index.bs

<pre class='metadata'>
Title: Attribution Reporting
Shortname: attribution-reporting
Level: 1
Status: CG-DRAFT
Group: wicg
Repository: WICG/attribution-reporting-api
URL: https://wicg.github.io/attribution-reporting-api
Editor: Charlie Harrison, Google Inc. https://google.com, csharrison@chromium.org
Editor: John Delaney, Google Inc. https://google.com, johnidel@chromium.org
Editor: Andrew Paseltiner, Google Inc. https://google.com, apaseltiner@chromium.org
Abstract: An API to report that an event may have been caused by another cross-site event. These reports are designed to transfer little enough data between sites that the sites can't use them to track individual users.

Markup Shorthands: markdown on
Complain About: accidental-2119 on, missing-example-ids on
Assume Explicit For: on
</pre>
<pre class=link-defaults>
spec:html; type:element; text:a
spec:html; type:element; text:script
spec:html; type:dfn; text:feature separators
spec:html; type:dfn; text:follow the hyperlink
spec:html; type:dfn; text:navigation params
spec:html; type:dfn; text:prepare the script element
spec:html; type:dfn; text:script fetch options
spec:html; type:dfn; text:set up the classic script request
spec:html; type:dfn; text:set up the module script request
spec:html; type:dfn; text:tokenize the features argument
spec:html; type:dfn; text:update the image data
spec:html; type:dfn; text:window open steps
spec:webdriver; type:dfn; text:error
</pre>
<pre class="anchors">
spec: clear-site-data; type: dfn; urlPrefix: https://w3c.github.io/webappsec-clear-site-data/
    text: clear DOM-accessible storage for origin; url: #abstract-opdef-clear-dom-accessible-storage-for-origin
spec: hr-time; type: dfn; urlPrefix: https://w3c.github.io/hr-time/
    text: current wall time; url: #dfn-current-wall-time
    text: duration; url: #dfn-duration
    text: moment; url: #dfn-moment
spec: idl; type: dfn; urlPrefix: https://webidl.spec.whatwg.org/
    text: throw; url: #dfn-throw
spec: webdriver; urlPrefix: https://w3c.github.io/webdriver/
    type: dfn
        text: getting a property; url: dfn-getting-properties
        text: error code; url: dfn-error-code
spec: uuid; type: dfn; urlPrefix: https://wicg.github.io/uuid/
    text: generate a random UUID; url: #dfn-generate-a-random-uuid
spec: private-state-token-api; type: dfn; urlPrefix: https://wicg.github.io/trust-token-api/
    text: look up the key commitments; url: #look-up-the-key-commitments
    text: generate masked tokens; url: #generate-masked-tokens
    text: unmask tokens; url: #unmask-tokens
    text: sec-private-state-token-crypto-version; url: #sec-private-state-token-crypto-version
spec: structured header; type: dfn; urlPrefix: https://httpwg.org/specs/rfc8941;
    text: structured header; url: #introduction
    for: structured header
        text: define new structured fields; url: #specify
        text: dictionary; url: #dictionary
        text: item; url: #item
        text: list; url: #list
        text: parameter; url: #param
        text: parse a list; url: #parse-list
        text: parse a string; url: #parse-string
        text: parse structured fields; url: #text-parse
        text: serialize a list; url: #ser-list
        text: serialize a string; url: #ser-string
        text: string; url: #string
        text: token; url: #token
spec: infra; type: dfn; urlPrefix: https://infra.spec.whatwg.org/
    text: starts with; url: #string-starts-with
spec: fenced-frame; type: dfn; urlPrefix: https://wicg.github.io/fenced-frame/;
    for: navigable
        text: top-level traversable; url: #navigable-top-level-traversable
    for: fenced navigable container
        text: fenced navigable; url:#fenced-navigable-container-fenced-navigable
spec: multipage; type: dfn; urlPrefix: https://html.spec.whatwg.org/multipage/;
    for: scheme and host
        text: host; url: #concept-scheme-and-host-host
</pre>
<pre class=biblio>
{
    "chan": {
        "title": "Channel capacity",
        "href": "https://en.wikipedia.org/wiki/Channel_capacity"
    },
     "dp": {
        "title": "Differential privacy",
        "href": "https://en.wikipedia.org/wiki/Differential_privacy"
    },
     "rr": {
        "title": "Randomized response",
        "href": "https://en.wikipedia.org/wiki/Randomized_response"
    },
     "bin-ent": {
        "title": "Binary entropy function",
        "href": "https://en.wikipedia.org/wiki/Binary_entropy_function"
    },
    "q-sc": {
        "authors": [
            "Claudio Weidmann",
            "Gottfried Lechner"
        ],
        "title": "q-ary symmetric channel",
        "href": "https://arxiv.org/pdf/0909.2009.pdf"
    }

}
</pre>

Introduction {#intro}
=====================

<em>This section is non-normative</em>

This specification describes how web browsers can provide a mechanism to the
web that supports measuring and attributing conversions (e.g. purchases) to ads
a user interacted with on another site. This mechanism should remove one need
for cross-site identifiers like third-party cookies.

## Overview ## {#overview}

Pages/embedded sites are given the ability to register [=attribution sources=] and
[=attribution triggers=], which can be linked by the User Agent to generate and
send [=attribution reports=] containing information from both of those events.

A reporter `https://reporter.example` embedded on `https://source.example` is able to
measure whether an interaction on the page lead to an action on `https://destination.example`
by registering an [=attribution source=] with [=attribution source/attribution destinations=]
of « `https://destination.example` ». Reporters are able to register sources through a variety
of surfaces, but ultimately the reporter is required to provide the User Agent with an
HTTP-response header which allows the source to be eligible for attribution.

At a later point in time, the reporter, now embedded on `https://destination.example`,
may register an [=attribution trigger=]. Reporters can register triggers by sending an
HTTP-response header containing information about the action/event that occurred. Internally,
the User Agent attempts to match the trigger to previously registered source events based on
where the sources/triggers were registered and configurations provided by the reporter.

If the User Agent is able to attribute the trigger to a source, it will generate and
send an [=attribution report=] to the reporter via an HTTP POST request at a later point
in time.

# HTML monkeypatches # {#html-monkeypatches}

<h3 id="monkeypatch-attributionsrc">API for elements</h3>

<pre class="idl">
interface mixin HTMLAttributionSrcElementUtils {
    [CEReactions, SecureContext] attribute USVString attributionSrc;
};

HTMLAnchorElement includes HTMLAttributionSrcElementUtils;
HTMLImageElement includes HTMLAttributionSrcElementUtils;
HTMLScriptElement includes HTMLAttributionSrcElementUtils;
</pre>

Add the following <a spec=html>content attributes</a>:

: <{a}>
:: <dfn for="a" element-attr>attributionsrc</dfn> - A [=string=] containing
    zero or more [=URLs=] to which a background attributionsrc request will be
    made when the <{a}> is navigated.
: <{img}>
:: <dfn for="img" element-attr>attributionsrc</dfn> - A [=string=] containing
    zero or more [=URLs=] to which a background attributionsrc request will be
    made when set.
: <{script}>
:: <dfn for="script" element-attr>attributionsrc</dfn> - A [=string=] containing
    zero or more [=URLs=] to which a background attributionsrc request will be
    made when set.

The IDL attribute {{HTMLAttributionSrcElementUtils/attributionSrc}}
must <a spec=html>reflect</a> the respective content attribute of the same
name.

Whenever an <{img}> or a <{script}> |element| is created or |element|'s
{{HTMLAttributionSrcElementUtils/attributionSrc}} attribute is set or changed,
run [=make background attributionsrc requests=] with |element| and
"<code>[=eligibility/event-source-or-trigger=]</code>" and the current state of
|element|'s <{img/referrerpolicy}> content attribute or
<{script/referrerpolicy}> content attribute.

Issue: More precisely specify which mutations are relevant for the
attributionsrc attribute.

Modify [=update the image data=] as follows:

After the step

> Set |request|'s [=request/priority=] to the current state...

add the step

1. If the element has an <{img/attributionsrc}> attribute, set
    |request|'s [=request/Attribution Reporting Eligibility=] to
    "<code>[=eligibility/event-source-or-trigger=]</code>".

A [=script fetch options=] has an associated <dfn for="script fetch options">
Attribution Reporting eligibility</dfn> (an [=eligibility=]). Unless otherwise
stated it is "<code>[=eligibility/unset=]</code>".

Modify [=prepare the script element=] as follows:

After the step

> Let <var ignore=''>fetch priority</var> be the current state of |el|'s <{script/fetchpriority}>
> content attribute.

add the step

1. Let |Attribution Reporting eligibility| be
    "<code>[=eligibility/event-source-or-trigger=]</code>" if |el| has an
    <{script/attributionsrc}> content attribute and
    "<code>[=eligibility/unset=]</code>" otherwise.

Add "and [=script fetch options/Attribution Reporting eligibility=] is
|Attribution Reporting eligibility|." to the step

> Let <var ignore=''>options</var> be a [=script fetch options=] whose...

Modify [=set up the classic script request=] and
[=set up the module script request=] as follows:

Add "and its [=request/Attribution Reporting eligibility=] is |options|'s
[=script fetch options/Attribution Reporting eligibility=]."

Modify [=follow the hyperlink=] as follows:

After the step

> If |subject|'s link types includes...

add the steps

1. Let |navigationSourceEligible| be false.
1. If |subject| has an `attributionsrc` attribute:
    1. Set |navigationSourceEligible| to true.
    1. [=Make background attributionsrc requests=] with |subject| and
        "<code>[=eligibility/navigation-source=]</code>", and |referrerPolicy|.

Add "and [=navigate/navigationSourceEligible=] set to
|navigationSourceEligible|" to the step

> [=Navigate=] <var ignore=''>targetNavigable</var>...

<h3 id="monkeypatch-window-open">Window open steps</h4>

Modify the [=tokenize the features argument=] as follows:

Replace the step

> [=Collect a sequence of code points=] that are not [=feature separators=] code
> points from |features| given |position|. Set |value| to the collected code
> points, [=ASCII lowercase|converted to ASCII lowercase=].

with

[=Collect a sequence of code points=] that are not [=feature separators=] code
points from |features| given |position|. Set |value| to the collected code
points, [=ASCII lowercase|converted to ASCII lowercase=]. Set
|originalCaseValue| to the collected code points.

Replace the step

> If |name| is not the empty string, then set |tokenizedFeatures|[|name|] to
> |value|.

with the steps

1. If |name| is not the empty string:
    1. Switch on |name|:
        <dl class="switch">
        : "`attributionsrc`"
        :: Run the following steps:
            1. If |tokenizedFeatures|[|name|] does not [=map/exists|exist=],
                [=map/set=] |tokenizedFeatures|[|name|] to a new [=list=].
            1. [=list/Append=] |originalCaseValue| to |tokenizedFeatures|[|name|].
        : Anything else
        :: [=map/Set=] |tokenizedFeatures|[|name|] to |value|.

        </dl>

Modify the [=window open steps=] as follows:

After the step

> Let |tokenizedFeatures| be the result of
> [=tokenize the features argument|tokenizing=] |features|.

add the steps

1. Let |navigationSourceEligible| be false.
1. If |tokenizedFeatures|["`attributionsrc`"] [=map/exists=]:
    1. [=Assert=]: |tokenizedFeatures|["`attributionsrc`"] is a [=list=].
    1. Set |navigationSourceEligible| to true.
    1. Set |attributionSrcUrls| to a new [=list=].
    1. [=list/iterate|For each=] |value| of
        |tokenizedFeatures|["`attributionsrc`"]:
        1. If |value| is the empty string, [=iteration/continue=].
        1. Let |decodedSrcBytes| be the result of
            [=string/percent-decode|percent-decoding=] |value|.
        1. Let |decodedSrc| be the [=UTF-8 decode without BOM=] of
            |decodedSrcBytes|.
        1. <a spec="HTML" lt="parse a URL">Parse</a> |decodedSrc| relative to
            the <a spec="HTML" lt="entry settings object">entry settings object</a>,
            and set |urlRecord| to the resulting [=URL record=], if any. If
            parsing failed, [=iteration/continue=].
        1. [=list/Append=] |urlRecord| to |attributionSrcUrls|.

Issue: Use |attributionSrcUrls| and |referrerPolicy| with
[=make a background attributionsrc request=].

In each step that calls [=navigate=], set [=navigate/navigationSourceEligible=]
to |navigationSourceEligible|.

## Navigation monkeypatches ## {#navigation-monkeypatches}

Add the following item to [=navigation params=]:

: <dfn for="navigation params">navigationSourceEligible</dfn>
:: A boolean indicating whether the navigation can register a
    [=source type/navigation=] [=attribution source|source=] in its response.
    Defaults to false.

Modify [=navigate=] as follows:

Add an optional boolean parameter called <dfn for="navigate">
<var>navigationSourceEligible</var></dfn>, defaulting to false.

In the step

> Set <var ignore=''>navigationParams</var> to a new [=navigation params=]
> with...

add the property

: [=navigation params/navigationSourceEligible=]
:: |navigationSourceEligible|

Issue: Use/propagate [=navigation params/navigationSourceEligible=] to the
[=navigation request=]'s [=request/Attribution Reporting eligibility=].

# Network monkeypatches # {#network-monkeypatches}

<pre class="idl">
dictionary AttributionReportingRequestOptions {
  required boolean eventSourceEligible;
  required boolean triggerEligible;
};

partial dictionary RequestInit {
  AttributionReportingRequestOptions attributionReporting;
};

partial interface XMLHttpRequest {
  [SecureContext]
  undefined setAttributionReporting(AttributionReportingRequestOptions options);
};
</pre>

A [=request=] has an associated
<dfn export for=request>Attribution Reporting eligibility</dfn> (an [=eligibility=]).
Unless otherwise stated it is "<code>[=eligibility/unset=]</code>".

A [=request=] has an associated
<dfn for=request>trigger verification metadata</dfn> which is null or a [=trigger verification metadata=].

To <dfn>get an eligibility from {{AttributionReportingRequestOptions}}</dfn>
given an optional {{AttributionReportingRequestOptions}} |options|:

1. If |options| is null, return "<code>[=eligibility/unset=]</code>".
1. Let |eventSourceEligible| be |options|'s
    {{AttributionReportingRequestOptions/eventSourceEligible}}.
1. Let |triggerEligible| be |options|'s
    {{AttributionReportingRequestOptions/triggerEligible}}.
1. If (|eventSourceEligible|, |triggerEligible|) is:
    <dl class="switch">
    : (false, false)
    :: Return "<code>[=eligibility/empty=]</code>".
    : (false, true)
    :: Return "<code>[=eligibility/trigger=]</code>".
    : (true, false)
    :: Return "<code>[=eligibility/event-source=]</code>".
    : (true, true)
    :: Return "<code>[=eligibility/event-source-or-trigger=]</code>".

    </dl>

Issue: Check permissions policy.

"<code><dfn>Attribution-Reporting-Eligible</dfn></code>" is a
[=structured header/dictionary|Dictionary Structured Header=]
set on a [=request=] that indicates which registrations, if
any, are allowed on the corresponding [=response=]. Its values are not specified
and its <dfn lt="eligible key">allowed keys</dfn> are:

<dl dfn-for="eligible key">
: "<dfn><code>event-source</code></dfn>"
:: An [=source type/event=] [=attribution source|source=] may be registered.
: "<dfn><code>navigation-source</code></dfn>"
:: A [=source type/navigation=] [=attribution source|source=] may be registered.
: "<dfn><code>trigger</code></dfn>"
:: A [=attribution trigger|trigger=] may be registered.

</dl>

To <dfn>obtain a dictionary structured header value</dfn> given a [=list=] of [=strings=] |keys| and
a [=set=] of [=strings=] |allowedKeys|:

1. [=set/iterate|For each=] |key| of |allowedKeys|, optionally [=list/append=] the
    [=string/concatenation=] of « "`not-`", |key| » to |keys|.
1. Optionally, [=shuffle a list|shuffle=] |keys|.
1. Let |entries| be a new [=list=].
1. [=list/iterate|For each=] |key| of |keys|:
    1. Let |value| be true.
    1. Optionally, set |value| to a [=structured header/token=]
        corresponding to one of [=strings=] in |allowedKeys|.
    1. Let |params| be a new [=map=].
    1. [=set/iterate|For each=] |key| of |allowedKeys|, optionally [=map/set=] |params|[|key|] to an
        arbitrary [=structured header/item|bare item=].
    1. [=list/Append=] a structured dictionary member with the key |key|, the
        value |value|, and the parameters |params| to |entries|.
1. Return a [=structured header/dictionary=] containing |entries|.

Note: The user agent MAY "[=structured header/define new structured fields|grease=]" the
dictionary structured headers according to the preceding algorithm to help ensure that recipients
use a proper structured header parser, rather than naive string equality or
`contains` operations, which makes it easier to introduce backwards-compatible
changes to the header definition in the future. Including the allowed keys
as dictionary *values* or *parameters* helps ensure that only the dictionary's
keys are interpreted by the recipient. Likewise, shuffling the dictionary
members helps ensure that, e.g., "`key1, key2`" is treated equivalently to "`key2, key1`".

In the following example, only the "`trigger`" key should be interpreted by the
recipient after the header has been parsed as a structured dictionary:

<pre class="example" heading="Greased Attribution-Reporting-Eligible header">
Attribution-Reporting-Eligible: not-event-source, trigger=event-source;navigation-source=3
</pre>

In the following example, only the "`os`" key should be interpreted by the
recipient after the header has been parsed as a structured dictionary:

<pre class="example" heading="Greased Attribution-Reporting-Support header">
Attribution-Reporting-Support: os=web
</pre>

To <dfn>set Attribution Reporting headers</dfn> given a [=request=] |request|
and an [=origin=] |contextOrigin|:

1. Let |headers| be |request|'s [=request/header list=].
1. Let |eligibility| be |request|'s [=request/Attribution Reporting eligibility=].
1. [=header list/Delete=] "<code>[=Attribution-Reporting-Eligible=]</code>" from
    |headers|.
1. [=header list/Delete=] "<code>[=Attribution-Reporting-Support=]</code>" from
    |headers|.
1. If |eligibility| is "<code>[=eligibility/unset=]</code>", return.
1. Let |keys| be a new [=list=].
1. If |eligibility| is:
    <dl class="switch">
    : "<code>[=eligibility/empty=]</code>"
    :: Do nothing.
    : "<code>[=eligibility/event-source=]</code>"
    :: [=list/Append=] "<code>[=eligible key/event-source=]</code>" to |keys|.
    : "<code>[=eligibility/navigation-source=]</code>"
    :: [=list/Append=] "<code>[=eligible key/navigation-source=]</code>" to
        |keys|.
    : "<code>[=eligibility/trigger=]</code>"
    :: 1. [=list/Append=] "<code>[=eligible key/trigger=]</code>" to |keys|.
    :: 1. [=Set trigger verification request headers=] with |request| and |contextOrigin|.
    : "<code>[=eligibility/event-source-or-trigger=]</code>"
    :: [=list/Append=] "<code>[=eligible key/event-source=]</code>" and
        "<code>[=eligible key/trigger=]</code>" to |keys|.
1. Let |dict| be the result of [=obtaining a dictionary structured header value=] with
    |keys| and the [=set=] containing all the [=eligible keys=].
1. [=header list/Set a structured field value=] given
    ("<code>[=Attribution-Reporting-Eligible=]</code>", |dict|) in |headers|.
1. [=Set an OS-support header=] in |headers|.

<h3 id="monkeypatch-fetch">Fetch monkeypatches</h4>

Modify [=fetch=] as follows:

Add a [=Document=] parameter called |document|.

After the step

> If |request|'s [=request/header list=] does not contain `Accept`...

add the step

1. [=Set Attribution Reporting headers=] with |request| and |document|'s [=node/context origin=].

Modify {{Request/constructor(input, init)}} as follows:

In the step

> Set |request| to a new [=request=] with the following properties:

add the property

: [=request/Attribution Reporting eligibility=]
:: |request|'s [=request/Attribution Reporting eligibility=].

After the step

> If |init|["`priority`"] [=map/exists=], then:

add the step

1. If |init|["{{RequestInit/attributionReporting}}"] [=map/exists=], then set
    |request|'s [=request/Attribution Reporting eligibility=] to the result of
    [=get an eligibility from AttributionReportingRequestOptions=] with it.

<h3 id="monkeypatch-xmlhttprequest">XMLHttpRequest monkeypatches</h4>

An {{XMLHttpRequest}} object has an associated
<dfn id="xmlhttprequest-eligibility">Attribution Reporting eligibility</dfn> (an
[=eligibility=]). Unless otherwise stated it is
"<code>[=eligibility/unset=]</code>".

The {{XMLHttpRequest/setAttributionReporting(options)}} method must run these
steps:

1. If <a>this</a>'s
    <a href="https://xhr.spec.whatwg.org/#concept-xmlhttprequest-state">state</a>
    is not <i>opened</i>, then [=throw=] an
    "{{InvalidStateError!!exception}}" {{DOMException}}.
1. If <a>this</a>'s
    <a href="https://xhr.spec.whatwg.org/#send-flag">`send()` flag</a> is set,
    then [=throw=] an "{{InvalidStateError!!exception}}" {{DOMException}}.
1. Set <a>this</a>'s <a href=#xmlhttprequest-eligibility>Attribution Reporting
    eligibility</a> to the result of
    [=get an eligibility from AttributionReportingRequestOptions=] with
    |options|.

