the API is to make linking identity between two different top-level sites
difficult. This happens when either a request or a JavaScript environment has two user IDs from two
different sites simultaneously. Both [=event-level reports=] and [=aggregatable reports=] were
designed to make this kind of recognition difficult:

### Event-level reports ### {#cross-site-recognition-event-level-reports}

[=Event-level reports=] come bearing a fine-grained [=event-level report/event id=] that can
uniquely identify the source event, which may be joinable with a user's identity. As such, for
[=event-level reports=] to protect the cross-site recognition risk, they contain only a small
amount (measured via channel capacity) of relative cross-site information from any of the
[=attribution source/attribution destinations=]. By limiting the amount of relative cross-site
information embedded in [=event-level reports=], we make it difficult for an identifier to be passed
through this channel to enable cross-site recognition alone.

### Aggregatable reports ### {#cross-site-recognition-aggregatable-reports}

[=Aggregatable reports=] only contain fine-grained cross-site information in encrypted form.
In cleartext, they contain only coarse-grained information from the [=attribution source/source site=]
and [=aggregatable report/effective attribution destination=]. This makes it difficult for an
[=aggregatable report=] to be associated with a user from either site.

The cross-site recognition risk of the data encrypted in "`aggregation_service_payloads`" is
mitigated by the additive noise addition in the aggregation service.

## Mitigating against repeated API use ## {#mitigating-against-repeated-API-use}

Issue: fill in this section

## Protecting against browsing history reconstruction ## {#protecting-against-browsing-history-reconstruction}

Issue: fill in this section

## Reporting-delay concerns ## {#reporting-delay-concerns}

*This section is non-normative.*

Sending reports some time after attribution occurs enables side-channel leakage
in some situations.

### Cross-network reporting-origin leakage ### {#cross-network-reporting-origin-leakage}

A report may be *stored* while the browser is connected to one network but
*sent* while the browser is connected to a different network, potentially
enabling cross-network leakage of the reporting origin.

Example: A user runs the browser with a particular browsing profile on their
home network. An attribution report with a particular reporting origin is stored
with a scheduled report time in the future. After the scheduled report time is
reached, the user runs the browser with the same browsing profile on their
employer's network, at which point the browser sends the report to the reporting
origin. Although the report itself may be sent over HTTPS, the reporting origin
may be visible to the network administrator via DNS or the TLS client hello
(which can be mitigated with
<a href="https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni">ECH</a>).
Some reporting origins may be known to operate only or primarily on sensitive sites,
so this could leak information about the user's browsing activity to the user's
employer without their knowledge or consent.

Possible mitigations:

1. Only send reports with a given reporting origin when the browser has already
    made a request to that origin on the same network. This prevents the network
    administrator from gaining additional information from the Attribution
    Reporting API. However, it increases report loss and report delays, which
    reduces the utility of the API for the reporting origin. It might also
    increase the effectiveness of timing attacks, as the origin may be able to
    better link the report with the user's request that allowed the report to be released.
1. Send reports immediately: This reduces the likelihood of a report being
    stored and sent on different networks. However, it increases the likelihood
    that the reporting origin can correlate the original request made to the
    reporting origin for attribution to the report, which weakens the
    attribution-side privacy controls of the API. In particular,
    this destroys the differential privacy framework we have
    for event-level reports. It would also make the
    [=event-level report/trigger priority=] functionality impossible, as there
    would be no way to replace a lower-priority report that was already sent.
1. Use a trusted proxy server to send reports: This effectively moves the
    reporting origin into the report body, so only the proxy server would be
    visible to the network administrator.
1. Require <a href="https://datatracker.ietf.org/doc/html/rfc8484">DNS over HTTPS</a>:
    This effectively hides the reporting origin from the network administrator, but is
    likely impractical to enforce and is itself perhaps circumventable by the network
    administrator.

### User-presence tracking ### {#user-presence-tracking}

The browser only tries to send reports while it is running and while it has
internet connectivity (even without an explicit check for connectivity,
naturally the report will fail to be sent if there is none), so receiving or not
receiving an [=event-level report=] at the expected time leaks information about the user's
presence. Additionally, because the report request inherently includes an IP
address, this could reveal the user's IP-derived whereabouts to the reporting
origin, including at-home vs. at-work or approximate real-world geolocation,
or reveal patterns in the user's browsing activity.

Possible mitigations:

1. Send reports immediately: This effectively eliminates the presence tracking,
    as the original request made to the reporting origin is in close temporal
    proximity to the report request. However, it increases the likelihood that
    the reporting origin can correlate the two requests, which weakens the
    attribution-side privacy controls of the API. It would also make the
    [=event-level report/trigger priority=] functionality impossible, as there
    would be no way to replace a lower-priority report that was already sent.
1. Send reports immediately to a trusted proxy server, which would itself send
    the report to the reporting origin with additional delay. This would
    effectively hide both the user's IP address and their online-offline
    presence from the reporting origin. Compared to the previous mitigation, the
    proxy server could itself handle the [=event-level report/trigger priority=]
    functionality, at the cost of increased complexity in the proxy.