Modify {{XMLHttpRequest/send(body)}} as follows:

Add a [=Document=] parameter called |document|.

After the step:

> Let |req| be a new [=request=], initialized as follows...

Add the step:

1. Set |req|'s [=request/Attribution Reporting eligibility=] to <a>this</a>'s <a href=#xmlhttprequest-eligibility>Attribution Reporting
    eligibility</a>.
1. [=Set Attribution Reporting headers=] with |req| and |document|'s [=node/context origin=].

# Permissions Policy integration # {#permission-policy-integration}

This specification defines a [=policy-controlled feature=] identified by the string "<code><dfn export for="PermissionPolicy" enum-value>attribution-reporting</dfn></code>".
Its [=policy-controlled feature/default allowlist=] is <a href="https://w3c.github.io/webappsec-permissions-policy/#default-allowlist">`*`</a>.

# Clear Site Data integration # {#clear-site-data-integration}

In [=clear DOM-accessible storage for origin=], add the following step:

> 7. Run [=clear site data=] with |origin|.

To <dfn>clear site data</dfn> given an [=origin=] |origin|:

1. [=set/iterate|For each=] [=attribution source=] |source| of the [=attribution source cache=]:
    1. If |source|'s [=attribution source/reporting origin=] and |origin| are [=same origin=],
        [=set/remove=] |source| from the [=attribution source cache=].
1. [=set/iterate|For each=] [=event-level report=] |report| of the [=event-level report cache=]:
    1. If |report|'s [=event-level report/reporting origin=] and |origin| are [=same origin=],
        [=set/remove=] |report| from the [=event-level report cache=].
1. [=set/iterate|For each=] [=aggregatable attribution report=] |report| of the [=aggregatable attribution report cache=]:
    1. If |report|'s [=aggregatable attribution report/reporting origin=] and |origin| are [=same origin=],
        [=set/remove=] |report| from the [=aggregatable attribution report cache=].

Note: We deliberately do *not* remove matching entries from the
[=attribution rate-limit cache=] and [=aggregatable debug rate-limit cache=], as doing so would allow a site to reset and
therefore exceed the intended rate limits at will.

# Structures # {#structures}

<h3 dfn-type=dfn>Registration info</h3>

A registration info is a [=struct=] with the following items:

<dl dfn-for="registration info">
: <dfn>preferred platform</dfn>
:: Null or a [=registrar=].
: <dfn>report header errors</dfn>
:: A [=boolean=].

</dl>

<h3 dfn-type=dfn>Trigger state</h3>

A trigger state is a [=struct=] with the following items:

<dl dfn-for="trigger state">
: <dfn>trigger data</dfn>
:: A non-negative 64-bit integer.
: <dfn>report window</dfn>
:: A [=report window=].

</dl>

<h3 dfn-type=dfn>Randomized response output configuration</h3>

A randomized response output configuration is a [=struct=] with the following items:

<dl dfn-for="randomized response output configuration">
: <dfn>max attributions per source</dfn>
:: A positive integer.
: <dfn>trigger specs</dfn>
:: A [=trigger spec map=].

</dl>

<h3 dfn-type=dfn>Randomized source response</h3>

A randomized source response is null or a [=list=] of [=trigger states=].

<h3 id="attribution-filtering">Attribution filtering</h3>

A <dfn>filter value</dfn> is a [=set=] of [=strings=].

A <dfn>filter map</dfn> is a [=map=] whose [=map/key|keys=] are [=strings=] and whose
[=map/value|values=] are [=filter values=].

A <dfn>filter config</dfn> is a [=struct=] with the following items:

<dl dfn-for="filter config">
: <dfn>map</dfn>
:: A [=filter map=].
: <dfn>lookback window</dfn>
:: Null or a positive [=duration=].

</dl>

<h3 dfn-type=dfn>Suitable origin</h3>

A suitable origin is an [=origin=] that is [=check if an origin is suitable|suitable=].

<h3 id="source-type-header">Source type</h3>

A <dfn>source type</dfn> is one of the following:

<dl dfn-for="source type">
: "<dfn><code>navigation</code></dfn>"
:: The source was associated with a top-level navigation.
: "<dfn><code>event</code></dfn>"
:: The source was not associated with a top-level navigation.

</dl>

<h3 id="report-window-header">Report window</h3>

A <dfn>report window</dfn> is a [=struct=] with the following items:

<dl dfn-for="report window">
: <dfn>start</dfn>
:: A [=moment=].
: <dfn>end</dfn>
:: A [=moment=], strictly greater than [=report window/start=].

</dl>

A <dfn>report window list</dfn> is a [=list=] of [=report windows=].
It has the following constraints:

* Elements are in ascending order based on their [=report window/start=].
* Every element's [=report window/start=] is equal to the previous element's [=report window/end=], if it exists.
* There is at least one element in the list.

A [=report window list=] |list|'s <dfn for="report window list">total window</dfn> is
a [=report window=] [=struct=] with the following fields:

: [=report window/start=]
:: The [=report window/start=] of |list|[0].
: [=report window/end=]
:: The [=report window/end=] of |list|[|list|'s [=list/size=] - 1].

Note: The [=report window list/total window=] is conceptually a union of
[=report windows=], because there are no gaps in time between any of the
[=report windows|windows=].

<h3 id="summary-windows-operator-header">Summary window operator</h3>

A <dfn>summary window operator</dfn> summarizes the triggers within a
[=report window=]. Its value is one of the following:

<dl dfn-for="summary window operator">
: "<dfn><code>count</code></dfn>"
:: Number of triggers attributed.
: "<dfn><code>value_sum</code></dfn>"
:: Sum of the value of triggers.

</dl>

<h3 id="summary-bucket-header">Summary bucket</h3>

A <dfn>summary bucket</dfn> is a [=struct=] with the following items:

<dl dfn-for="summary bucket">
: <dfn>start</dfn>
:: An unsigned 32-bit integer.
: <dfn>end</dfn>
:: An unsigned 32-bit integer.

</dl>

A <dfn>summary bucket list</dfn> is a [=list=] of [=summary buckets=].
It has the following constraints:

* Elements are strictly in ascending order based on their [=summary bucket/start=].
* Every element's [=summary bucket/end=] is equal to the next element's [=summary bucket/start=] - 1, if it exists.
* There is at least one element in the list.

<h3 id="trigger-data-matching-mode-header">Trigger-data matching mode</h3>

A <dfn>trigger-data matching mode</dfn> is one of the following:

<dl dfn-for="trigger-data matching mode">
: "<dfn><code>exact</code></dfn>"
:: [=event-level trigger configuration/Trigger data=] must be less than the
    [=default trigger data cardinality=]. Otherwise, no event-level attribution
    takes place.
: "<dfn><code>modulus</code></dfn>"
:: [=event-level trigger configuration/Trigger data=] is taken modulo the
    [=default trigger data cardinality=].

</dl>

<h3 id="trigger-specs-header">Trigger specs</h3>

A <dfn>trigger spec</dfn> is a [=struct=] with the following items:

<dl dfn-for="trigger spec">
: <dfn>event-level report windows</dfn>
:: A [=report window list=].

</dl>

A <dfn>trigger spec map</dfn> is a [=map=] whose keys are unsigned 32-bit
integers and values are [=trigger specs=].

To <dfn>find a matching trigger spec</dfn> given an [=attribution source=]
|source| and an unsigned 64-bit integer |triggerData|:

1. Let |specs| be |source|'s [=attribution source/trigger specs=].
1. If |source|'s [=attribution source/trigger-data matching mode=] is:
    <dl class="switch">
    : "<code>[=trigger-data matching mode/exact=]</code>"
    :: Run the following steps:
        1. If |specs|[|triggerData|] [=map/exists=], return its [=map/entry=].
        1. Return null.
    : "<code>[=trigger-data matching mode/modulus=]</code>"
    :: Run the following steps:
        1. If |specs| [=map/is empty=], return null.
        1. Let |keys| be |specs|'s [=map/get the keys|keys=].
        1. Let |index| be the remainder when dividing |triggerData| by |keys|'s
            [=set/size=].
        1. Return the [=map/entry=] for |specs|[|keys|[|index|]].

    </dl>

<h3 dfn-type=dfn>Aggregatable debug reporting config</h3>

An aggregatable debug reporting config is a [=struct=] with the following items:

<dl dfn-for="aggregatable debug reporting config">
: <dfn>key piece</dfn> (default 0)
:: A non-negative 128-bit integer.
: <dfn>debug data</dfn> (default an [=map/is empty|empty=] [=map=])
:: A [=map=] whose [=map/keys=] are [=debug data types=] and whose [=map/values=]
    are [=aggregatable contributions=].
: <dfn>aggregation coordinator</dfn> (default [=default aggregation coordinator=])
:: An [=aggregation coordinator=].

</dl>

<h3 dfn-type=dfn>Attribution source</h3>

An attribution source is a [=struct=] with the following items:

<dl dfn-for="attribution source">
: <dfn>source identifier</dfn>
:: A [=string=].
: <dfn>source origin</dfn>
:: A [=suitable origin=].
: <dfn>event ID</dfn>
:: A non-negative 64-bit integer.
: <dfn>attribution destinations</dfn>
:: A [=set=] of [=sites=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>source type</dfn>
:: A [=source type=].
: <dfn>expiry</dfn>
:: A [=duration=].
: <dfn>trigger specs</dfn>
:: A [=trigger spec map=].
: <dfn>aggregatable report window</dfn>
:: A [=report window=].
: <dfn>priority</dfn>
:: A 64-bit integer.
: <dfn>source time</dfn>
:: A [=moment=].
: <dfn>number of event-level reports</dfn>
:: Number of [=event-level reports=] created for this [=attribution source=].
: <dfn>max number of event-level reports</dfn>
:: The maximum number of [=event-level reports=] that can be created for this [=attribution source=].
: <dfn>event-level attributable</dfn> (default true)
:: A [=boolean=].
: <dfn>dedup keys</dfn>
:: A [=set=] of [=event-level trigger configuration/dedup keys=] associated with this [=attribution source=].
: <dfn>randomized response</dfn> (default null)
:: A [=randomized source response=].
: <dfn>randomized trigger rate</dfn> (default 0)
:: A number between 0 and 1 (both inclusive).
: <dfn>event-level epsilon</dfn>
:: A double.
: <dfn>filter data</dfn>
:: A [=filter map=].
: <dfn>debug key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>aggregation keys</dfn>
:: A [=map=] whose [=map/key|keys=] are [=strings=] and whose [=map/value|values=] are
    non-negative 128-bit integers.
: <dfn>remaining aggregatable attribution budget</dfn>
:: A non-negative integer.
: <dfn>aggregatable dedup keys</dfn>
:: A [=set=] of [=aggregatable dedup key/dedup key|aggregatable dedup key values=] associated with this [=attribution source=].
: <dfn>debug reporting enabled</dfn>
:: A [=boolean=].
: <dfn>number of aggregatable attribution reports</dfn>
:: Number of [=aggregatable attribution reports=] created for this [=attribution source=].
: <dfn>trigger-data matching mode</dfn>
:: A [=trigger-data matching mode=].
: <dfn>debug cookie set</dfn> (default false)
:: A [=boolean=].
: <dfn>fenced</dfn>
:: A [=boolean=].
: <dfn>remaining aggregatable debug budget</dfn>
:: A non-negative integer.
: <dfn>number of aggregatable debug reports</dfn>
:: Number of [=aggregatable debug reports=] created for this [=attribution source=].
: <dfn>aggregatable debug reporting config</dfn>
:: An [=aggregatable debug reporting config=].
: <dfn>destination limit priority</dfn>
:: A 64-bit integer.

</dl>

An [=attribution source=] |source|'s <dfn for="attribution source">expiry time</dfn> is |source|'s [=attribution source/source time=] + |source|'s [=attribution source/expiry=].

An [=attribution source=] |source|'s <dfn for="attribution source">source site</dfn> is the result
of [=obtain a site|obtaining a site=] from |source|'s [=attribution source/source origin=].

<h3 dfn-type=dfn>Aggregatable trigger data</h3>

An aggregatable trigger data is a [=struct=] with the following items:

<dl dfn-for="aggregatable trigger data">
: <dfn>key piece</dfn>
:: A non-negative 128-bit integer.
: <dfn>source keys</dfn>
:: A [=set=] of [=strings=].
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].

</dl>

<h3 dfn-type=dfn>Aggregatable values configuration</h3>

An <dfn>aggregatable key value</dfn> is a [=struct=] with the following items:

<dl dfn-for="aggregatable key value">
: <dfn>value</dfn>
:: A non-negative 32-bit integer.
: <dfn>filtering ID</dfn>
:: A non-negative integer.

</dl>

An aggregatable values configuration is a [=struct=] with the following items:

<dl dfn-for="aggregatable values configuration">
: <dfn>values</dfn>
:: A [=map=] whose [=map/key|keys=] are [=strings=] and whose [=map/value|values=] are [=aggregatable key values=].
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].

</dl>

<h3 dfn-type=dfn>Aggregatable dedup key</h3>

An aggregatable dedup key is a [=struct=] with the following items:

<dl dfn-for="aggregatable dedup key">
: <dfn>dedup key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].

</dl>

<h3 dfn-type=dfn>Event-level trigger configuration</h3>

An event-level trigger configuration is a [=struct=] with the following items:

<dl dfn-for="event-level trigger configuration">
: <dfn>trigger data</dfn>
:: A non-negative 64-bit integer.
: <dfn>dedup key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>priority</dfn>
:: A 64-bit integer.
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>value</dfn>
:: A positive unsigned 32-bit integer.

</dl>

<h3 id="aggregation-coordinator-header">Aggregation coordinator</h3>

An <dfn>aggregation coordinator</dfn> is one of a user-agent-determined [=set=]
of [=suitable origins=] that specifies which aggregation service deployment to use.

<h3 id="aggregatable-source-registration-time-configuration-header">Aggregatable source registration time configuration</h3>

An <dfn>aggregatable source registration time configuration</dfn> is one of the following:

<dl dfn-for="aggregatable source registration time configuration">
: "<dfn><code>exclude</code></dfn>"
:: "`source_registration_time`" is excluded from an [=aggregatable attribution report=]'s [=aggregatable attribution report/shared info=].
: "<dfn><code>include</code></dfn>"
:: "`source_registration_time`" is included in an [=aggregatable attribution report=]'s [=aggregatable attribution report/shared info=].

</dl>

<h3 dfn-type=dfn>Attribution trigger</h3>

An attribution trigger is a [=struct=] with the following items:

<dl dfn-for="attribution trigger">
: <dfn>attribution destination</dfn>
:: A [=site=].
: <dfn>trigger time</dfn>
:: A [=moment=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>negated filters</dfn>
:: A [=list=] of [=filter configs=].
: <dfn>debug key</dfn>
:: Null or a non-negative 64-bit integer.
: <dfn>event-level trigger configurations</dfn>
:: A [=set=] of [=event-level trigger configuration=].
: <dfn>aggregatable trigger data</dfn>
:: A [=list=] of [=aggregatable trigger data=].
: <dfn>aggregatable values configurations</dfn>
:: A [=list=] of [=aggregatable values configuration=].
: <dfn>aggregatable dedup keys</dfn>
:: A [=list=] of [=aggregatable dedup key=].
: <dfn>verifications</dfn>
:: A [=list=] of [=trigger verification=].
: <dfn>debug reporting enabled</dfn>
:: A [=boolean=].
: <dfn>aggregation coordinator</dfn>
:: An [=aggregation coordinator=].
: <dfn>aggregatable source registration time configuration</dfn>
:: An [=aggregatable source registration time configuration=].
: <dfn>trigger context ID</dfn>
:: Null or a [=string=].
: <dfn>fenced</dfn>
:: A [=boolean=].
: <dfn>aggregatable filtering ID max bytes</dfn>
:: A positive integer.
: <dfn>aggregatable debug reporting config</dfn>
:: An [=aggregatable debug reporting config=].

</dl>

<h3 dfn-type=dfn>Attribution report</h3>

An attribution report is a [=struct=] with the following items:

<dl dfn-for="attribution report, aggregatable attribution report, event-level report, aggregatable report, aggregatable debug report">
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>report time</dfn>
:: A [=moment=].
: <dfn>report ID</dfn>
:: A [=string=].

</dl>

An <dfn>attribution debug info</dfn> is a [=tuple=] with the following items:

<dl dfn-for="attribution debug info">
: <dfn>source debug key</dfn>
:: Null or a [=string=].
: <dfn>trigger debug key</dfn>
:: Null or a [=string=].

</dl>

<h3 dfn-type=dfn>Event-level report</h3>

An event-level report is an [=attribution report=] with the following additional items:

<dl dfn-for="event-level report">
: <dfn>event ID</dfn>
:: A non-negative 64-bit integer.
: <dfn>source type</dfn>
:: A [=source type=].
: <dfn>trigger data</dfn>
:: A non-negative 64-bit integer.
: <dfn>randomized trigger rate</dfn>
:: A number between 0 and 1 (both inclusive).
: <dfn>trigger priority</dfn>
:: A 64-bit integer.
: <dfn>trigger time</dfn>
:: A [=moment=].
: <dfn>source identifier</dfn>
:: A string.
: <dfn>attribution destinations</dfn>
:: A [=set=] of [=sites=].
: <dfn>attribution debug info</dfn>
:: An [=attribution debug info=].

</dl>

<h3 id="aggregatable-report-header">Aggregatable report</h3>

An <dfn>aggregatable contribution</dfn> is a [=struct=] with the following items:

<dl dfn-for="aggregatable contribution">
: <dfn>key</dfn>
:: A non-negative 128-bit integer.
: <dfn>value</dfn>
:: A non-negative 32-bit integer.
: <dfn>filtering ID</dfn>
:: A non-negative integer.

</dl>

An <dfn>aggregatable report</dfn> is an [=attribution report=] with the following additional items:

<dl dfn-for="aggregatable report, aggregatable attribution report, aggregatable debug report">
: <dfn>contributions</dfn>
:: A [=list=] of [=aggregatable contributions=].
: <dfn>effective attribution destination</dfn>
:: A [=site=].
: <dfn>aggregation coordinator</dfn>
:: An [=aggregation coordinator=].

</dl>

An <dfn>aggregatable attribution report</dfn> is an [=aggregatable report=] with the following additional items:

<dl dfn-for="aggregatable attribution report">
: <dfn>source time</dfn>
:: A [=moment=].
: <dfn>serialized private state token</dfn>
:: A [=serialized private state token=].
: <dfn>source registration time configuration</dfn>
:: An [=aggregatable source registration time configuration=].
: <dfn>is null report</dfn> (default false)
:: A [=boolean=].
: <dfn>trigger context ID</dfn>
:: Null or a [=string=].
: <dfn>filtering ID max bytes</dfn>
:: A positive integer.
: <dfn>attribution debug info</dfn>
:: An [=attribution debug info=].
: <dfn>source identifier</dfn>
:: A [=string=].

</dl>

An <dfn>aggregatable debug report</dfn> is an [=aggregatable report=].

<h3 id="attribution-rate-limits">Attribution rate-limits</h3>

A <dfn>rate-limit scope</dfn> is one of the following:

<ul dfn-for="rate-limit scope">
<li>"<dfn><code>source</code></dfn>"
<li>"<dfn><code>event-attribution</code></dfn>"
<li>"<dfn><code>aggregatable-attribution</code></dfn>"
</ul>

An <dfn>attribution rate-limit record</dfn> is a [=struct=] with the following items:

<dl dfn-for="attribution rate-limit record">
: <dfn>scope</dfn>
:: A [=rate-limit scope=].
: <dfn>source site</dfn>
:: A [=site=].
: <dfn>attribution destination</dfn>
:: A [=site=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].
: <dfn>time</dfn>
:: A [=moment=].
: <dfn>expiry time</dfn>
:: Null or a [=moment=].
: <dfn>entity ID</dfn>
:: Null for [=obtain a fake report|fake reports=] or an [=event-level report=]'s [=event-level report/report ID=] or an
    [=aggregatable attribution report=]'s [=aggregatable attribution report/report ID=] or an
    [=attribution source=]'s [=attribution source/source identifier=].
: <dfn>deactivated for unexpired destination limit</dfn> (default false)
:: A [=boolean=].
: <dfn>destination limit priority</dfn> (default null)
:: Null or a 64-bit integer.

</dl>

<h3 id="aggregatable-debug-rate-limits">Aggregatable debug rate-limits</h3>

An <dfn>aggregatable debug rate-limit record</dfn> is a [=struct=] with the following items:

<dl dfn-for="aggregatable debug rate-limit record">
: <dfn>context site</dfn>
:: A [=site=].
: <dfn>reporting site</dfn>
:: A [=site=].
: <dfn>time</dfn>
:: A [=moment=].
: <dfn>consumed budget</dfn>
:: A positive integer.

</dl>

<h3 id="attribution-debug-data-header">Attribution debug data</h3>

A <dfn>debug data type</dfn> is a non-empty string that specifies the set of data that is
contained in a [=verbose debug report=] or in an [=aggregatable debug report=].

A <dfn>source debug data type</dfn> is a [=debug data type=] for source registrations.
Possible values are:

<ul dfn-for="source debug data type">
<li>"<dfn><code>source-channel-capacity-limit</code></dfn>"
<li>"<dfn><code>source-destination-global-rate-limit</code></dfn>"
<li>"<dfn><code>source-destination-limit</code></dfn>"
<li>"<dfn><code>source-destination-limit-replaced</code></dfn>"
<li>"<dfn><code>source-destination-per-day-rate-limit</code></dfn>"
<li>"<dfn><code>source-destination-rate-limit</code></dfn>"
<li>"<dfn><code>source-noised</code></dfn>"
<li>"<dfn><code>source-reporting-origin-limit</code></dfn>"
<li>"<dfn><code>source-reporting-origin-per-site-limit</code></dfn>"
<li>"<dfn><code>source-storage-limit</code></dfn>"
<li>"<dfn><code>source-success</code></dfn>"
<li>"<dfn><code>source-trigger-state-cardinality-limit</code></dfn>"
<li>"<dfn><code>source-unknown-error</code></dfn>"
</ul>

A <dfn>trigger debug data type</dfn> is a [=debug data type=] for trigger registrations.
Possible values are:

<ul dfn-for="trigger debug data type">
<li>"<dfn><code>trigger-aggregate-attributions-per-source-destination-limit</code></dfn>"
<li>"<dfn><code>trigger-aggregate-deduplicated</code></dfn>"
<li>"<dfn><code>trigger-aggregate-excessive-reports</code></dfn>"
<li>"<dfn><code>trigger-aggregate-insufficient-budget</code></dfn>"
<li>"<dfn><code>trigger-aggregate-no-contributions</code></dfn>"
<li>"<dfn><code>trigger-aggregate-report-window-passed</code></dfn>"
<li>"<dfn><code>trigger-aggregate-storage-limit</code></dfn>"
<li>"<dfn><code>trigger-event-attributions-per-source-destination-limit</code></dfn>"
<li>"<dfn><code>trigger-event-deduplicated</code></dfn>"
<li>"<dfn><code>trigger-event-excessive-reports</code></dfn>"
<li>"<dfn><code>trigger-event-low-priority</code></dfn>"
<li>"<dfn><code>trigger-event-no-matching-configurations</code></dfn>"
<li>"<dfn><code>trigger-event-no-matching-trigger-data</code></dfn>"
<li>"<dfn><code>trigger-event-noise</code></dfn>"
<li>"<dfn><code>trigger-event-report-window-not-started</code></dfn>"
<li>"<dfn><code>trigger-event-report-window-passed</code></dfn>"
<li>"<dfn><code>trigger-event-storage-limit</code></dfn>"
<li>"<dfn><code>trigger-no-matching-filter-data</code></dfn>"
<li>"<dfn><code>trigger-no-matching-source</code></dfn>"
<li>"<dfn><code>trigger-reporting-origin-limit</code></dfn>"
<li>"<dfn><code>trigger-unknown-error</code></dfn>"
</ul>

An <dfn>OS debug data type</dfn> is a [=debug data type=] for OS registrations.
Possible values are:

<ul dfn-for="OS debug data type">
<li>"<dfn><code>os-source-delegated</code></dfn>"
<li>"<dfn><code>os-trigger-delegated</code></dfn>"
</ul>

A <dfn>header errors debug data type</dfn> is a [=debug data type=] for
registration header errors. Possible values are:

<ul dfn-for="header errors debug data type">
<li>"<dfn><code>header-parsing-error</code></dfn>"
</ul>

<h3 dfn-type=dfn>Verbose debug report</h3>

A <dfn>verbose debug data</dfn> is a [=struct=] with the following items:

<dl dfn-for="verbose debug data">
: <dfn>data type</dfn>
:: A [=debug data type=].
: <dfn>body</dfn>
:: A [=map=] whose fields are determined by the [=verbose debug data/data type=].

</dl>

A verbose debug report is a [=struct=] with the following items:

<dl dfn-for="verbose debug report">
: <dfn>data</dfn>
:: A [=list=] of [=verbose debug data=].
: <dfn>reporting origin</dfn>
:: A [=suitable origin=].

</dl>

<h3 dfn-type=dfn>Serialized private state token</h3>

A serialized private state token is a [=forgiving-base64 encoding=] of a [=byte sequence=].

<h3 dfn-type=dfn>Trigger verification</h3>

A trigger verification is a [=struct=] with the following items:

<dl dfn-for="trigger verification">
: <dfn>token</dfn>
:: A [=serialized private state token=].
: <dfn>id</dfn>
:: The result of [=generating a random UUID=] over which the [=trigger verification/token=] is signed.

</dl>

<h3 dfn-type=dfn>Trigger verification metadata</h3>

A trigger verification metadata is a [=struct=] with the following items:

<dl dfn-for="trigger verification metadata">
: <dfn>pretokens</dfn>
:: A [=byte sequence=].
: <dfn>IDs</dfn>
:: A [=list=] of [=string=] generated using [=generating a random UUID=].

</dl>

<h3 dfn-type=dfn>Triggering result</h3>

A <dfn>triggering status</dfn> is one of the following:

<ul dfn-for="triggering status">
<li>"<dfn><code>dropped</code></dfn>"
<li>"<dfn><code>noised</code></dfn>"
<li>"<dfn><code>attributed</code></dfn>"
</ul>

Note: "<code>[=triggering status/noised=]</code>" only applies for [=triggering event-level attribution=] when it is attributed
successfully but dropped as the noise was applied to the source.

A <dfn>trigger debug data</dfn> is [=tuple=] with the following items:

<dl dfn-for="trigger debug data">
: <dfn>data type</dfn>
:: A [=trigger debug data type=].
: <dfn>report</dfn>
:: Null or an [=attribution report=].

</dl>

A triggering result is a [=tuple=] with the following items:

<dl dfn-for="triggering result">
: <dfn>status</dfn>
:: A [=triggering status=].
: <dfn>debug data</dfn>
:: Null or a [=trigger debug data=].

</dl>

<h3 dfn-type=dfn>Destination rate-limit result</h3>

A destination rate-limit result is one of the following:

<ul dfn-for="destination rate-limit result">
<li>"<dfn><code>allowed</code></dfn>"
<li>"<dfn><code>hit global limit</code></dfn>"
<li>"<dfn><code>hit reporting limit</code></dfn>"
</ul>

# Storage # {#storage}

A user agent holds an <dfn>attribution source cache</dfn>, which is a [=set=] of [=attribution sources=].

A user agent holds an <dfn>event-level report cache</dfn>, which is a [=set=] of [=event-level reports=].

A user agent holds an <dfn>aggregatable attribution report cache</dfn>, which is a [=set=] of [=aggregatable attribution reports=].

A user agent holds an <dfn>attribution rate-limit cache</dfn>, which is a [=set=] of [=attribution rate-limit records=].

A user agent holds an <dfn>aggregatable debug rate-limit cache</dfn>, which is a [=set=] of [=aggregatable debug rate-limit records=].

The above caches are collectively known as the <dfn>attribution caches</dfn>. The [=attribution caches=] are
shared among all [=environment settings objects=].

Note: This would ideally use <a spec=storage>storage bottles</a> to provide access to the attribution caches.
However attribution data is inherently cross-site, and operations on storage would need to span across all storage bottle maps.

# Constants # {#constants}

<dfn>Valid source expiry range</dfn> is a 2-tuple of positive [=durations=] that controls the
minimum and maximum value that can be used as an [=attribution source/expiry=], respectively.
Its value is (1 day, 30 days).

<dfn>Min report window</dfn> is a positive [=duration=] that controls the
minimum [=duration from=] an [=attribution source's=] [=attribution source/source time=]
and any [=report window/end=] in [=attribution source/aggregatable report window=] or
[=trigger spec/event-level report windows=].
Its value is 1 hour.

<dfn>Max entries per filter data</dfn> is a positive integer that controls the
maximum [=map/size=] of an [=attribution source=]'s [=attribution source/filter data=].
Its value is 50.

<dfn>Max values per filter data entry</dfn> is a positive integer that
controls the maximum [=set/size=] of each [=map/value=] of an
[=attribution source=]'s [=attribution source/filter data=]. Its value is 50.

<dfn>Max length per filter string</dfn> is a positive integer that controls the
maximum [=string/length=] of an [=attribution source=]'s [=attribution source/filter data=]'s
[=map/keys=] and its [=map/values=]'s [=set/items=].
Its value is 25.

<dfn>Attribution rate-limit window</dfn> is a positive [=duration=] that
controls the rate-limiting window for attribution. Its value is 30 days.

<dfn>Max destinations per source</dfn> is a positive integer that controls the
maximum [=set/size=] of an [=attribution source=]'s
[=attribution source/attribution destinations=]. Its value is 3.

<dfn>Max settable event-level attributions per source</dfn> is a positive integer that
controls the maximum value of [=attribution source/max number of event-level reports=].
Its value is 20.

<dfn>Max settable event-level report windows</dfn> is a positive integer that
controls the maximum [=list/size=] of [=trigger spec/event-level report windows=].
Its value is 5.

<dfn>Default event-level attributions per source</dfn> is a [=map=] that
controls how many times a single [=attribution source=] can create an [=event-level report=] by default.
Its value is «[ [=source type/navigation=] → 3, [=source type/event=] → 1 ]».

<dfn>Allowed aggregatable budget per source</dfn> is a positive integer that controls the total
[=aggregatable report/required aggregatable budget=] of all [=aggregatable reports=]
created for an [=attribution source=]. Its value is 65536.

<dfn>Max aggregation keys per source registration</dfn> is a positive integer that
controls the maximum [=map/size=] of an [=attribution source=]'s
[=attribution source/aggregation keys=]. Its value is 20.

<dfn>Max length per aggregation key identifier</dfn> is a positive integer that controls
the maximum [=string/length=] of an [=attribution source=]'s [=attribution source/aggregation keys=]'s
[=map/keys=], an [=attribution trigger=]'s [=attribution trigger/aggregatable values configurations=]'s [=list/item=]'s
[=aggregatable values configuration/values=]'s [=map/keys=], and an [=aggregatable trigger data=]'s
[=aggregatable trigger data/source keys=]'s [=set/items=]. Its value is 25.

<dfn>Default trigger data cardinality</dfn> is a [=map=] that
controls the valid range of [=event-level trigger configuration/trigger data=].
Its value is «[=source type/navigation=] → 8, [=source type/event=] → 2».

<dfn>Max distinct trigger data per source</dfn> is a positive integer that
controls the maximum [=map/size=] of a [=trigger spec map=] for an
[=attribution source=]. Its value is 32.

<dfn>Max length per trigger context ID</dfn> is a positive integer that controls
the maximum [=string/length=] of an [=attribution trigger=]'s [=attribution trigger/trigger context ID=].
Its value is 64.

<dfn>Default filtering ID value</dfn> is a non-negative integer. Its value is 0.
It is the default value for flexible contribution filtering of [=aggregatable reports=].

<dfn>Default filtering ID max bytes</dfn> is a positive integer that controls the
max bytes used if none is explicitly chosen. Its value is 1. The max bytes value
limits the size of filtering IDs within an [=aggregatable attribution report=].

<dfn>Valid filtering ID max bytes range</dfn> is a [=set=] of positive integers
that controls the allowable values of max bytes. Its value is [=the inclusive
range|the range=] 1 to 8, inclusive.

<dfn>Max contributions per aggregatable debug report</dfn> is a positive
integer that controls the maximum [=list/size=] of an [=aggregatable debug report=]'s
[=aggregatable debug report/contributions=]. Its value is 2.

<dfn>Aggregatable debug rate-limit window</dfn> is a positive [=duration=] that
controls the rate-limiting window for aggregatable debug reporting. Its value is
1 day.

<dfn>Max aggregatable debug budget per rate-limit window</dfn> is a [=tuple=]
consisting of two positive integers. The first controls the total [=aggregatable debug report/required aggregatable budget=]
of all [=aggregatable debug reports=] with a given [=aggregatable debug rate-limit record/context site=]
per [=aggregatable debug rate-limit window=]. The second controls the total
[=aggregatable debug report/required aggregatable budget=] of all [=aggregatable debug reports=]
with a given ([=aggregatable debug rate-limit record/context site=], [=aggregatable debug rate-limit record/reporting site=])
per [=aggregatable debug rate-limit window=]. Its value is (2<sup>20</sup>, 65536).

# Vendor-Specific Values # {#vendor-specific-values}

<dfn>Max pending sources per source origin</dfn> is a positive integer that
controls how many [=attribution sources=] can be in the
[=attribution source cache=] per [=attribution source/source origin=].

<dfn>Max settable event-level epsilon</dfn> is a non-negative double that
controls the default and maximum values that a source registration can specify
for the epsilon parameter used by [=compute the channel capacity of a source=]
and [=obtain a randomized source response=].

<dfn>Max trigger-state cardinality</dfn> is a positive integer that controls the maximum [=set/size=] of [=obtain a set of possible trigger states|the set of possible trigger states=] for any one [=attribution source=].

<dfn>Randomized null attribution report rate excluding source registration time</dfn> is a
double between 0 and 1 (both inclusive) that controls the randomized number of null attribution reports
generated for an [=attribution trigger=] whose [=attribution trigger/aggregatable source registration time configuration=]
is "<code>[=aggregatable source registration time configuration/exclude=]</code>". If [=automation local testing mode=] is true,
this is 0.

<dfn>Randomized null attribution report rate including source registration time</dfn> is a
double between 0 and 1 (both inclusive) that controls the randomized number of null attribution reports
generated for an [=attribution trigger=] whose [=attribution trigger/aggregatable source registration time configuration=]
is "<code>[=aggregatable source registration time configuration/include=]</code>". If [=automation local testing mode=] is true,
this is 0.

<dfn>Max event-level reports per attribution destination</dfn> is a positive integer that
controls how many [=event-level reports=] can be in the
[=event-level report cache=] per [=site=] in
[=event-level report/attribution destinations=].

<dfn>Max aggregatable attribution reports per attribution destination</dfn> is a positive integer that controls how
many [=aggregatable attribution reports=] can be in the [=aggregatable attribution report cache=] per
[=aggregatable attribution report/effective attribution destination=].

<dfn>Max event-level channel capacity per source</dfn> is a [=map=] that
controls how many bits of information can be exposed associated with a single [=attribution source=].
The keys are «[=source type/navigation=], [=source type/event=]». The values are non-negative doubles.

<dfn>Max aggregatable reports per source</dfn> is a [=tuple=] consisting of two
positive integers. The first controls how many [=aggregatable attribution reports=]
can be created by [=attribution triggers=] attributed to a single [=attribution source=].
The second controls how many [=aggregatable debug reports=] can be created for an [=attribution source=].

<dfn>Max destinations covered by unexpired sources</dfn> is a positive
integer that controls the maximum number of distinct [=sites=] across all [=attribution source/attribution destinations=]
for unexpired [=attribution sources=] with a given ([=attribution source/source site=], [=attribution source/reporting origin=] [=site=]).

<dfn>Destination rate-limit window</dfn> is a positive [=duration=] that
controls the rate-limiting window for destinations.

<dfn>Max destinations per rate-limit window</dfn> is a [=tuple=] consisting of two integers. The first
controls the maximum number of distinct [=sites=] across all [=attribution source/attribution destinations=]
for [=attribution sources=] with a given [=attribution source/source site=] per [=destination rate-limit window=].
The second controls the maximum number of distinct [=sites=] across all [=attribution source/attribution destinations=]
for [=attribution sources=] with a given ([=attribution source/source site=], [=attribution source/reporting origin=] [=site=])
per [=destination rate-limit window=].

<dfn>Max destinations per source reporting site per day</dfn> is an integer that controls
the maximum number of distinct [=sites=] across all [=attribution source/attribution destinations=]
for [=attribution sources=] with a given ([=attribution source/source site=], [=attribution source/reporting origin=] [=site=])
per day.

<dfn>Max source reporting origins per rate-limit window</dfn> is a positive
integer that controls the maximum number of distinct
[=attribution source/reporting origin|reporting origins=] for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/attribution destination=]) that can create
[=attribution sources=] per [=attribution rate-limit window=].

<dfn>Max source reporting origins per source reporting site</dfn> is a positive
integer that controls the maximum number of distinct
[=attribution source/reporting origin|reporting origins=] for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/reporting origin=] [=site=]) that can create
[=attribution sources=] per [=origin rate-limit window=].

<dfn>Origin rate-limit window</dfn> is a positive [=duration=] that
controls the rate-limiting window for
[=max source reporting origins per source reporting site=].

<dfn>Max attribution reporting origins per rate-limit window</dfn> is a
positive integer that controls the maximum number of distinct
[=attribution trigger/reporting origin|reporting origins=] for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/attribution destination=]) that can create
[=event-level reports=] per [=attribution rate-limit window=].

<dfn>Max attributions per rate-limit window</dfn> is a positive integer that
controls the maximum number of attributions for a
([=attribution rate-limit record/source site=],
[=attribution rate-limit record/attribution destination=],
[=attribution rate-limit record/reporting origin=] [=site=]) per
[=attribution rate-limit window=]. This attribution limit is separate for event-level and aggregate reporting.

<dfn>Randomized aggregatable attribution report delay</dfn> is a positive [=duration=] that controls the
random delay to deliver an [=aggregatable attribution report=]. If [=automation local testing mode=] is true,
this is 0.

<dfn>Default aggregation coordinator</dfn> is the [=aggregation coordinator=] that controls how to
obtain the public key for encrypting an [=aggregatable report=] by default.

<dfn>Verification tokens per trigger</dfn> is a positive integer that controls the number of
encoded masked messages sent for signature when [=set trigger verification request headers|initiating trigger verification=]
and the maximum number of [=serialized private state tokens=] that can be attached to an [=attribution trigger=].

# General Algorithms # {#general-algorithms}

<h3 id="serialize-integer">Serialize an integer</h3>

To <dfn>serialize an integer</dfn>, represent it as a string of the shortest possible decimal number.

Issue: This would ideally be replaced by a more descriptive algorithm in Infra. See
<a href="https://github.com/whatwg/infra/issues/201">infra/201</a>

<h3 id="parsing-json-fields">Parsing JSON fields</h3>

Note: The "`Attribution-Reporting-Register-Source`" and
"`Attribution-Reporting-Register-Trigger`" response headers contain JSON-encoded
data, rather than [=structured header|structured values=],
because of limitations on nesting in the latter. The recursive
nature of JSON makes it more amenable to future extensions.

To <dfn>parse an optional 64-bit signed integer</dfn> given a [=map=] |map|, a
[=string=] |key|, and a possibly null 64-bit signed integer |default|:

1. If |map|[|key|] does not [=map/exists|exist=], return |default|.
1. If |map|[|key|] is not a [=string=], return an error.
1. Let |value| be the result of applying the
    <a spec="html">rules for parsing integers</a> to |map|[|key|].
1. If |value| is an error, return an error.
1. If |value| cannot be represented by a 64-bit signed integer, return an error.
1. Return |value|.

To <dfn>parse an optional 64-bit unsigned integer</dfn> given a [=map=] |map|,
a [=string=] |key|, and a possibly null 64-bit unsigned integer |default|:

1. If |map|[|key|] does not [=map/exists|exist=], return |default|.
1. If |map|[|key|] is not a [=string=], return an error.
1. Let |value| be the result of applying the
    <a spec="html">rules for parsing non-negative integers</a> to |map|[|key|].
1. If |value| is an error, return an error.
1. If |value| cannot be represented by a 64-bit unsigned integer, return an
    error.
1. Return |value|.

<h3 id="serialize-destinations">Serialize attribution destinations</h3>

To <dfn>serialize [=event-level report/attribution destinations=]</dfn> |destinations|, run the following steps:

1. [=Assert=]: |destinations| is not [=set/is empty|empty=].
1. [=Assert=]: |destinations| is [=list/sort in ascending order|sorted=] in
    ascending order, with |a| being less than |b| if |a|,
    <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>,
    is less than |b|, <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
1. Let |destinationStrings| be a [=list=].
1. [=list/iterate|For each=] |destination| in |destinations|:
    1. [=Assert=]: |destination| is not an [=opaque origin=].
    1. [=list/Append=] |destination| <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a> to |destinationStrings|.
1. If |destinationStrings|'s [=set/size=] is equal to 1, return |destinationStrings|[0].
1. Return |destinationStrings|.

Note: |destinations| is required to be sorted to avoid revealing extra
information about the original source registration, namely the order of the
"<code>[=source-registration JSON key/destination=]</code>" field in the
original JSON registration, which can be used to distinguish semantically
equivalent registrations.

To <dfn>check if a scheme is suitable</dfn> given a [=string=] |scheme|:

1. If |scheme| is "`http`" or "`https`", return true.
1. Return false.

To <dfn export>check if an origin is suitable</dfn> given an [=origin=] |origin|:

1. If |origin| is not a [=potentially trustworthy origin=], return false.
1. If |origin|'s [=origin/scheme=] is not
    [=check if a scheme is suitable|suitable=], return false.
1. Return true.

<h3 id="parsing-filter-data">Parsing filter data</h3>

To <dfn>parse filter values</dfn> given a |value|:

1. If |value| is not a [=map=], return null.
1. Let |result| be a new [=filter map=].
1. [=map/iterate|For each=] |filter| → |data| of |value|:
    1. If |filter| [=starts with=] "`_`", return null.
    1. If |data| is not a [=list=], return null.
    1. Let |set| be a new [=set=].
    1. [=list/iterate|For each=] |d| of |data|:
        1. If |d| is not a [=string=], return null.
        1. [=set/Append=] |d| to |set|.
    1. [=map/Set=] |result|[|filter|] to |set|.
1. Return |result|.

To <dfn>parse filter data</dfn> given a |value|:

1. Let |map| be the result of running [=parse filter values=] with |value|.
1. If |map| is null, return null.
1. If |map|'s [=map/size=] is greater than the [=max entries per filter data=],
    return null.
1. [=map/iterate|For each=] |filter| → |set| of |map|:
    1. If |filter|'s [=string/length=] is greater than the [=max length per filter string=],
        return null.
    1. If |set|'s [=set/size=] is greater than the
        [=max values per filter data entry=], return null.
    1. [=set/iterate|For each=] |s| of |set|:
        1. If |s|'s [=string/length=] is greater than the [=max length per filter string=],
            return null.
1. Return |map|.

To <dfn>parse filter config</dfn> given a |value|:

1. If |value| is not a [=map=], return null.
1. Let |lookbackWindow| be null.
1. If |value|["`_lookback_window`"] [=map/exists=]:
    1. If |value|["`_lookback_window`"] is not a positive integer, return null.
    1. Set |lookbackWindow| to the [=duration=] of |value|["`_lookback_window`"] seconds.
    1. [=map/Remove=] |value|["`_lookback_window`"].
1. Let |map| be the result of running [=parse filter values=] with |value|.
1. If |map| is null, return null.
1. Let |filter| be a [=filter config=] with the items:
    : [=filter config/map=]
    :: |map|
    : [=filter config/lookback window=]
    :: |lookbackWindow|
1. Return |filter|.

<h3 id="parsing-filters">Parsing filters</h3>

To <dfn>parse filters</dfn> given a |value|:

1. Let |filtersList| be a new [=list=].
1. If |value| is a [=map=], then:
    1. Let |filterConfig| be the result of running [=parse filter config=] with |value|.
    1. If |filterConfig| is null, return null.
    1. [=list/Append=] |filterConfig| to |filtersList|.
    1. Return |filtersList|.
1. If |value| is not a [=list=], return null.
1. [=list/iterate|For each=] |data| of |value|:
    1. Let |filterConfig| be the result of running [=parse filter config=] with |data|.
    1. If |filterConfig| is null, return null.
    1. [=list/Append=] |filterConfig| to |filtersList|.
1. Return |filtersList|.

To <dfn>parse a filter pair</dfn> given a [=map=] |map|:

1. Let |positive| be a [=list=] of [=filter configs=], initially empty.
1. If |map|["<code>[=trigger-registration JSON key/filters=]</code>"] [=map/exists=], set |positive| to the result of running
    [=parse filters=] with |map|["<code>[=trigger-registration JSON key/filters=]</code>"].
1. If |positive| is null, return null.
1. Let |negative| be a [=list=] of [=filter configs=], initially empty.
1. If |map|["<code>[=trigger-registration JSON key/not_filters=]</code>"] [=map/exists=], set |negative| to the result of
    running [=parse filters=] with |map|["<code>[=trigger-registration JSON key/not_filters=]</code>"].
1. If |negative| is null, return null.
1. Return the [=tuple=] (|positive|, |negative|).

<h3 id="parsing-aggregation-coordinator">Parsing aggregation coordinator</h3>

To <dfn>parse an aggregation coordinator</dfn> given |value|:

1. If |value| is not a [=string=], return null.
1. Let |url| be the result of running the [=URL parser=] on |value|.
1. If |url| is failure or null, return null.
1. If |url|'s [=url/origin=] is not an [=aggregation coordinator=], return null.
1. Return |url|'s [=url/origin=].

<h3 id="parsing-aggregatable-debug-reporting-config">Parsing aggregatable debug reporting config</h3>

An <dfn>aggregatable-debug-reporting JSON key</dfn> is one of the following:

<ul dfn-for="aggregatable-debug-reporting JSON key">
<li>"<dfn><code>aggregation_coordinator_origin</code></dfn>"
<li>"<dfn><code>debug_data</code></dfn>"
<li>"<dfn><code>key_piece</code></dfn>"
<li>"<dfn><code>types</code></dfn>"
<li>"<dfn><code>value</code></dfn>"
</ul>

To <dfn>parse aggregatable debug reporting data</dfn> given a |dataList|, a
positive integer |maxValue|, and a [=set=] of [=debug data types=]
|supportedTypes|:

1. [=Assert=]: |maxValue| is less than or equal to [=allowed aggregatable budget per source=].
1. If |dataList| is not a [=list=], return null.
1. Let |debugDataMap| be a new [=map=].
1. Let |unknownTypes| be a new [=set=].
1. Let |unspecifiedContribution| be null.
1. [=list/iterate|For each=] |data| of |dataList|:
    1. If |data| is not a [=map=], return null.
    1. If |data|["<code>[=aggregatable-debug-reporting JSON key/key_piece=]</code>"]
        does not [=map/exist=], return null.
    1. If |data|["<code>[=aggregatable-debug-reporting JSON key/key_piece=]</code>"]
        is not a [=string=], return null.
    1. Let |dataKeyPiece| be the result of running [=parse an aggregation key piece=]
        with |data|["<code>[=aggregatable-debug-reporting JSON key/key_piece=]</code>"].
    1. If |dataKeyPiece| is an error, return null.
    1. If |data|["<code>[=aggregatable-debug-reporting JSON key/value=]</code>"]
        does not [=map/exist=], return null.
    1. If |data|["<code>[=aggregatable-debug-reporting JSON key/value=]</code>"] is
        not an integer or is less than or equal to 0 or is greater than |maxValue|, return null.
    1. Let |contribution| be a new [=aggregatable contribution=] with the items:
        : [=aggregatable contribution/key=]
        :: |dataKeyPiece|
        : [=aggregatable contribution/value=]
        :: |data|["<code>[=aggregatable-debug-reporting JSON key/value=]</code>"]
        : [=aggregatable contribution/filtering ID=]
        :: [=default filtering ID value=]
    1. If |data|["<code>[=aggregatable-debug-reporting JSON key/types=]</code>"] does
        not [=map/exist=], return null.
    1. Let |dataTypes| be |data|["<code>[=aggregatable-debug-reporting JSON key/types=]</code>"].
    1. If |dataTypes| is not a [=list=] or [=list/is empty=], return null.
    1. [=list/iterate|For each=] |type| of |dataTypes|:
        1. If |type| is not a [=string=], return null.
        1. If |type| is "`unspecified`":
            1. If |unspecifiedContribution| is not null, return null.
            1. Set |unspecifiedContribution| to |contribution|.
            1. [=iteration/Continue=].
        1. If |supportedTypes| [=set/contains=] |type|:
            1. If |debugDataMap|[|type|] [=map/exists=], return null.
            1. [=map/Set=] |debugDataMap|[|type|] to |contribution|.
        1. Otherwise:
            1. If |unknownTypes| [=set/contains=] |type|, return null.
            1. [=set/Append=] |type| to |unknownTypes|.
1. If |unspecifiedContribution| is null, return |debugDataMap|.
1. [=set/iterate|For each=] |type| of |supportedTypes|:
    1. If |debugDataMap|[|type|] does not [=map/exist=], [=map/set=]
        |debugDataMap|[|type|] to |unspecifiedContribution|.
1. Return |debugDataMap|.

To <dfn>parse an aggregatable debug reporting config</dfn> given a [=map=] |map|, a
positive integer |maxValue|, a [=set=] of [=debug data types=] |supportedTypes|,
and an [=aggregatable debug reporting config=] |default|:

1. If |map|["<code>[=aggregatable-debug-reporting JSON key/key_piece=]</code>"] does not
    [=map/exist=], return |default|.
1. If |map|["<code>[=aggregatable-debug-reporting JSON key/key_piece=]</code>"] is not a
    [=string=], return |default|.
1. Let |keyPiece| be the result of running [=parse an aggregation key piece=]
    with |map|["<code>[=aggregatable-debug-reporting JSON key/key_piece=]</code>"].
1. If |keyPiece| is an error, return |default|.
1. Let |debugDataMap| be a new [=map=].
1. If |map|["<code>[=aggregatable-debug-reporting JSON key/debug_data=]</code>"] [=map/exists=]:
    1. Set |debugDataMap| to the result of running [=parse aggregatable debug reporting data=]
        with |map|["<code>[=aggregatable-debug-reporting JSON key/debug_data=]</code>"], |maxValue|,
        and |supportedTypes|.
    1. If |debugDataMap| is null, return |default|.
1. Let |aggregationCoordinator| be [=default aggregation coordinator=].
1. If |map|["<code>[=aggregatable-debug-reporting JSON key/aggregation_coordinator_origin=]</code>"]
    [=map/exists=]:
    1. Set |aggregationCoordinator| to the result of [=parsing an aggregation coordinator=].
    1. If |aggregationCoordinator| is null, return |default|.
1. Let |aggregatableDebugReportingConfig| be a new [=aggregatable debug reporting config=]
    with the items:
    : [=aggregatable debug reporting config/key piece=]
    :: |keyPiece|
    : [=aggregatable debug reporting config/debug data=]
    :: |debugDataMap|
    : [=aggregatable debug reporting config/aggregation coordinator=]
    :: |aggregationCoordinator|
1. Return |aggregatableDebugReportingConfig|.

Note: The parsing errors are intentionally ignored in this algorithm with |default|
returned to avoid data loss from the optional debug reporting feature.

<h3 id="getting-registration-info">Getting registration info</h3>

To <dfn>get registration info from a header list</dfn> given a
[=header list=] |headers|:

1. If |headers| does not [=header list/contain=] "`Attribution-Reporting-Info`", return null.
1. Let |map| be the result of
    [=header list/get a structured field value|getting=] "`Attribution-Reporting-Info`" from |headers|
    with a type of "`dictionary`".
1. If |map| is not a [=map=], return an error.
1. Let |preferredPlatform| be null.
1. If |map|["`preferred-platform`"] [=map/exists=]:
    1. Let |preferredPlatformValue| be |map|["`preferred-platform`"][0].
    1. If |preferredPlatformValue| is not a [=registrar=], return an error.
    1. Set |preferredPlatform| to |preferredPlatformValue|.
1. Let |reportHeaderErrors| be false.
1. If |map|["`report-header-errors`"] [=map/exists=]:
    1. Let |reportHeaderErrorsValue| be |map|["`report-header-errors`"][0].
    1. If |reportHeaderErrorsValue| is not a [=boolean=], return an error.
    1. Set |reportHeaderErrors| to |reportHeaderErrorsValue|.
1. Let |registrationInfo| be a new [=registration info=] struct whose items are:

    : [=registration info/preferred platform=]
    :: |preferredPlatform|
    : [=registration info/report header errors=]
    :: |reportHeaderErrors|
1. Return |registrationInfo|.

Issue: Require |preferredPlatformValue| to be a [=structured header/token=].

<h3 id="debug-keys">Cookie-based debugging</h3>

To <dfn>check if cookie-based debugging is allowed</dfn> given a
[=suitable origin=] |reportingOrigin| and a [=site=] |contextSite|:

1. [=Assert=]: |contextSite| is not an [=opaque origin=].
1. Let |domain| be the
    <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-canonicalized-host-names">canonicalized domain name</a>
    of |reportingOrigin|'s [=origin/host=].
1. Let |contextDomain| be the
    <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-canonicalized-host-names">canonicalized domain name</a>
    of |contextSite|'s [=scheme and host/host=].
1. If the User Agent's <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-cookie-policy">cookie policy</a>
    or <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-user controls">user controls</a>
    do not allow cookie access for |domain| on |contextDomain| within a <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-third-party-cookies">third-party context</a>,
    return <strong>blocked</strong>.
1. For each |cookie| of the user agent's <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-storage-model">cookie store</a>:
    1. If |cookie|'s name is not "`ar_debug`", [=iteration/continue=].
    1. If |cookie|'s http-only-flag is false, [=iteration/continue=].
    1. If |cookie|'s secure-flag is false, [=iteration/continue=].
    1. If |cookie|'s same-site-flag is not "`None`", [=iteration/continue=].
    1. If |cookie|'s host-only-flag is true and |domain| is not
        identical to |cookie|'s domain, [=iteration/continue=].
    1. If |cookie|'s host-only-flag is false and |domain| does not
        <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-domain-matching">domain-match</a>
        |cookie|'s domain, [=iteration/continue=].
    1. If "`/`" does not
        <a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-paths-and-path-match">path-match</a>
        |cookie|'s path, [=iteration/continue=].
    1. Return <strong>allowed</strong>.
1. Return <strong>blocked</strong>.

Issue: Ideally this would use the
<a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-retrieval-algorithm">cookie-retrieval algorithm</a>,
but it cannot: There is no way to consider *only* cookies whose http-only-flag
is true and whose same-site-flag is "`None`"; there is no way to prevent the
last-access-time from being modified; and the return value is a string that
would have to be further processed to check for the "`ar_debug`" cookie.

<h3 algorithm id="obtaining-context-origin">Obtaining context origin</h3>

To obtain the <dfn export for=node>context origin</dfn> of a [=node=] |node|, return |node|'s [=node navigable=]'s
[=navigable/top-level traversable=]'s [=navigable/active document=]'s [=origin=].

<h3 id="obtaining-randomized-response">Obtaining a randomized response</h3>

To <dfn>obtain a randomized response</dfn> given |trueValue|, a [=set=] |possibleValues|, and a
double |randomPickRate|:

1. [=Assert=]: |randomPickRate| is between 0 and 1 (both inclusive).
1. Let |r| be a random double between 0 (inclusive) and 1 (exclusive) with uniform probability.
1. If |r| is less than |randomPickRate|, return a random item from |possibleValues| with uniform
    probability.
1. Otherwise, return |trueValue|.

<h3 algorithm id="parsing-aggregation-key-piece">Parsing aggregation key piece</h3>

To <dfn>parse an aggregation key piece</dfn> given a [=string=] |input|, perform the following steps.
This algorithm will return either a non-negative 128-bit integer or an error.

1. If |input|'s [=string/code point length=] is not between 3 and 34 (both inclusive), return an error.
1. If the first character is not a U+0030 DIGIT ZERO (0), return an error.
1. If the second character is not a U+0058 LATIN CAPITAL LETTER X character (X) and not a
    U+0078 LATIN SMALL LETTER X character (x), return an error.
1. Let |value| be the [=code point substring=] from 2 to the end of |input|.
1. If the characters within |value| are not all [=ASCII hex digits=], return an error.
1. Interpret |value| as a hexadecimal number and return as a non-negative 128-bit integer.

<h3 dfn id="should-block-processing-for-reporting-origin-limit">Should processing be blocked by reporting-origin limit</h3>

Given an [=attribution rate-limit record=] |newRecord|:

1. Let |max| be [=max source reporting origins per rate-limit window=].
1. Let |scopeSet| be « "<code>[=rate-limit scope/source=]</code>" ».
1. If |newRecord|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/event-attribution=]</code>"
     or "<code>[=rate-limit scope/aggregatable-attribution=]</code>":
     1. Set |max| to [=max attribution reporting origins per rate-limit window=].
     1. Set |scopeSet| to « "<code>[=rate-limit scope/event-attribution=]</code>", "<code>[=rate-limit scope/aggregatable-attribution=]</code>" ».
1. Let |matchingRateLimitRecords| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |scopeSet| [=set/contains=] |record|'s [=attribution rate-limit record/scope=]
     * |record|'s [=attribution rate-limit record/source site=] and |newRecord|'s [=attribution rate-limit record/source site=] are equal
     * |record|'s [=attribution rate-limit record/attribution destination=] and |newRecord|'s [=attribution rate-limit record/attribution destination=] are equal
     * The [=duration from=] |record|'s [=attribution rate-limit record/time=] and |newRecord|'s [=attribution rate-limit record/time=] is <= [=attribution rate-limit window=]
1. Let |distinctReportingOrigins| be the [=set=] of all [=attribution rate-limit record/reporting origin=] in |matchingRateLimitRecords|,
    [=set/union|unioned=] with «|newRecord|'s [=attribution rate-limit record/reporting origin=]».
1. If |distinctReportingOrigins|'s [=set/size=] is greater than |max|, return <strong>blocked</strong>.
1. Return <strong>allowed</strong>.

<h3 dfn id="can-attribution-rate-limit-record-be-removed">Can attribution rate-limit record be removed</h3>

Given an [=attribution rate-limit record=] |record| and a [=moment=] |now|:
1. If the [=duration from=] |record|'s [=attribution rate-limit record|time=] and |now| is <= [=attribution rate-limit window=] , return false.
1. If |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/event-attribution=]</code>"
    or "<code>[=rate-limit scope/aggregatable-attribution=]</code>", return true.
1. If |record|'s [=attribution rate-limit record/expiry time=] is after |now|, return false.
1. Return true.

<h3 id="obtaining-and-delivering-verbose-debug-report">Obtaining and delivering a verbose debug report</h3>

To <dfn>obtain and deliver a verbose debug report</dfn> given a [=list=] of [=verbose debug data=] |data|,
a [=suitable origin=] |reportingOrigin|, and a [=boolean=] |fenced|:

1. If |fenced| is true, return.
1. Let |debugReport| be a [=verbose debug report=] with the items:
    : [=verbose debug report/data=]
    :: |data|
    : [=verbose debug report/reporting origin=]
    :: |reportingOrigin|
1. [=Queue a task=] to [=attempt to deliver a verbose debug report=] with |debugReport|.

<h3 id="making-a-background-attributionsrc-request">Making a background attributionsrc request</h3>

An <dfn export>eligibility</dfn> is one of the following:

<dl dfn-for="eligibility">
: "<dfn><code>unset</code></dfn>"
:: Depending on context, a [=attribution trigger|trigger=] may or may not be
    registered.
: "<dfn><code>empty</code></dfn>"
:: Neither a [=attribution source|source=] nor a
    [=attribution trigger|trigger=] may be registered.
: "<dfn><code>event-source</code></dfn>"
:: An [=source type/event=] [=attribution source|source=] may be registered.
: "<dfn><code>navigation-source</code></dfn>"
:: A [=source type/navigation=] [=attribution source|source=] may be registered.
: "<dfn><code>trigger</code></dfn>"
:: A [=attribution trigger|trigger=] may be registered.
: "<dfn><code>event-source-or-trigger</code></dfn>"
:: An [=source type/event=] [=attribution source|source=] or a
    [=attribution trigger|trigger=] may be registered.

</dl>

A <dfn>registrar</dfn> is one of the following:

<dl dfn-for="registrar">
: "<dfn><code>web</code></dfn>"
:: The user agent supports web registrations.
: "<dfn><code>os</code></dfn>"
:: The user agent supports OS registrations.

</dl>

To <dfn>validate a background attributionsrc eligibility</dfn> given an
[=eligibility=] |eligibility|:

1. [=Assert=]: |eligibility| is
    "<code>[=eligibility/navigation-source=]</code>" or
    "<code>[=eligibility/event-source-or-trigger=]</code>".

To <dfn>make a background attributionsrc request</dfn> given a [=URL=] |url|, an
[=origin=] |contextOrigin|, an [=eligibility=] |eligibility|, a [=boolean=] |fenced|,
a {{Document}} |document|, and a [=referrer policy=] |referrerPolicy|:

1. [=Validate a background attributionsrc eligibility|Validate=] |eligibility|.
1. If |url|'s [=url/origin=] is not [=check if an origin is suitable|suitable=],
    return.
1. If |contextOrigin| is not [=check if an origin is suitable|suitable=], return.
1. Let |context| be |document|'s [=relevant settings object=].
1. If |context| is not a [=secure context=], return.
1. If |document| is not [=allowed to use=] the "<code>{{PermissionPolicy/attribution-reporting}}</code>" feature, return.
1. Let |supportedRegistrars| be the result of [=getting supported registrars=].
1. If |supportedRegistrars| [=list/is empty=], return.
1. Let |request| be a new [=request=] with the following properties:
    :   [=request/method=]
    ::  "`GET`"
    :   [=request/URL=]
    ::  |url|
    :   [=request/keepalive=]
    ::  true
    :   [=request/Attribution Reporting eligibility=]
    ::  |eligibility|
    :   [=request/referrer policy=]
    ::  |referrerPolicy|
1. [=Fetch=] |request| with [=fetch/processResponse=] being
    [=process an attributionsrc response=] with |contextOrigin|, |eligibility|, |fenced|,
    and |request|'s [=request/trigger verification metadata=].

Issue: Audit other properties on |request| and set them properly.

Issue(839): Support header-processing on redirects. Due to <a href=https://fetch.spec.whatwg.org/#atomic-http-redirect-handling>atomic HTTP redirect handling</a>,
we cannot process registrations through integration with [=fetch=].

Issue: Check for transient activation with "<code>[=eligibility/navigation-source=]</code>".

To <dfn>make background attributionsrc requests</dfn> given an
{{HTMLAttributionSrcElementUtils}} |element|, an [=eligibility=] |eligibility|,
and a [=referrer policy=] |referrerPolicy|:

1. Let |attributionSrc| be |element|'s
    {{HTMLAttributionSrcElementUtils/attributionSrc}}.
1. Let |tokens| be the result of
    [=split a string on ASCII whitespace|splitting=] |attributionSrc| on ASCII
    whitespace.
1. [=list/iterate|For each=] |token| of |tokens|:
    1. <a spec="HTML" lt="parse a URL">Parse</a> |token|, relative to
        |element|'s [=Node/node document=]. If that is not successful,
        [=iteration/continue=]. Otherwise, let |url| be the resulting
        [=URL record=].
    1. Let |fenced| be true if |element|'s [=node navigable=] is a [=fenced navigable container/fenced navigable=], false otherwise.
    1. Run [=make a background attributionsrc request=] with |url|,
        |element|'s [=node/context origin=], |eligibility|, |fenced|,
        |element|'s [=Node/node document=], and |referrerPolicy|.

Issue: Consider allowing the user agent to limit the size of |tokens|.

To <dfn>process an attributionsrc response</dfn> given a [=suitable origin=] |contextOrigin|,
an [=eligibility=] |eligibility|, a [=boolean=] |fenced|, a possibly null [=trigger verification metadata=]
|triggerVerificationMetadata|, and a [=response=] |response|:

1. [=Validate a background attributionsrc eligibility|Validate=] |eligibility|.
1. Run [=process an attribution eligible response=] with |contextOrigin|,
    |eligibility|, |fenced|, |triggerVerificationMetadata|, and |response|.

To <dfn>get the registration platform</dfn> given a [=header value=] or null |webHeader|,
a [=header value=] or null |osHeader|, and a [=registrar=] or null |preferredPlatform|:

1. If |webHeader| and |osHeader| are both null, return null.
1. If |preferredPlatform| is null:
    1. If |webHeader| and |osHeader| are both not null, return null.
    1. If |webHeader| is not null and the user agent supports web registrations,
        return "<code>[=registrar/web=]</code>".
    1. If |osHeader| is not null and the user agent supports OS registrations,
        return "<code>[=registrar/os=]</code>".
    1. Return null.
1. If |preferredPlatform| is:
    <dl class="switch">
      : "<code>[=registrar/web=]</code>"
      ::
         1. If |webHeader| is null, return null.
         1. If the user agent supports web registrations, return "<code>[=registrar/web=]</code>".
         1. If |osHeader| is not null and the user agent supports OS registrations,
             return "<code>[=registrar/os=]</code>".
         1. Return null.

      : "<code>[=registrar/os=]</code>"
      ::
         1. If |osHeader| is null, return null.
         1. If the user agent supports OS registrations, return "<code>[=registrar/os=]</code>".
         1. If |webHeader| is not null and the user agent supports web registrations,
             return "<code>[=registrar/web=]</code>".
         1. Return null.

    </dl>

To <dfn>process an attribution source response</dfn> given a [=suitable origin=]
|contextOrigin|, a [=suitable origin=] |reportingOrigin|, a [=source type=]
|sourceType|, a [=header value=] or null |webSourceHeader|, a [=header value=]
or null |osSourceHeader|, a [=registration info=] |registrationInfo|, and a
[=boolean=] |fenced|:

1. Let |platform| be the result of [=get the registration platform=] with
    |webSourceHeader|, |osSourceHeader|, and |registrationInfo|'s
    [=registration info/preferred platform=].
1. If |platform| is null, return.
1. Let |reportHeaderErrors| be |registrationInfo|'s [=registration info/report header errors=].
1. If |platform| is:
    <dl class="switch">
    : "<code>[=registrar/web=]</code>"
    ::
        1. Let |source| be the result of running
            [=parse source-registration JSON=] with |webSourceHeader|,
            |contextOrigin|, |reportingOrigin|, |sourceType|, [=current wall time=], and |fenced|.
        1. If |source| is null:
            1. If |reportHeaderErrors| is true, run [=obtain and deliver debug reports on registration header errors=]
                with "`Attribution-Reporting-Register-Source`",
                |webSourceHeader|, |reportingOrigin|, |contextOrigin|, and |fenced|.
            1. Return.
        1. [=process an attribution source|Process=] |source|.
    : "<code>[=registrar/os=]</code>"
    ::
        1. Let |osSourceRegistrations| be the result of running
            [=get OS registrations from a header value=] with |osSourceHeader|.
        1. If |osSourceRegistrations| is null:
            1. If |reportHeaderErrors| is true, run [=obtain and deliver debug reports on registration header errors=]
                with "`Attribution-Reporting-Register-OS-Source`",
                |osSourceHeader|, |reportingOrigin|, |contextOrigin|, and |fenced|.
            1. Return.
        1. Process |osSourceRegistrations| according to an [=implementation-defined=] algorithm.
        1. Run [=obtain and deliver debug reports on OS registrations=] with
            "<code>[=OS debug data type/os-source-delegated=]</code>", |osSourceRegistrations|,
            |contextOrigin|, and |fenced|.

    </dl>

To <dfn>process an attribution trigger response</dfn> given a [=suitable origin=]
|contextOrigin|, a [=suitable origin=] |reportingOrigin|, a [=response=] |response|,
a possibly null [=trigger verification metadata=] |triggerVerificationMetadata|,
a [=header value=] or null |webTriggerHeader|, a [=header value=] or null
|osTriggerHeader|, a [=registration info=] |registrationInfo|, and a [=boolean=]
|fenced|:

1. Let |platform| be the result of [=get the registration platform=]
    with |webTriggerHeader|, |osTriggerHeader|, and |registrationInfo|'s
    [=registration info/preferred platform=].
1. If |platform| is null, return.
1. Let |reportHeaderErrors| be |registrationInfo|'s [=registration info/report header errors=].
1. If |platform| is:
    <dl class="switch">
    : "<code>[=registrar/web=]</code>"
    ::
        1. Let |destinationSite| be the result of [=obtaining a site=] from
            |contextOrigin|.
        1. Let |triggerVerifications| be the result of [=receiving trigger verification tokens=]
            with |response|'s [=response/URL=]'s [=url/origin=], |response|'s [=response/header list=],
            and |triggerVerificationMetadata|.
        1. Let |trigger| be the result of running
            [=create an attribution trigger=] with |webTriggerHeader|
            |destinationSite|, |reportingOrigin|, |triggerVerifications|, [=current wall time=], and |fenced|.
        1. If |trigger| is null:
            1. If |reportHeaderErrors| is true, run [=obtain and deliver debug reports on registration header errors=]
                with "`Attribution-Reporting-Register-Trigger`",
                |webTriggerHeader|, |reportingOrigin|, |contextOrigin|, and |fenced|.
            1. Return.
        1. [=Maybe defer and then complete trigger attribution=] with |trigger|.
    : "<code>[=registrar/os=]</code>"
    ::
        1. Let |osTriggerRegistrations| be the result of running
            [=get OS registrations from a header value=] with |osTriggerHeader|.
        1. If |osTriggerRegistrations| is null:
            1. If |reportHeaderErrors| is true, run [=obtain and deliver debug reports on registration header errors=]
                with "`Attribution-Reporting-Register-OS-Trigger`",
                |osTriggerHeader|, |reportingOrigin|, |contextOrigin|, and |fenced|.
            1. Return.
        1. Process |osTriggerRegistrations| according to an [=implementation-defined=] algorithm.
        1. Run [=obtain and deliver debug reports on OS registrations=] with
            "<code>[=OS debug data type/os-trigger-delegated=]</code>", |osTriggerRegistrations|,
            |contextOrigin|, and |fenced|.

     </dl>

To <dfn export>process an attribution eligible response</dfn> given a [=suitable origin=]
|contextOrigin|, an [=eligibility=] |eligibility|, a [=boolean=] |fenced|,
a possibly null [=trigger verification metadata=] |triggerVerificationMetadata|, and a [=response=] |response|:

1. The user-agent MAY ignore the response; if so, return.

    Note: The user-agent may prevent attribution for a number of reasons, such as user opt-out. In these
    cases, it is preferred to abort the API flow at response time rather than at request time so this
    state is not immediately detectable. Attribution may also be blocked if the reporting origin is not
    <a href="https://github.com/privacysandbox/attestation">enrolled</a>.

1. [=Queue a task=] on the [=networking task source=] to proceed with the following steps.

    Note: This algorithm can be invoked from while [=in parallel=].

1. [=Assert=]: |eligibility| is
    "<code>[=eligibility/navigation-source=]</code>" or
    "<code>[=eligibility/event-source=]</code>" or
    "<code>[=eligibility/event-source-or-trigger=]</code>".
1. Let |reportingOrigin| be |response|'s [=response/URL=]'s [=url/origin=].
1. If |reportingOrigin| is not [=check if an origin is suitable|suitable=], return.
1. Let |sourceHeader| be the result of [=header list/get|getting=]
    "`Attribution-Reporting-Register-Source`" from |response|'s
    [=response/header list=].
1. Let |triggerHeader| be the result of [=header list/get|getting=]
    "`Attribution-Reporting-Register-Trigger`" from |response|'s
    [=response/header list=].
1. Let |osSourceHeader| be the result of [=header list/get|getting=]
    "`Attribution-Reporting-Register-OS-Source`" from |response|'s
    [=response/header list=].
1. Let |osTriggerHeader| be the result of [=header list/get|getting=]
    "`Attribution-Reporting-Register-OS-Trigger`" from |response|'s
    [=response/header list=].
1. Let |registrationInfo| be the result of
    [=get registration info from a header list|getting registration info=]
    from |response|'s [=response/header list=].
1. If |registrationInfo| is an error, return.
1. If |eligibility| is:
    <dl class="switch">
    : "<code>[=eligibility/navigation-source=]</code>"
    : "<code>[=eligibility/event-source=]</code>"
    :: Run the following steps:
        1. Let |sourceType| be "<code>[=source type/navigation=]</code>".
        1. If |eligibility| is "<code>[=eligibility/event-source=]</code>",
            set |sourceType| to "<code>[=source type/event=]</code>".
        1. Run [=process an attribution source response=] with |contextOrigin|,
            |reportingOrigin|, |sourceType|, |sourceHeader|,
            |osSourceHeader|, and |registrationInfo|.
    : "<code>[=eligibility/event-source-or-trigger=]</code>"
    :: Run the following steps:
        1. Let |hasSourceRegistration| be false.
        1. If |sourceHeader| or |osSourceHeader| is not null, set
            |hasSourceRegistration| to true.
        1. Let |hasTriggerRegistration| be false.
        1. If |triggerHeader| or |osTriggerHeader| is not null, set
            |hasTriggerRegistration| to true.
        1. If both |hasSourceRegistration| and |hasTriggerRegistration| are true,
            return.
        1. If |hasSourceRegistration| is true:
            1. Run [=process an attribution source response=]
                with |contextOrigin|, |reportingOrigin|, "<code>[=source type/event=]</code>",
                |sourceHeader|, |osSourceHeader|, |registrationInfo|, and |fenced|.
        1. If |hasTriggerRegistration| is true:
            1. Run [=process an attribution trigger response=]
                with |contextOrigin|, |reportingOrigin|, |response|, |triggerVerificationMetadata|, |triggerHeader|,
                |osTriggerHeader|, |registrationInfo|, and |fenced|.

    </dl>

To <dfn>obtain and deliver debug reports on registration header errors</dfn>
given a [=header name=] |headerName|, a [=header value=] |headerValue|, a
[=suitable origin=] |reportingOrigin|, a [=suitable origin=] |contextOrigin|,
and a [=boolean=] |fenced|:

1. Let |contextSite| be the result of [=obtaining a site=] from |contextOrigin|.
1. Let |body| be a new [=map=] with the following key/value pairs:
    : "`context_site`"
    :: |contextSite|, <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
    : "`header`"
    :: |headerName|.
    : "`value`"
    :: |headerValue|.
1. Let |data| be a new [=verbose debug data=] with the items:
    : [=verbose debug data/data type=]
    :: "<code>[=header errors debug data type/header-parsing-error=]</code>"
    : [=verbose debug data/body=]
    :: |body|
1. Run [=obtain and deliver a verbose debug report=] with « |data| », |reportingOrigin|, and |fenced|.

Note: The user agent may optionally include error details of any type in |body|["`error`"].

<h3 id="attribution-debugging">Attribution debugging</h3>

To <dfn>check if attribution debugging can be enabled</dfn> given an [=attribution debug info=] |debugInfo|:

1. If |debugInfo|'s [=attribution debug info/source debug key=] is null,
    return false.
1. If |debugInfo|'s [=attribution debug info/trigger debug key=] is null,
    return false.
1. Return true.

To <dfn>serialize an attribution debug info</dfn> given a [=map=] |data| and an
[=attribution debug info=] |debugInfo|:

1. If |debugInfo|'s [=attribution debug info/source debug key=] is not null, [=map/set=]
    |data|["`source_debug_key`"] to |debugInfo|'s [=attribution debug info/source debug key=],
    [=serialize an integer|serialized=].
1. If |debugInfo|'s [=attribution debug info/trigger debug key=] is not null, [=map/set=]
    |data|["`trigger_debug_key`"] to |report|'s [=attribution debug info/trigger debug key=],
    [=serialize an integer|serialized=].

<h3 id="obtaining-and-delivering-aggregatable-debug-report">Obtaining and delivering an aggregatable debug report</h3>

To <dfn>check if aggregatable debug reporting should be blocked by rate-limit</dfn>
given an [=aggregatable debug rate-limit record=] |newRecord|:

1. Let |matchingRecords| be all [=aggregatable debug rate-limit records=]
    |record| of [=aggregatable debug rate-limit cache=] where all of the following
    are true:
    * |record|'s [=aggregatable debug rate-limit record/context site=] and |newRecord|'s [=aggregatable debug rate-limit record/context site=] are equal
    * The [=duration from=] |record|'s [=aggregatable debug rate-limit record/time=] and |newRecord|'s [=aggregatable debug rate-limit record/time=] is <= [=aggregatable debug rate-limit window=]
1. Let |totalBudget| be |newRecord|'s [=aggregatable debug rate-limit record/consumed budget=].
1. Let |totalSameReportingBudget| be |totalBudget|.
1. [=set/iterate|For each=] |record| of |matchingRecords|:
    1. Increment |totalBudget| value by |record|'s [=aggregatable debug rate-limit record/consumed budget=].
    1. If |record|'s [=aggregatable debug rate-limit record/reporting site=] and
        |newRecord|'s [=aggregatable debug rate-limit record/reporting site=] are equal,
        increment |totalSameReportingBudget| by |record|'s [=aggregatable debug rate-limit record/consumed budget=].
1. If |totalBudget| is greater than [=max aggregatable debug budget per rate-limit window=][0],
    return <strong>blocked</strong>.
1. If |totalSameReportingBudget| is greater than [=max aggregatable debug budget per rate-limit window=][1],
    return <strong>blocked</strong>.
1. Return <strong>allowed</strong>.

To <dfn>obtain and deliver an aggregatable debug report</dfn> given a [=list=]
of [=aggregatable contributions=] |contributions|,
a [=suitable origin=] |reportingOrigin|, a [=site=] |effectiveDestination|,
an [=aggregation coordinator=] |aggregationCoordinator|, and a [=moment=] |now|:

1. [=Assert=]: |effectiveDestination| is not an [=opaque origin=].
1. Let |report| be a new [=aggregatable debug report=] with the items:
    : [=aggregatable debug report/reporting origin=]
    :: |reportingOrigin|
    : [=aggregatable debug report/effective attribution destination=]
    :: |effectiveDestination|
    : [=aggregatable debug report/report time=]
    :: |now|
    : [=aggregatable debug report/report ID=]
    :: The result of [=generating a random UUID=]
    : [=aggregatable debug report/contributions=]
    :: |contributions|
    : [=aggregatable debug report/aggregation coordinator=]
    :: |aggregationCoordinator|

1. [=Queue a task=] to [=attempt to deliver an aggregatable debug report=] with |report|.

To <dfn>obtain and deliver an aggregatable debug report on registration</dfn> given a [=list=] |contributions|,
a [=site=] |contextSite|, an [=origin=] |reportingOrigin|, a possibly null
[=attribution source=] |source|, a [=site=] |effectiveDestination|,
an [=aggregation coordinator=] |aggregationCoordinator|, and a [=moment=] |now|:

1. If |contributions| [=list/is empty=]:
    1. Run [=obtain and deliver an aggregatable debug report=]
        with «», |contextSite|, |reportingOrigin|, |effectiveDestination|,
        |aggregationCoordinator|, and |now|.
    1. Return.
1. Let |remainingBudget| be [=allowed aggregatable budget per source=].
1. Let |numReports| be 0.
1. If |source| is not null:
    1. Set |remainingBudget| to |source|'s [=attribution source/remaining aggregatable debug budget=].
    1. Set |numReports| to |source|'s [=attribution source/number of aggregatable debug reports=].
1. Let |requiredBudget| be the total [=aggregatable contribution/value=] of |contributions|.
1. If |requiredBudget| is greater than |remainingBudget|:
    1. Run [=obtain and deliver an aggregatable debug report=] with «»,
        |reportingOrigin|, |effectiveDestination|, |aggregationCoordinator|, and |now|.
    1. Return.
1. If |numReports| is equal to [=max aggregatable reports per source=][1]:
    1. Run [=obtain and deliver an aggregatable debug report=] with «»,
        |reportingOrigin|, |effectiveDestination|, |aggregationCoordinator|, and |now|.
    1. Return.
1. Let |rateLimitRecord| be a new [=aggregatable debug rate-limit record=] with the items:
    : [=aggregatable debug rate-limit record/context site=]
    :: |contextSite|
    : [=aggregatable debug rate-limit record/reporting site=]
    :: The result of [=obtaining a site=] from |reportingOrigin|
    : [=aggregatable debug rate-limit record/time=]
    :: |now|
    : [=aggregatable debug rate-limit record/consumed budget=]
    :: |requiredBudget|
1. If the result of running [=check if aggregatable debug reporting should be blocked by rate-limit=]
    with |rateLimitRecord| is <strong>blocked</strong>:
    1. Run [=obtain and deliver an aggregatable debug report=] with «»,
        |reportingOrigin|, |effectiveDestination|, |aggregationCoordinator|, and |now|.
    1. Return.
1. Run [=obtain and deliver an aggregatable debug report=] with |contributions|,
    |reportingOrigin|, |effectiveDestination|, |aggregationCoordinator|, and |now|.
1. If |source| is not null:
    1. Decrement |source|'s [=attribution source/remaining aggregatable debug budget=]
        value by |requiredBudget|.
    1. Increment |source|'s [=attribution source/number of aggregatable debug reports=]
        value by 1.
1. [=set/Append=]  |rateLimitRecord| to the [=aggregatable debug rate-limit cache=].
1. [=set/Remove=] all [=aggregatable debug rate-limit records=] |entry| from the
    [=aggregatable debug rate-limit cache=] if the [=duration from=] |entry|'s
    [=aggregatable debug rate-limit record/time=] and |now| is > [=aggregatable debug rate-limit window=].

# Source Algorithms # {#source-algorithms}

<h3 algorithm id="obtaining-randomized-source-response">Obtaining a randomized source response</h3>

To <dfn>obtain a set of possible trigger states</dfn> given a [=randomized response output configuration=] |config|:
1. Let |possibleTriggerStates| be a new [=set=].
1. [=map/iterate|For each=] |triggerData| → |spec| of |config|'s [=randomized response output configuration/trigger specs=]:
    1. [=list/For each=] |reportWindow| of |spec|'s [=trigger spec/event-level report windows=]:
        1. Let |state| be a new [=trigger state=] with the items:
            : [=trigger state/trigger data=]
            :: |triggerData|
            : [=trigger state/report window=]
            :: |reportWindow|
        1. [=set/Append=] |state| to |possibleTriggerStates|.
1. Let |possibleValues| be a new [=set=].
1. [=set/iterate|For each=] integer |attributions| of [=the range=] 0 to |config|'s [=randomized response output configuration/max attributions per source=], inclusive:
    1. [=set/Append=] to |possibleValues| all distinct
        |attributions|-[=list/size=] combinations of |possibleTriggerStates|
        with repetition.
1. Return |possibleValues|.

To <dfn>obtain a randomized source response pick rate</dfn> given a [=randomized response output configuration=] |config| and a double |epsilon|:

1. Let |possibleValues| be the result of [=obtaining a set of possible trigger states=] with |config|.
1. Let |numPossibleValues| be the [=set/size=] of |possibleValues|.
1. Return |numPossibleValues| / (|numPossibleValues| - 1 + e<sup>|epsilon|</sup>).

To <dfn>obtain a randomized source response</dfn> given a [=randomized response output configuration=] |config| and a double |epsilon|:

1. Let |possibleValues| be the result of [=obtaining a set of possible trigger states=] with |config|.
1. Let |pickRate| be the result of [=obtaining a randomized source response pick rate=] with |config| and |epsilon|.
1. Return the result of [=obtaining a randomized response=] with null, |possibleValues|, and
    |pickRate|.

<h3 algorithm id="computing-channel-capacity">Computing channel capacity</h3>

To <dfn>compute the channel capacity of a source</dfn> given a [=randomized response output configuration=] |config| and a double |epsilon|:
1. Let |pickRate| be the [=obtain a randomized source response pick rate|randomized response pick rate=] with |config| and |epsilon|.
1. Let |states| be the [=obtain a set of possible trigger states|number of possible trigger states=] with |config|.
1. If |states| is 1, return 0.
1. If |states| is greater than the user agent's [=max trigger-state cardinality=], return an error.
1. Let |p| be |pickRate| * (|states| - 1) / |states|.
1. Return log2(|states|) - h(|p|) - |p| * log2(|states| - 1) where h is the binary entropy function [[BIN-ENT]].

Note: This algorithm computes the channel capacity [[CHAN]] of a q-ary symmetric channel [[Q-SC]].

<h3 algorithm id="parsing-source-registration">Parsing source-registration JSON</h3>

A <dfn>source-registration JSON key</dfn> is one of the following:

<ul dfn-for="source-registration JSON key">
<li>"<dfn><code>aggregatable_debug_reporting</code></dfn>"
<li>"<dfn><code>aggregatable_report_window</code></dfn>"
<li>"<dfn><code>aggregation_keys</code></dfn>"
<li>"<dfn><code>budget</code></dfn>"
<li>"<dfn><code>debug_key</code></dfn>"
<li>"<dfn><code>debug_reporting</code></dfn>"
<li>"<dfn><code>destination</code></dfn>"
<li>"<dfn><code>destination_limit_priority</code></dfn>"
<li>"<dfn><code>end_times</code></dfn>"
<li>"<dfn><code>event_level_epsilon</code></dfn>"
<li>"<dfn><code>event_report_window</code></dfn>"
<li>"<dfn><code>event_report_windows</code></dfn>"
<li>"<dfn><code>expiry</code></dfn>"
<li>"<dfn><code>filter_data</code></dfn>"
<li>"<dfn><code>max_event_level_reports</code></dfn>"
<li>"<dfn><code>priority</code></dfn>"
<li>"<dfn><code>source_event_id</code></dfn>"
<li>"<dfn><code>start_time</code></dfn>"
<li>"<dfn><code>summary_buckets</code></dfn>"
<li>"<dfn><code>summary_window_operator</code></dfn>"
<li>"<dfn><code>trigger_data</code></dfn>"
<li>"<dfn><code>trigger_data_matching</code></dfn>"
<li>"<dfn><code>trigger_specs</code></dfn>"
</ul>

To <dfn>parse an attribution destination</dfn> from a [=string=] |str|:
1. Let |url| be the result of running the [=URL parser=] on the value of
    the |str|.
1. If |url| is failure or null, return null.
1. If |url|'s [=url/origin=] is not [=check if an origin is suitable|suitable=],
    return null.
1. Return the result of [=obtain a site|obtaining a site=] from |url|'s
    [=url/origin=].

To <dfn>parse attribution destinations</dfn> from a [=map=] |map|:
1. If |map|["<code>[=source-registration JSON key/destination=]</code>"] does not [=map/exists|exist=], return null.
1. Let |val| be |map|["<code>[=source-registration JSON key/destination=]</code>"].
1. If |val| is a [=string=], set |val| to « |val| ».
1. If |val| is not a [=list=], return null.
1. Let |result| be a [=set=].
1. [=list/iterate|For each=] |value| of |val|:
    1. If |value| is not a [=string=], return null.
    1. Let |destination| be the result of [=parse an attribution destination=] with |value|.
    1. If |destination| is null, return null.
    1. [=set/Append=] |destination| to |result|.
1. If |result| [=set/is empty=] or its [=set/size=] is greater than the
    [=max destinations per source=], return null.
1. [=list/sort in ascending order|Sort=] |result| in ascending order, with |a|
    being less than |b| if |a|, <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>,
    is less than |b|, <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
1. Return |result|.

Note: Sorting |result| helps ensure that registrations with the same set of
destinations are equivalent, regardless of the order of sites in the
registration JSON.

To <dfn>parse a duration</dfn> given a [=map=] |map|, a [=string=] |key|, and a
tuple of [=durations=] (|clampStart|, |clampEnd|):

1. [=Assert=]: |clampStart| < |clampEnd|.
1. Let |seconds| be null.
1. If |map|[|key|] [=map/exists=] and is a non-negative integer, set |seconds| to |map|[|key|].
1. Otherwise, set |seconds| to the result of running
    [=parse an optional 64-bit unsigned integer=] with |map|, |key|, and null.
1. If |seconds| is an error, return an error.
1. If |seconds| is null, return |clampEnd|.
1. Let |duration| be the [=duration=] of |seconds| seconds.
1. If |duration| is less than |clampStart|, return |clampStart|.
1. If |duration| is greater than |clampEnd|, return |clampEnd|.
1. Return |duration|.

Issue: Consider rejecting out-of-bounds values instead of silently clamping.

To <dfn>parse aggregation keys</dfn> given a [=map=] |map|:

1. Let |aggregationKeys| be a new [=map=].
1. If |map|["<code>[=source-registration JSON key/aggregation_keys=]</code>"] does not [=map/exist=], return |aggregationKeys|.
1. Let |values| be |map|["<code>[=source-registration JSON key/aggregation_keys=]</code>"].
1. If |values| is not an [=map=], return null.
1. If |values|'s [=map/size=] is greater than the
    [=max aggregation keys per source registration=], return null.
1. [=map/iterate|For each=] |key| → |value| of |values|:
    1. If |key|'s [=string/length=] is greater than the [=max length per aggregation key identifier=],
        return null.
    1. If |value| is not a [=string=], return null.
    1. Let |keyPiece| be the result of running [=parse an aggregation key piece=] with |value|.
    1. If |keyPiece| is an error, return null.
    1. [=map/Set=] |aggregationKeys|[|key|] to |keyPiece|.
1. Return |aggregationKeys|.

To <dfn>obtain default effective windows</dfn> given a [=source type=] |sourceType|,
a [=moment=] |sourceTime|, and a [=duration=] |eventReportWindow|:

1. Let |deadlines| be «» if |sourceType| is "<code>[=source type/event=]</code>", else « 2 days, 7 days ».
1. [=list/Remove=] all elements in |deadlines| that are greater than or equal to |eventReportWindow|.
1. [=list/Append=] |eventReportWindow| to |deadlines|.
1. Let |lastEnd| be |sourceTime|.
1. Let |windows| be «».
1. [=list/iterate|For each=] |deadline| of |deadlines|:
    1. Let |window| be a new [=report window=] whose items are

        : [=report window/start=]
        :: |lastEnd|
        : [=report window/end=]
        :: |lastEnd| + |deadline|

    1. [=list/Append=] |window| to |windows|.
    1. Set |lastEnd| to |lastEnd| + |deadline|.
1. Return |windows|.

To <dfn>parse top-level report windows</dfn> given a [=map=] |map|, a [=moment=] |sourceTime|,
a [=source type=] |sourceType|, and a [=duration=] |expiry|:

1. If |map|["<code>[=source-registration JSON key/event_report_window=]</code>"] [=map/exists=] and
    |map|["<code>[=source-registration JSON key/event_report_windows=]</code>"] [=map/exists=], return an error.
1. If |map|["<code>[=source-registration JSON key/event_report_window=]</code>"] [=map/exists=]:
    1. Let |eventReportWindow| be the result of running [=parse a duration=]
        with |map|, "<code>[=source-registration JSON key/event_report_window=]</code>", and ([=min report window=], |expiry|).
    1. If |eventReportWindow| is an error, return |eventReportWindow|.
    1. Return the result of [=obtaining default effective windows=] given |sourceType|, |sourceTime|, and |eventReportWindow|.
1. If |map|["<code>[=source-registration JSON key/event_report_windows=]</code>"] does not [=map/exist=], return the result
    of [=obtaining default effective windows=] given |sourceType|, |sourceTime|,
    and |expiry|.
1. Return the result of [=parsing report windows=] with
    |map|["<code>[=source-registration JSON key/event_report_windows=]</code>"], |sourceTime|, and |expiry|.

To <dfn>parse report windows</dfn> given a |value|, a
[=moment=] |sourceTime|, and a [=duration=] |expiry|:

1. If |value| is not a [=map=], return an error.
1. Let |startDuration| be 0 seconds.
1. If |value|["<code>[=source-registration JSON key/start_time=]</code>"] [=map/exists=]:
    1. Let |start| be |value|["<code>[=source-registration JSON key/start_time=]</code>"].
    1. If |start| is not a non-negative integer, return an error.
    1. Set |startDuration| to |start| seconds.
    1. If |startDuration| is greater than |expiry|, return an error.
1. If |value|["<code>[=source-registration JSON key/end_times=]</code>"] does not [=map/exist=] or is not a [=list=], return an error.
1. Let |endDurations| be |value|["<code>[=source-registration JSON key/end_times=]</code>"].
1. If the [=list/size=] of |endDurations| is greater than [=max settable event-level report windows=], return an error.
1. If |endDurations| [=list/is empty=], return an error.
1. Let |windows| be a new [=list=].
1. [=list/iterate|For each=] |end| of |endDurations|:
    1. If |end| is not a positive integer, return an error.
    1. Let |endDuration| be |end| seconds.
    1. If |endDuration| is greater than |expiry|, set |endDuration| to |expiry|.
    1. If |endDuration| is less than [=min report window=], set |endDuration| to [=min report window=].
    1. If |endDuration| is less than or equal to |startDuration|, return an error.
    1. Let |window| be a new [=report window=] whose items are

        : [=report window/start=]
        :: |sourceTime| + |startDuration|
        : [=report window/end=]
        :: |sourceTime| + |endDuration|

    1. [=list/Append=] |window| to |windows|.
    1. Set |startDuration| to |endDuration|.
1. Return |windows|.

The user-agent has an associated boolean
<dfn>experimental Flexible Event support</dfn> (default false) that exposes
non-normative behavior described in the
<a href="https://github.com/WICG/attribution-reporting-api/blob/main/flexible_event_config.md">Flexible event-level configurations</a>
proposal.

To <dfn>parse summary window operator</dfn> given a [=map=] |map|:

1. Let |value| be "<code>[=summary window operator/count=]</code>".
1. If |map|["<code>[=source-registration JSON key/summary_window_operator=]</code>"] [=map/exists=]:
    1. If |map|["<code>[=source-registration JSON key/summary_window_operator=]</code>"] is not a [=string=], return an
        error.
    1. If |map|["<code>[=source-registration JSON key/summary_window_operator=]</code>"] is not a
        [=summary window operator=], return an error.
    1. Set |value| to |map|["<code>[=source-registration JSON key/summary_window_operator=]</code>"].
1. Return |value|.

To <dfn>parse summary buckets</dfn> given a [=map=] |map| and an integer |maxEventLevelReports|:

1. Let |values| be [=the inclusive range|the range=] 1 to
    |maxEventLevelReports|, inclusive.
1. If |map|["<code>[=source-registration JSON key/summary_buckets=]</code>"] [=map/exists=]:
    1. If |map|["<code>[=source-registration JSON key/summary_buckets=]</code>"] is not a [=list=], [=list/is empty=], or
        its [=list/size=] is greater than |maxEventLevelReports|, return an
        error.
    1. Set |values| to |map|["<code>[=source-registration JSON key/summary_buckets=]</code>"].
1. Let |prev| be 0.
1. Let |summaryBuckets| be a new [=list=].
1. [=list/iterate|For each=] |item| of |values|:
    1. If |item| is not an integer or cannot be represented by an unsigned
        32-bit integer, or is less than or equal to |prev|, return an error.
    1. Let |summaryBucket| be a new [=summary bucket=] whose items are

        : [=summary bucket/start=]
        :: |prev|
        : [=summary bucket/end=]
        :: |item| - 1

    1. [=list/Append=] |summaryBucket| to |summaryBuckets|.
    1. Set |prev| to |item|.
1. Return |summaryBuckets|.

To <dfn>parse trigger data into a trigger spec map</dfn> given a
|triggerDataList|, a [=trigger spec=] |spec|, a [=trigger spec map=]
|specs|, and a [=boolean=] |allowEmpty|:

1. If |triggerDataList| is not a [=list=] or its [=list/size=] is greater than
    [=max distinct trigger data per source=], return false.
1. If |allowEmpty| is false and |triggerDataList| [=list/is empty=], return
    false.
1. [=list/iterate|For each=] |triggerData| of |triggerDataList|:
    1. If |triggerData| is not an integer or cannot be represented by an
        unsigned 32-bit integer, or |specs|[|triggerData|] [=map/exists=],
        return false.
    1. [=map/Set=] |specs|[|triggerData|] to |spec|.
    1. If |specs|'s [=map/size=] is greater than
        [=max distinct trigger data per source=], return false.
1. Return true.

To <dfn>parse trigger specs</dfn> given a [=map=] |map|, a [=moment=]
|sourceTime|, a [=source type=] |sourceType|, a [=duration=] |expiry|, and a
[=trigger-data matching mode=] |matchingMode|:

1. Let |defaultReportWindows| be the result of
    [=parsing top-level report windows=] with |map|, |sourceTime|, |sourceType|,
    and |expiry|.
1. If |defaultReportWindows| is an error, return an error.
1. Let |specs| be a new [=trigger spec map=].
1. If [=experimental Flexible Event support=] is true and
    |map|["<code>[=source-registration JSON key/trigger_specs=]</code>"] [=map/exists=]:
    1. If |map|["<code>[=source-registration JSON key/trigger_data=]</code>"] [=map/exists=], return an error.
    1. If |map|["<code>[=source-registration JSON key/trigger_specs=]</code>"] is not a [=list=] or its
        [=list/size=] is greater than [=max distinct trigger data per source=],
        return an error.
    1. [=list/iterate|For each=] |item| of |map|["<code>[=source-registration JSON key/trigger_specs=]</code>"]:
        1. If |item| is not a [=map=], return an error.
        1. Let |spec| be a new [=trigger spec=] with the following items:
            : [=trigger spec/event-level report windows=]
            :: |defaultReportWindows|
        1. If |item|["<code>[=source-registration JSON key/event_report_windows=]</code>"] [=map/exists=]:
            1. Let |reportWindows| be the result of
                [=parsing report windows=] with |item|["<code>[=source-registration JSON key/event_report_windows=]</code>"],
                |sourceTime|, and |expiry|.
            1. If |reportWindows| is an error, return it.
            1. Set |spec|'s [=trigger spec/event-level report windows=] to
                |reportWindows|.
        1. If |item|["<code>[=source-registration JSON key/trigger_data=]</code>"] does not [=map/exist=], return an error.
        1. Let |allowEmpty| be false.
        1. If the result of running
            [=parse trigger data into a trigger spec map=] with
            |item|["<code>[=source-registration JSON key/trigger_data=]</code>"], |spec|, |specs|, and |allowEmpty| is
            false, return an error.
1. Otherwise:
    1. Let |spec| be a new [=trigger spec=] with the following items:
        : [=trigger spec/event-level report windows=]
        :: |defaultReportWindows|
    1. If |map|["<code>[=source-registration JSON key/trigger_data=]</code>"] [=map/exists=]:
        1. Let |allowEmpty| be true.
        1. If the result of running
            [=parse trigger data into a trigger spec map=] with
            |map|["<code>[=source-registration JSON key/trigger_data=]</code>"], |spec|, |specs|, and |allowEmpty| is false,
            return an error.
    1. Otherwise:
        1. [=set/iterate|For each=] integer |triggerData| of
            [=the exclusive range|the range=] 0 to
            [=default trigger data cardinality=][|sourceType|], exclusive:
            1. [=map/Set=] |specs|[|triggerData|] to |spec|.
1. If |matchingMode| is "<code>[=trigger-data matching mode/modulus=]</code>":
    1. Let |i| be 0.
    1. [=map/iterate|For each=] |triggerData| of |specs|'s [=map/get the keys|keys=]:
        1. If |triggerData| does not equal |i|, return an error.
        1. Set |i| to |i| + 1.
1. Return |specs|.

Issue: Invoke [=parse summary buckets=] and [=parse summary window operator=]
from this algorithm.

To <dfn>parse a source aggregatable debug reporting config</dfn> given |value|, a
non-negative integer |defaultBudget|, and an [=aggregatable debug reporting config=]
|defaultConfig|:

1. If |value| is not a [=map=], return the [=tuple=] (|defaultBudget|, |defaultConfig|).
1. If |value|["<code>[=source-registration JSON key/budget=]</code>"] does not
    [=map/exist=], return the [=tuple=] (|defaultBudget|, |defaultConfig|).
1. Let |budget| be |value|["<code>[=source-registration JSON key/budget=]</code>"].
1. If |budget| is not an integer or is less than or equal to 0 or is greater than
    [=allowed aggregatable budget per source=], return the [=tuple=] (|defaultBudget|, |defaultConfig|).
1. Let |supportedTypes| be the set of all [=source debug data types=].
1. Let |config| be the result of running [=parse an aggregatable debug reporting config=]
    with |value|, |budget|, |supportedTypes|, and |defaultConfig|.
1. Return the [=tuple=] (|budget|, |config|).

To <dfn noexport>parse source-registration JSON</dfn> given a [=byte sequence=]
|json|, a [=suitable origin=] |sourceOrigin|, a [=suitable origin=] |reportingOrigin|, a
[=source type=] |sourceType|, a [=moment=] |sourceTime|, and a [=boolean=] |fenced|:

1. Let |value| be the result of running
    [=parse JSON bytes to an Infra value=] with |json|.
1. If |value| is not a [=map=], return null.
1. Let |attributionDestinations| be the result of running
    [=parse attribution destinations=] with |value|.
1. If |attributionDestinations| is null, return null.
1. Let |sourceEventId| be the result of running
    [=parse an optional 64-bit unsigned integer=] with |value|,
    "<code>[=source-registration JSON key/source_event_id=]</code>", and 0.
1. If |sourceEventId| is an error, return null.
1. Let |expiry| be the result of running [=parse a duration=] with |value|,
    "<code>[=source-registration JSON key/expiry=]</code>", and [=valid source expiry range=].
1. If |expiry| is an error, return null.
1. If |sourceType| is "<code>[=source type/event=]</code>", round |expiry| away
    from zero to the nearest day (86400 seconds).
1. Let |priority| be the result of running
    [=parse an optional 64-bit signed integer=] with |value|, "<code>[=source-registration JSON key/priority=]</code>", and
    0.
1. If |priority| is an error, return null.
1. Let |destinationLimitPriority| be the result of running
    [=parse an optional 64-bit signed integer=] with |value|,
    "<code>[=source-registration JSON key/destination_limit_priority=]</code>", and 0.
1. If |destinationLimitPriority| is an error, return null.
1. Let |filterData| be a new [=filter map=].
1. If |value|["<code>[=source-registration JSON key/filter_data=]</code>"] [=map/exists=]:
    1. Set |filterData| to the result of running [=parse filter data=] with
        |value|["<code>[=source-registration JSON key/filter_data=]</code>"].
    1. If |filterData| is null, return null.
    1. If |filterData|["`source_type`"] [=map/exists=], return null.
1. [=map/Set=] |filterData|["`source_type`"] to « |sourceType| ».
1. Let |debugKey| be the result of running
    [=parse an optional 64-bit unsigned integer=] with |value|, "<code>[=source-registration JSON key/debug_key=]</code>",
    and null.
1. If |debugKey| is an error, set |debugKey| to null.
1. Let |debugCookieSet| be false.
1. Let |sourceSite| be the result of [=obtaining a site=] from |sourceOrigin|.
1. If the result of running [=check if cookie-based debugging is allowed=]
    with |reportingOrigin| and |sourceSite| is <strong>allowed</strong>, set |debugCookieSet| to true.
1. If |debugCookieSet| is false, set |debugKey| to null.
1. Let |aggregationKeys| be the result of running [=parse aggregation keys=] with |value|.
1. If |aggregationKeys| is null, return null.
1. Let |maxAttributionsPerSource| be [=default event-level attributions per source=][|sourceType|].
1. Set |maxAttributionsPerSource| to |value|["<code>[=source-registration JSON key/max_event_level_reports=]</code>"] if it [=map/exists=].
1. If |maxAttributionsPerSource| is not a non-negative integer, or is greater than [=max settable event-level attributions per source=], return null.
1. Let |aggregatableReportWindowEnd| be the result of running [=parse a duration=]
    with |value|, "<code>[=source-registration JSON key/aggregatable_report_window=]</code>", and ([=min report window=], |expiry|).
1. If |aggregatableReportWindowEnd| is an error, return null.
1. Let |debugReportingEnabled| be false.
1. If |value|["<code>[=source-registration JSON key/debug_reporting=]</code>"] [=map/exists=] and is a [=boolean=], set
    |debugReportingEnabled| to |value|["<code>[=source-registration JSON key/debug_reporting=]</code>"].
1. Let |aggregatableReportWindow| be a new [=report window=] with the following items:

    : [=report window/start=]
    :: |sourceTime|
    : [=report window/end=]
    :: |sourceTime| + |aggregatableReportWindowEnd|

1. Let |triggerDataMatchingMode| be "<code>[=trigger-data matching mode/modulus=]</code>".
1. If |value|["<code>[=source-registration JSON key/trigger_data_matching=]</code>"] [=map/exists=]:
    1. If |value|["<code>[=source-registration JSON key/trigger_data_matching=]</code>"] is not a [=string=], return null.
    1. If |value|["<code>[=source-registration JSON key/trigger_data_matching=]</code>"] is not a [=trigger-data matching mode=], return null.
    1. Set |triggerDataMatchingMode| to |value|["<code>[=source-registration JSON key/trigger_data_matching=]</code>"].
1. Let |triggerSpecs| be the result of [=parsing trigger specs=] with |value|,
    |sourceTime|, |sourceType|, |expiry|, and |triggerDataMatchingMode|.
1. If |triggerSpecs| is an error, return null.
1. Let |epsilon| be the user agent's [=max settable event-level epsilon=].
1. Set |epsilon| to |value|["<code>[=source-registration JSON key/event_level_epsilon=]</code>"] if it [=map/exists=]:
1. If |epsilon| is not a double, is less than 0, or is greater than the user agent's [=max settable event-level epsilon=], return null.
1. Let |aggregatableDebugBudget| be 0.
1. Let |aggregatableDebugReportingConfig| be a new [=aggregatable debug reporting config=].
1. If |value|["<code>[=source-registration JSON key/aggregatable_debug_reporting=]</code>"] [=map/exists=]:
    1. Let |aggregatableDebugReportingResult| be the result of running
        [=parse a source aggregatable debug reporting config=] with
        |value|["<code>[=source-registration JSON key/aggregatable_debug_reporting=]</code>"],
        |aggregatableDebugBudget|, and |aggregatableDebugReportingConfig|.
    1. Set |aggregatableDebugBudget| to |aggregatableDebugReportingResult|[0].
    1. Set |aggregatableDebugReportingConfig| to |aggregatableDebugReportingResult|[1].
1. Let |aggregatableAttributionBudget| be [=allowed aggregatable budget per source=] - |aggregatableDebugBudget|.
1. If [=automation local testing mode=] is true, set |epsilon| to `∞`.
1. Let |source| be a new [=attribution source=] struct whose items are:

    : [=attribution source/source identifier=]
    :: A new unique [=string=]
    : [=attribution source/source origin=]
    :: |sourceOrigin|
    : [=attribution source/event ID=]
    :: |sourceEventId|
    : [=attribution source/attribution destinations=]
    :: |attributionDestinations|
    : [=attribution source/reporting origin=]
    :: |reportingOrigin|
    : [=attribution source/expiry=]
    :: |expiry|
    : [=attribution source/trigger specs=]
    :: |triggerSpecs|
    : [=attribution source/aggregatable report window=]
    :: |aggregatableReportWindow|
    : [=attribution source/priority=]
    :: |priority|
    : [=attribution source/source time=]
    :: |sourceTime|
    : [=attribution source/source type=]
    :: |sourceType|
    : [=attribution source/number of event-level reports=]
    :: 0
    : [=attribution source/max number of event-level reports=]
    :: |maxAttributionsPerSource|
    : [=attribution source/event-level epsilon=]
    :: |epsilon|
    : [=attribution source/filter data=]
    :: |filterData|
    : [=attribution source/debug key=]
    :: |debugKey|
    : [=attribution source/aggregation keys=]
    :: |aggregationKeys|
    : [=attribution source/remaining aggregatable attribution budget=]
    :: |aggregatableAttributionBudget|
    : [=attribution source/debug reporting enabled=]
    :: |debugReportingEnabled|
    : [=attribution source/trigger-data matching mode=]
    :: |triggerDataMatchingMode|
    : [=attribution source/debug cookie set=]
    :: |debugCookieSet|
    : [=attribution source/fenced=]
    :: |fenced|
    : [=attribution source/remaining aggregatable debug budget=]
    :: |aggregatableDebugBudget|
    : [=attribution source/aggregatable debug reporting config=]
    :: |aggregatableDebugReportingConfig|
    : [=attribution source/destination limit priority=]
    :: |destinationLimitPriority|
1. Return |source|.

Issue: Determine proper charset-handling for the JSON header value.

<h3 id="processing-an-attribution-source">Processing an attribution source</h3>

To <dfn>check if an [=attribution source=] exceeds the time-based destination limits</dfn> given an
[=attribution source=] |source|, run the following steps:

1. Let |matchingSources| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/source=]</code>"
     * |record|'s [=attribution rate-limit record/source site=] and |source|'s [=attribution source/source site=] are equal
     * |record|'s [=attribution rate-limit record/expiry time=] is greater than |source|'s [=attribution source/source time=]
     * The [=duration from=] |record|'s [=attribution rate-limit record/time=] and |source|'s [=attribution source/source time=]
        is less than [=destination rate-limit window=]
1. Let |matchingSameReportingSources| be all the [=attribution rate-limit records|records=] in |matchingSources|
    whose associated [=attribution rate-limit record/reporting origin=] is [=same site=] with |source|'s
    [=attribution source/reporting origin=].
1. Let |destinations| be the [=set=] of every [=attribution rate-limit record/attribution destination=] in |matchingSources|,
    [=set/union|unioned=] with |source|'s [=attribution source/attribution destinations=].
1. Let |sameReportingDestinations| be the [=set=] of every [=attribution rate-limit record/attribution destination=] in |matchingSameReportingSources|,
    [=set/union|unioned=] with |source|'s [=attribution source/attribution destinations=].
1. Let |hitRateLimit| be whether |destinations|'s [=set/size=] is greater than [=max destinations per rate-limit window=][0].
1. Let |hitSameReportingRateLimit| be whether |sameReportingDestinations|'s [=set/size=] is greater than [=max destinations per rate-limit window=][1].
1. If (|hitRateLimit|, |hitSameReportingRateLimit|) is
    <dl class="switch">
    : (false, false)
    :: Return "<code>[=destination rate-limit result/allowed=]</code>".
    : (false, true)
    :: Return "<code>[=destination rate-limit result/hit reporting limit=]</code>".
    : (true, false)
    :: Return "<code>[=destination rate-limit result/hit global limit=]</code>".
    : (true, true)
    :: Return "<code>[=destination rate-limit result/hit reporting limit=]</code>".

    </dl>

Note: When both limits are hit, we interpret it as "<code>[=destination rate-limit result/hit reporting limit=]</code>"
for debug reporting.

To <dfn>check if an [=attribution source=] exceeds the per day destination limits</dfn>
given an [=attribution source=] |source|, run the following steps:

1. Let |matchingSources| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/source=]</code>"
     * |record|'s [=attribution rate-limit record/source site=] and |source|'s [=attribution source/source site=] are equal
     * |record|'s [=attribution rate-limit record/reporting origin=] is [=same site=] with
        |source|'s [=attribution source/reporting origin=]
     * |record|'s [=attribution rate-limit record/expiry time=] is greater than |source|'s [=attribution source/source time=]
     * The [=duration from=] |record|'s [=attribution rate-limit record/time=] and |source|'s [=attribution source/source time=]
        is less than 1 day
1. Let |destinations| be the [=set=] of all [=attribution rate-limit record/attribution destination=] in |matchingSources|,
    [=set/union|unioned=] with |source|'s [=attribution source/attribution destinations=].
1. Return whether |destinations|'s [=set/size=] is greater than [=max destinations per source reporting site per day=].

To <dfn>delete sources for unexpired destination limit</dfn> given a [=set=] of
[=attribution source/source identifiers=] |sourcesToDelete| and a [=moment=] |now|:

1. If |sourcesToDelete| [=set/is empty=], return.
1. [=set/iterate|For each=] [=attribution source=] |source| of the [=attribution source cache=]:
    1. [=set/Remove=] |source| from the [=attribution source cache=] if |sourcesToDelete|
        [=set/contains=] |source|'s [=attribution source/source identifier=].
1. Let |deletedEventLevelReports| be a new [=set=].
1. [=set/iterate|For each=] [=event-level report=] |report| of the [=event-level report cache=]:
    1. If |sourcesToDelete| [=set/contains=] |report|'s [=event-level report/source identifier=]
        and |report|'s [=event-level report/trigger time=] is greater than or equal to |now|:
        1. [=set/Append=] |report|'s [=event-level report/report ID=] to |deletedEventLevelReports|.
        1. [=set/Remove=] |report| from the [=event-level report cache=].

    Note: Leaking browsing history of destinations deactivated for unexpired
    destination limit from [=event-level reports=] whose [=event-level report/trigger time=]
    is earlier than |now| is mitigated by the presence of [=obtain a fake report|fake reports=].
    [=Event-level reports=] whose [=event-level report/trigger time=] is greater
    than or equal to |now| must be deleted to avoid exposing whether an
    [=attribution source=] has a [=attribution source/randomized response=].

1. Let |deletedAggregatableReports| be a new [=set=].
1. [=set/iterate|For each=] [=aggregatable attribution report=] |report| of the [=aggregatable attribution report cache=]:
    1. If |sourcesToDelete| [=set/contains=] |report|'s [=aggregatable attribution report/source identifier=]:
        1. [=set/Append=] |report|'s [=aggregatable attribution report/report ID=] to |deletedAggregatableReports|.
        1. [=set/Remove=] |report| from the [=aggregatable attribution report cache=].
1. [=set/iterate|For each=] [=attribution rate-limit record=] |record| of the [=attribution rate-limit cache=]:
    1. If |record|'s [=attribution rate-limit record/scope=] is:
        <dl class="switch">
        : "<code>[=rate-limit scope/source=]</code>"
        :: Set |record|'s [=attribution rate-limit record/deactivated for unexpired destination limit=] to
            true if |sourcesToDelete| [=set/contains=] |record|'s [=attribution rate-limit record/entity ID=].
        : "<code>[=rate-limit scope/event-attribution=]</code>"
        :: [=set/Remove=] |record| from the [=attribution rate-limit cache=] if
            |deletedEventLevelReports| [=set/contains=] |record|'s [=attribution rate-limit record/entity ID=].
        : "<code>[=rate-limit scope/aggregatable-attribution=]</code>"
        :: [=set/Remove=] |record| from the [=attribution rate-limit cache=] if
            |deletedAggregatableReports| [=set/contains=] |record|'s [=attribution rate-limit record/entity ID=].

        </dl>

A <dfn>destination limit record</dfn> is a [=struct=] with the following items:

<dl dfn-for="destination limit record">
: <dfn>attribution destination</dfn>
:: A [=site=].
: <dfn>priority</dfn>
:: A 64-bit integer.
: <dfn>time</dfn>
:: A [=moment=]
: <dfn>source identifier</dfn>
:: A [=string=].

</dl>

To <dfn>get sources to delete for the unexpired destination limit</dfn> given an
[=attribution source=] |source|, run the following steps:
1. Let |destinationRecords| be a new [=list=].
1. [=set/iterate|For each=] [=attribution rate-limit record=] |record| of the [=attribution rate-limit cache=]:
    1. If |record|'s [=attribution rate-limit record/scope=] is not "<code>[=rate-limit scope/source=]</code>", [=iteration/continue=].
    1. If |record|'s [=attribution rate-limit record/deactivated for unexpired destination limit=] is true, [=iteration/continue=].
    1. If |record|'s [=attribution rate-limit record/source site=] and |source|'s [=attribution source/source site=] are not equal, [=iteration/continue=].
    1. If |record|'s [=attribution rate-limit record/reporting origin=] and |source|'s [=attribution source/reporting origin=] are not [=same site=], [=iteration/continue=].
    1. If |record|'s [=attribution rate-limit record/expiry time=] is less than or equal to |source|'s [=attribution source/source time=], [=iteration/continue=].
    1. [=Assert=]: |record|'s [=attribution rate-limit record/destination limit priority=] is not null.
    1. [=Assert=]: |record|'s [=attribution rate-limit record/entity ID=] is not null.
    1. Let |destinationRecord| be a new [=destination limit record=] struct whose items are:

        : [=destination limit record/attribution destination=]
        :: |record|'s [=attribution rate-limit record/attribution destination=]
        : [=destination limit record/priority=]
        :: |record|'s [=attribution rate-limit record/destination limit priority=]
        : [=destination limit record/time=]
        :: |record|'s [=attribution rate-limit record/time=]
        : [=destination limit record/source identifier=]
        :: |record|'s [=attribution rate-limit record/entity ID=]

    1. [=list/Append=] |destinationRecord| to |destinationRecords|.
1. [=set/iterate|For each=] [=site=] |destination| of |source|'s [=attribution source/attribution destinations=]:
    1. Let |destinationRecord| be a new [=destination limit record=] struct whose items are:

        : [=destination limit record/attribution destination=]
        :: |destination|
        : [=destination limit record/priority=]
        :: |source|'s [=attribution source/destination limit priority=]
        : [=destination limit record/time=]
        :: |source|'s [=attribution source/source time=]
        : [=destination limit record/source identifier=]
        :: |record|'s [=attribution source/source identifier=]

    1. [=list/Append=] |destinationRecord| to |destinationRecords|.
1. [=list/sort in descending order|Sort=] |destinationRecords| in descending order, with |a| less than |b| if the following steps return true:
    1. If |a|'s [=destination limit record/priority=] is less than |b|'s [=destination limit record/priority=], return true.
    1. If |a|'s [=destination limit record/priority=] is greater than |b|'s [=destination limit record/priority=], return false.
    1. If |a|'s [=destination limit record/time=] is less than |b|'s [=destination limit record/time=], return true.
    1. If |a|'s [=destination limit record/time=] is greater than |b|'s [=destination limit record/time=], return false.
    1. If |a|'s <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>
        [=destination limit record/attribution destination=]
        is less than |b|'s <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>
        [=destination limit record/attribution destination=], return true.
    1. Return false.
1. Let |sourcesToDelete| be a new [=set=].
1. Let |newDestinations| be a new [=set=].
1. [=set/iterate|For each=] [=destination limit record=] |record| of |destinationRecords|:
    1. Let |destination| be |record|'s [=destination limit record/attribution destination=].
    1. If |newDestinations|'s [=set/size=] is less than the user agent's [=max destinations covered by unexpired sources=],
        [=set/append=] |destination| to |newDestinations|.
    1. Otherwise, if |newDestinations| does not [=set/contain=] |destination|:
        1. [=set/Append=] |record|'s [=destination limit record/source identifier=] to |sourcesToDelete|.
1. Return |sourcesToDelete|.

To <dfn>check if an [=attribution source=] should be blocked by reporting-origin per site limit</dfn> given an [=attribution source=] |source|:

1. Let |matchingRateLimitRecords| be all [=attribution rate-limit records=] |record| in the [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/source=]</code>"
     * |record|'s [=attribution rate-limit record/source site=] and |source|'s [=attribution source/source site=] are equal
     * The [=duration from=] |record|'s [=attribution rate-limit record/time=] and |source|'s [=attribution source/source time=] is <= [=origin rate-limit window=]
1. Let |distinctReportingOrigins| be the [=set=] of all [=attribution rate-limit record/reporting origin=] in |matchingRateLimitRecords|,
    [=set/union|unioned=] with «|source|'s [=attribution source/reporting origin=]».
1. If |distinctReportingOrigins|'s [=list/size=] is greater than [=max source reporting origins per source reporting site=], return <strong>blocked</strong>.
1. Return <strong>allowed</strong>.

To <dfn>obtain a fake report</dfn> given an [=attribution source=] |source| and
a [=trigger state=] |triggerState|:

1. Let |specEntry| be the [=map/entry=] for
    |source|'s [=attribution source/trigger specs=][|triggerState|'s [=trigger state/trigger data=]].
1. Let |triggerTime| be |triggerState|'s [=trigger state/report window=]'s [=report window/start=].
1. Let |priority| be 0.
1. Let |fakeReport| be the result of running [=obtain an event-level report=] with |source|,
    |triggerTime|, [=obtain an event-level report/triggerDebugKey=] set to null,
    |priority|, and |specEntry|.
1. [=Assert=]: |fakeReport|'s [=event-level report/report time=] is equal to
    |triggerState|'s [=trigger state/report window=]'s [=report window/end=].
1. Return |fakeReport|.

To <dfn>check if a source debug data type is a verbose debug data type</dfn>
given a [=source debug data type=] |dataType|:

1. If |dataType| is:
    <dl class="switch">
    : "<code>[=source debug data type/source-destination-global-rate-limit=]</code>"
    : "<code>[=source debug data type/source-destination-limit-replaced=]</code>"
    : "<code>[=source debug data type/source-reporting-origin-limit=]</code>"
    :: Return false.

    </dl>
1. Return true.

To <dfn>obtain and deliver a verbose debug report on source registration</dfn> given a
[=set=] of [=source debug data types=] |dataTypes|, an [=attribution source=] |source|,
and a [=boolean=] |isNoised|:

1. If |source|'s [=attribution source/debug reporting enabled=] is false, return.
1. If |source|'s [=attribution source/debug cookie set=] is false, return.
1. Let |body| be a new [=map=] with the following key/value pairs:
    : "`attribution_destination`"
    :: |source|'s [=attribution source/attribution destinations=], [=serialize attribution destinations|serialized=].
    : "`source_event_id`"
    :: |source|'s [=attribution source/event ID=], [=serialize an integer|serialized=].
    : "`source_site`"
    :: |source|'s [=attribution source/source site=], <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
1. If |source|'s [=attribution source/debug key=] is not null, [=map/set=] |body|["`source_debug_key`"]
    to |source|'s [=attribution source/debug key=], [=serialize an integer|serialized=].
1. Let |dataTypeToReport| be null.
1. [=set/iterate|For each=] |dataType| of |dataTypes|:
    1. Let |effectiveDataType| be |dataType|.
    1. If |dataType| is:
        <dl class="switch">
            : "<code>[=source debug data type/source-destination-global-rate-limit=]</code>"
            : "<code>[=source debug data type/source-reporting-origin-limit=]</code>"
            :: Set |effectiveDataType| to "<code>[=source debug data type/source-success=]</code>".

        </dl>
    1. If |effectiveDataType| is "<code>[=source debug data type/source-success=]</code>"
        and |isNoised| is true, set |effectiveDataType| to "<code>[=source debug data type/source-noised=]</code>".
    1. If the result of [=checking if a source debug data type is a verbose debug data type=]
        is true:
        1. [=Assert=]: |dataTypeToReport| is null.
        1. Set |dataTypeToReport| to |effectiveDataType|.
    1. If |effectiveDataType| is:
        <dl class="switch">
        : "<code>[=source debug data type/source-destination-limit=]</code>"
        :: [=map/Set=] |body|["`limit`"] to the user agent's [=max destinations covered by unexpired sources=],
            [=serialize an integer|serialized=].
        : "<code>[=source debug data type/source-destination-limit-replaced=]</code>"
        :: [=map/Set=] |body|["`source_destination_limit`"] to the user agent's
            [=max destinations covered by unexpired sources=], [=serialize an integer|serialized=].

        Note: The "`source_destination_limit`" field may be included to indicate that
        [=max destinations covered by unexpired sources=] was hit, which is not
        reported as "<code>[=source debug data type/source-destination-limit=]</code>" to prevent side-channel
        leakage of cross-origin data.

        : "<code>[=source debug data type/source-destination-rate-limit=]</code>"
        :: [=map/Set=] |body|["`limit`"] to the user agent's [=max destinations per rate-limit window=][1],
             [=serialize an integer|serialized=].
        : "<code>[=source debug data type/source-destination-per-day-rate-limit=]</code>"
        :: [=map/Set=] |body|["`limit`"] to the user agent's [=max destinations per source reporting site per day=],
             [=serialize an integer|serialized=].
        : "<code>[=source debug data type/source-storage-limit=]</code>"
        :: [=map/Set=] |body|["`limit`"] to the user agent's [=max pending sources per source origin=],
            [=serialize an integer|serialized=].
        : "<code>[=source debug data type/source-channel-capacity-limit=]</code>"
        ::
            1. Let |sourceType| be |source|'s [=attribution source/source type=].
            1. [=map/Set=] |body|["`limit`"] to the user agent's [=max event-level channel capacity per source=][|sourceType|].
        : "<code>[=source debug data type/source-trigger-state-cardinality-limit=]</code>"
        :: [=map/Set=] |body|["`limit`"] to the user agent's [=max trigger-state cardinality=],
            [=serialize an integer|serialized=].
        : "<code>[=source debug data type/source-reporting-origin-per-site-limit=]</code>"
        :: [=map/Set=] |body|["`limit`"] to the user agent's [=max source reporting origins per source reporting site=],
            [=serialize an integer|serialized=].

        </dl>
1. [=Assert=]: |dataTypeToReport| is not null.
1. Let |data| be a new [=verbose debug data=] with the items:
    : [=verbose debug data/data type=]
    :: |dataTypeToReport|
    : [=verbose debug data/body=]
    :: |body|
1. Run [=obtain and deliver a verbose debug report=] with « |data| », |source|'s [=attribution source/reporting origin=],
    and |source|'s [=attribution source/fenced=].

To <dfn>obtain and deliver an aggregatable debug report on source registration</dfn>
given a [=set=] of [=source debug data types=] |dataTypes|, an [=attribution source=] |source|,
and a [=boolean=] |isNoised|:

1. If |source|'s [=attribution source/fenced=] is true, return.
1. Let |config| be |source|'s [=attribution source/aggregatable debug reporting config=].
1. Let |debugDataMap| be |config|'s [=aggregatable debug reporting config/debug data=].
1. If |debugDataMap| [=map/is empty=], return.
1. Let |contributions| be a new [=list=].
1. [=set/iterate|For each=] |dataType| of |dataTypes|:
    1. Let |dataTypeToReport| be |dataType|.
    1. If |dataType| is "<code>[=source debug data type/source-success=]</code>"
        and |isNoised| is true, set |dataTypeToReport| to "<code>[=source debug data type/source-noised=]</code>".
    1. If |debugDataMap|[|dataTypeToReport|] [=map/exists=]:
        1. Let |contribution| be a new [=aggregatable contribution=] with items:
            : [=aggregatable contribution/key=]
            :: |debugDataMap|[|dataTypeToReport|]'s [=aggregatable contribution/key=] bitwise-OR
                |config|'s [=aggregatable debug reporting config/key piece=]
            : [=aggregatable contribution/value=]
            :: |debugDataMap|[|dataTypeToReport|]'s [=aggregatable contribution/value=]
            : [=aggregatable contribution/filtering ID=]
            :: [=default filtering ID value=]
        1. [=list/Append=] |contribution| to |contributions|.
1. Run [=obtain and deliver an aggregatable debug report on registration=] with |contributions|,
    |source|'s [=attribution source/source site=], |source|'s [=attribution source/reporting origin=],
    |source|, |source|'s [=attribution source/attribution destinations=][0],
    |config|'s [=aggregatable debug reporting config/aggregation coordinator=],
    and |source|'s [=attribution source/source time=].

To <dfn>obtain and deliver debug reports on source registration</dfn>
given a [=set=] of [=source debug data types=] |dataTypes|, an [=attribution source=] |source|,
and an optional [=boolean=] |isNoised| (default false):

1. Run [=obtain and deliver a verbose debug report on source registration=]
    with |dataTypes|, |source|, and |isNoised|.
1. Run [=obtain and deliver an aggregatable debug report on source registration=]
    with |dataTypes|, |source|, and |isNoised|.

To <dfn>delete expired sources</dfn> given a [=moment=] |now|:

1. [=set/iterate|For each=] |source| of the [=attribution source cache=]:
    1. If |source|'s [=attribution source/expiry time=] is less than |now|,
        [=set/remove=] |source| from the [=attribution source cache=].

To <dfn>process an attribution source</dfn> given an [=attribution source=] |source|:

1. [=Delete expired sources=] with |source|'s [=attribution source/source time=].
1. Let |randomizedResponseConfig| be a new [=randomized response output configuration=] whose items are:

    : [=randomized response output configuration/max attributions per source=]
    :: |source|'s [=attribution source/max number of event-level reports=]
    : [=randomized response output configuration/trigger specs=]
    :: |source|'s [=trigger specs=]

1. Let |epsilon| be |source|'s [=attribution source/event-level epsilon=].
1. Let |channelCapacity| be the result of [=computing the channel capacity of a source=] with |randomizedResponseConfig| and |epsilon|.
1. If |channelCapacity| is an error:
    1. Run [=obtain and deliver debug reports on source registration=] with
        « "<code>[=source debug data type/source-trigger-state-cardinality-limit=]</code>" » and |source|.
    1. Return.
1. Let |sourceType| be |source|'s [=attribution source/source type=].
1. If |channelCapacity| is greater than [=max event-level channel capacity per source=][|sourceType|]:
    1. Run [=obtain and deliver debug reports on source registration=] with
        « "<code>[=source debug data type/source-channel-capacity-limit=]</code>" » and |source|.
    1. Return.
1. Set |source|'s [=attribution source/randomized response=] to the result of
    [=obtaining a randomized source response=] with |randomizedResponseConfig| and |epsilon|.
1. Set |source|'s [=attribution source/randomized trigger rate=] to the result of
    [=obtaining a randomized source response pick rate=] with |randomizedResponseConfig| and |epsilon|.
1. Set |source|'s [=attribution source/number of event-level reports=] to 0 if
    |source|'s [=attribution source/randomized response=] is null,
    [=attribution source/randomized response=]'s [=list/size=] otherwise.
1. Let |pendingSourcesForSourceOrigin| be the [=set=] of all
    [=attribution sources=] |pendingSource| of the [=attribution source cache=] where |pendingSource|'s
    [=attribution source/source origin=] and |source|'s
    [=attribution source/source origin=] are [=same origin=].
1. If |pendingSourcesForSourceOrigin|'s [=list/size=] is greater than or equal
    to the user agent's [=max pending sources per source origin=]:
    1. Run [=obtain and deliver debug reports on source registration=] with
        « "<code>[=source debug data type/source-storage-limit=]</code>" » and |source|.
    1. Return.
1. Let |destinationRateLimitResult| be the result of running [=check if an attribution source exceeds the time-based destination limit=] with |source|.
1. If |destinationRateLimitResult| is "<code>[=destination rate-limit result/hit reporting limit=]</code>":
    1. Run [=obtain and deliver debug reports on source registration=] with
        « "<code>[=source debug data type/source-destination-rate-limit=]</code>" » and |source|.
    1. Return.
1. If the result of running [=check if an attribution source exceeds the per day destination limit=]
    with |source| is true:
    1. Run [=obtain and deliver debug reports on source registration=] with
        « "<code>[=source debug data type/source-destination-per-day-rate-limit=]</code>" » and |source|.
    1. Return.
1. Let |sourcesToDeleteForDestinationLimit| be the result of running [=get sources to delete for the unexpired destination limit=]
    with |source|.
1. If |sourcesToDeleteForDestinationLimit| [=set/contains=] |source|'s [=attribution source/source identifier=]:
    1. Run [=obtain and deliver debug reports on source registration=] with
        "<code>[=source debug data type/source-destination-limit=]</code>" and |source|.
    1. Return.
1. Let |debugDataTypes| be a new [=set=].
1. If |sourcesToDeleteForDestinationLimit| is not [=set/is empty|empty=],
    [=set/append=] "<code>[=source debug data type/source-destination-limit-replaced=]</code>"
    to |debugDataTypes|.
1. Run [=delete sources for unexpired destination limit=] with |sourcesToDeleteForDestinationLimit| and |source|'s [=attribution source/source time=].
1. Let |isNoised| be true if |source|'s [=attribution source/randomized response=]
    is not null, otherwise false.
1. If |destinationRateLimitResult| is "<code>[=destination rate-limit result/hit global limit=]</code>":
    1. [=set/Append=] "<code>[=source debug data type/source-destination-global-rate-limit=]</code>"
        to |debugDataTypes|.
    1. Run [=obtain and deliver debug reports on source registration=]
        with |debugDataTypes|, |source|, and |isNoised|.
    1. Return.
1. Let |newRateLimitRecords| be a new [=set=].
1. [=set/iterate|For each=] |destination| in |source|'s [=attribution source/attribution destinations=]:
    1. Let |rateLimitRecord| be a new [=attribution rate-limit record=] with the items:
        : [=attribution rate-limit record/scope=]
        :: "<code>[=rate-limit scope/source=]</code>"
        : [=attribution rate-limit record/source site=]
        :: |source|'s [=attribution source/source site=]
        : [=attribution rate-limit record/attribution destination=]
        :: |destination|
        : [=attribution rate-limit record/reporting origin=]
        :: |source|'s [=attribution source/reporting origin=]
        : [=attribution rate-limit record/time=]
        :: |source|'s [=attribution source/source time=]
        : [=attribution rate-limit record/expiry time=]
        :: |source|'s [=attribution source/expiry time=]
        : [=attribution rate-limit record/entity ID=]
        :: |source|'s [=attribution source/source identifier=]
        : [=attribution rate-limit record/destination limit priority=]
        :: |source|'s [=attribution source/destination limit priority=]
    1. If the result of running [=should processing be blocked by reporting-origin limit=] with
        |rateLimitRecord| is <strong>blocked</strong>:
        1. [=set/Append=] "<code>[=source debug data type/source-reporting-origin-limit=]</code>"
            to |debugDataTypes|.
        1. Run [=obtain and deliver debug reports on source registration=]
            with |debugDataTypes|, |source|, and |isNoised|.
        1. Return.
    1. [=set/Append=] |rateLimitRecord| to |newRateLimitRecords|.
1. [=set/iterate|For each=] |record| of |newRateLimitRecords|, [=set/append=] |record| to
    the [=attribution rate-limit cache=].
1. [=list/Remove=] all [=attribution rate-limit records=] |entry| from the [=attribution rate-limit cache=] if the result of running
    [=can attribution rate-limit record be removed=] with |entry| and |source|'s [=attribution source/source time=] is true.
1. If |source|'s [=attribution source/randomized response=] is not null and is a [=list=]:
    1. [=list/iterate|For each=] [=trigger state=] |triggerState| of |source|'s
        [=attribution source/randomized response=]:
        1. Let |fakeReport| be the result of running [=obtain a fake report=]
            with |source| and |triggerState|.
        1. [=set/Append=] |fakeReport| to the [=event-level report cache=].
    1. If |source|'s [=attribution source/randomized response=] is not [=list/is empty|empty=],
        then set |source|'s [=attribution source/event-level attributable=] value to false.
    1. [=map/iterate|For each=] |destination| in |source|'s [=attribution source/attribution destinations=]:
        1. Let |rateLimitRecord| be a new [=attribution rate-limit record=] with the items:
            : [=attribution rate-limit record/scope=]
            :: "<code>[=rate-limit scope/event-attribution=]</code>"
            : [=attribution rate-limit record/source site=]
            :: |source|'s [=attribution source/source site=]
            : [=attribution rate-limit record/attribution destination=]
            :: |destination|
            : [=attribution rate-limit record/reporting origin=]
            :: |source|'s [=attribution source/reporting origin=]
            : [=attribution rate-limit record/time=]
            :: |source|'s [=attribution source/source time=]
            : [=attribution rate-limit record/expiry time=]
            :: null
            : [=attribution rate-limit record/entity ID=]
            :: null
        1. [=set/Append=] |rateLimitRecord| to the [=attribution rate-limit cache=].
1. [=set/Append=] "<code>[=source debug data type/source-success=]</code>" to
    |debugDataTypes|.
1. Run [=obtain and deliver debug reports on source registration=] with
    |debugDataTypes|, |source|, and |isNoised|.
1. [=set/Append=] |source| to the [=attribution source cache=].

Note: Because a fake report does not have a "real" effective destination, we need to subtract from the
privacy budget of all possible destinations.

Note: The limits that are not reported as <code>[=source debug data type/source-success=]</code>
in [=verbose debug reports=] should be checked before any limits that are reported implicitly as
<code>[=source debug data type/source-success=]</code> (
<code>[=source debug data type/source-destination-global-rate-limit=]</code> and
<code>[=source debug data type/source-reporting-origin-limit=]</code>) to
prevent side-channel leakage of cross-origin data. Furthermore, the [=verbose debug data=]
should be fully determined regardless of the result of checks on implicitly reported limits.

# Triggering Algorithms # {#trigger-algorithms}

A <dfn>trigger-registration JSON key</dfn> is one of the following:

<ul dfn-for="trigger-registration JSON key">
<li>"<dfn><code>aggregatable_debug_reporting</code></dfn>"
<li>"<dfn><code>aggregatable_deduplication_keys</code></dfn>"
<li>"<dfn><code>aggregatable_filtering_id_max_bytes</code></dfn>"
<li>"<dfn><code>aggregatable_source_registration_time</code></dfn>"
<li>"<dfn><code>aggregatable_trigger_data</code></dfn>"
<li>"<dfn><code>aggregatable_values</code></dfn>"
<li>"<dfn><code>aggregation_coordinator_origin</code></dfn>"
<li>"<dfn><code>debug_key</code></dfn>"
<li>"<dfn><code>debug_reporting</code></dfn>"
<li>"<dfn><code>deduplication_key</code></dfn>"
<li>"<dfn><code>event_trigger_data</code></dfn>"
<li>"<dfn><code>filtering_id</code></dfn>"
<li>"<dfn><code>filters</code></dfn>"
<li>"<dfn><code>key_piece</code></dfn>"
<li>"<dfn><code>not_filters</code></dfn>"
<li>"<dfn><code>priority</code></dfn>"
<li>"<dfn><code>source_keys</code></dfn>"
<li>"<dfn><code>trigger_context_id</code></dfn>"
<li>"<dfn><code>trigger_data</code></dfn>"
<li>"<dfn><code>value</code></dfn>"
<li>"<dfn><code>values</code></dfn>"
</ul>

<h3 algorithm id="attribution-trigger-creation">Creating an attribution trigger</h3>

To <dfn>parse an event-trigger value</dfn> given a [=map=] |map|:

1. If [=experimental Flexible Event support=] is false or |map|["<code>[=trigger-registration JSON key/value=]</code>"] does
    not [=map/exists|exist=], return 1.
1. Let |value| be |map|["<code>[=trigger-registration JSON key/value=]</code>"].
1. If |value| is not an integer, cannot be represented by an unsigned 32-bit
    integer, or is less than or equal to zero, return an error.
1. Return |value|.

To <dfn>parse event triggers</dfn> given a [=map=] |map|:

1. Let |eventTriggers| be a new [=set=].
1. If |map|["<code>[=trigger-registration JSON key/event_trigger_data=]</code>"] does not [=map/exists|exist=], return
    |eventTriggers|.
1. Let |values| be |map|["<code>[=trigger-registration JSON key/event_trigger_data=]</code>"].
1. If |values| is not a [=list=], return null.
1. [=list/iterate|For each=] |value| of |values|:
    1. If |value| is not a [=map=], return null.
    1. Let |triggerData| be the result of running
        [=parse an optional 64-bit unsigned integer=] with |value|,
        "<code>[=trigger-registration JSON key/trigger_data=]</code>", and 0.
    1. If |triggerData| is an error, return null.
    1. Let |dedupKey| be the result of running
        [=parse an optional 64-bit unsigned integer=] with |value|,
        "<code>[=trigger-registration JSON key/deduplication_key=]</code>", and null.
    1. If |dedupKey| is an error, return null.
    1. Let |priority| be the result of running
        [=parse an optional 64-bit signed integer=] with |value|, "<code>[=trigger-registration JSON key/priority=]</code>",
        and 0.
    1. If |priority| is an error, return null.
    1. Let |filterPair| be the result of running [=parse a filter pair=] with
        |value|.
    1. If |filterPair| is null, return null.
    1. Let |triggerValue| be the result of running
        [=parse an event-trigger value=] with |value|.
    1. If |triggerValue| is an error, return null.
    1. Let |eventTrigger| be a new [=event-level trigger configuration=] with
        the items:
        : [=event-level trigger configuration/trigger data=]
        :: |triggerData|
        : [=event-level trigger configuration/dedup key=]
        :: |dedupKey|
        : [=event-level trigger configuration/priority=]
        :: |priority|
        : [=event-level trigger configuration/filters=]
        :: |filterPair|[0]
        : [=event-level trigger configuration/negated filters=]
        :: |filterPair|[1]
        : [=event-level trigger configuration/value=]
        :: |triggerValue|
    1. [=set/Append=] |eventTrigger| to |eventTriggers|.
1. Return |eventTriggers|.

To <dfn>parse aggregatable trigger data</dfn> given a [=map=] |map|:

1. Let |aggregatableTriggerData| be a new [=list=].
1. If |map|["<code>[=trigger-registration JSON key/aggregatable_trigger_data=]</code>"] does not [=map/exist=], return |aggregatableTriggerData|.
1. Let |values| be |map|["<code>[=trigger-registration JSON key/aggregatable_trigger_data=]</code>"].
1. If |values| is not a [=list=], return null.
1. [=list/iterate|For each=] |value| of |values|:
    1. If |value| is not a [=map=], return null.
    1. If |value|["<code>[=trigger-registration JSON key/key_piece=]</code>"] does not [=map/exist=] or is not a [=string=], return null.
    1. Let |keyPiece| be the result of running [=parse an aggregation key piece=] with |value|["<code>[=trigger-registration JSON key/key_piece=]</code>"].
    1. If |keyPiece| is an error, return null.
    1. Let |sourceKeys| be a new [=set=].
    1. If |value|["<code>[=trigger-registration JSON key/source_keys=]</code>"] [=map/exists=]:
        1. If |value|["<code>[=trigger-registration JSON key/source_keys=]</code>"] is not a [=list=], return null.
        1. [=list/iterate|For each=] |sourceKey| of |value|["<code>[=trigger-registration JSON key/source_keys=]</code>"]:
            1. If |sourceKey| is not a [=string=], return null.
            1. If |sourceKey|'s [=string/length=] is greater than the
                [=max length per aggregation key identifier=], return null.
            1. [=set/Append=] |sourceKey| to |sourceKeys|.
    1. Let |filterPair| be the result of running [=parse a filter pair=] with
        |value|.
    1. If |filterPair| is null, return null.
    1. Let |aggregatableTrigger| be a new [=aggregatable trigger data=] with the items:
        : [=aggregatable trigger data/key piece=]
        :: |keyPiece|
        : [=aggregatable trigger data/source keys=]
        :: |sourceKeys|
        : [=aggregatable trigger data/filters=]
        :: |filterPair|[0]
        : [=aggregatable trigger data/negated filters=]
        :: |filterPair|[1]
    1. [=list/Append=] |aggregatableTrigger| to |aggregatableTriggerData|.
1. Return |aggregatableTriggerData|.

To <dfn>parse aggregatable filtering ID max bytes</dfn> given a [=map=] |map|:

1. Let |maxBytes| be [=default filtering ID max bytes=].
1. If |map|["<code>[=trigger-registration JSON key/aggregatable_filtering_id_max_bytes=]</code>"] [=map/exists=]:
    1. Set |maxBytes| to |map|["<code>[=trigger-registration JSON key/aggregatable_filtering_id_max_bytes=]</code>"].
    1. If |maxBytes| is a positive integer and is [=set/contained=] in the [=valid filtering ID max bytes range=],
        return |maxBytes|.
    1. Otherwise, return null.
1. Return |maxBytes|.

To <dfn>validate aggregatable key-values value</dfn> given a |value|:
1. If |value| is not an integer, return false.
1. If |value| is less than or equal to 0, return false.
1. If |value| is greater than [=allowed aggregatable budget per source=], return false.
1. Return true.

To <dfn>parse aggregatable key-values</dfn> given a [=map=] |map| and a positive integer |maxBytes|:

1. Let |out| be a new [=map=].
1. [=map/iterate|For each=] |key| → |value| of |map|:
    1. If |key|'s [=string/length=] is greater than the [=max length per aggregation key identifier=],
        return null.
    1. If |value| is not a [=map=] or an integer, return null.
    1. If |value| is an integer:
        1. If the result of running [=validate aggregatable key-values value=] with |value| is false, return null.
        1. [=map/Set=] |out|[|key|] to a new [=aggregatable key value=] whose items are
            : [=aggregatable key value/value=]
            :: |value|
            : [=aggregatable key value/filtering ID=]
            :: [=default filtering ID value=]
        1. [=iteration/Continue=].
    1. If |value|["<code>[=trigger-registration JSON key/value=]</code>"] does not [=map/exist=], return null.
    1. If the result of running [=validate aggregatable key-values value=] with
        |value|["<code>[=trigger-registration JSON key/value=]</code>"] is false, return null.
    1. Let |filteringId| be [=default filtering ID value=].
    1. If |value|["<code>[=trigger-registration JSON key/filtering_id=]</code>"] [=map/exists=]:
        1. Set |filteringId| to the result of applying the
            <a spec="html">rules for parsing non-negative integers</a> to |value|["<code>[=trigger-registration JSON key/filtering_id=]</code>"].
        1. If |filteringId| is an error, return null.
        1. If |filteringId| is not in [=the exclusive range|the range=]
            0 to 256<sup>|maxBytes|</sup>, exclusive, return null.
    1.  [=map/Set=] |out|[|key|] to a new [=aggregatable key value=] whose items are
        : [=aggregatable key value/value=]
        :: |value|["<code>[=trigger-registration JSON key/value=]</code>"]
        : [=aggregatable key value/filtering ID=]
        :: |filteringId|
1. Return |out|.

To <dfn>parse aggregatable values</dfn> given a [=map=] |map| and a positive integer |maxBytes|:

1. If |map|["<code>[=trigger-registration JSON key/aggregatable_values=]</code>"] does not [=map/exist=], return a new [=list=].
1. Let |values| be |map|["<code>[=trigger-registration JSON key/aggregatable_values=]</code>"].
1. If |values| is not a [=map=] or a [=list=], return null.
1. Let |aggregatableValuesConfigurations| be a [=list=] of [=aggregatable values configurations=], initially empty.
1. If |values| is a [=map=]:
    1. Let |aggregatableKeyValues| be the result of running [=parse aggregatable key-values=] with |values| and |maxBytes|.
    1. If |aggregatableKeyValues| is null, return null.
    1. Let |aggregatableValuesConfiguration| be a new [=aggregatable values configuration=] with the items:
        : [=aggregatable values configuration/values=]
        :: |aggregatableKeyValues|
        : [=aggregatable values configuration/filters=]
        :: «»
        : [=aggregatable values configuration/negated filters=]
        :: «»
    1. [=list/Append=] |aggregatableValuesConfiguration| to |aggregatableValuesConfigurations|.
    1. Return |aggregatableValuesConfigurations|.
1. [=list/iterate|For each=] |value| of |values|:
    1. If |value| is not a [=map=], return null.
    1. If |value|["<code>[=trigger-registration JSON key/values=]</code>"] does not [=map/exist=], return null.
    1. Let |aggregatableKeyValues| be the result of running [=parse aggregatable key-values=] with
        |value|["<code>[=trigger-registration JSON key/values=]</code>"] and |maxBytes|.
    1. If |aggregatableKeyValues| is null, return null.
    1. Let |filterPair| be the result of running [=parse a filter pair=] with
        |value|.
    1. If |filterPair| is null, return null.
    1. Let |aggregatableValuesConfiguration| be a new [=aggregatable values configuration=] with the items:
        : [=aggregatable values configuration/values=]
        :: |aggregatableKeyValues|
        : [=aggregatable values configuration/filters=]
        :: |filterPair|[0]
        : [=aggregatable values configuration/negated filters=]
        :: |filterPair|[1]
    1. [=list/Append=] |aggregatableValuesConfiguration| to |aggregatableValuesConfigurations|.
1. Return |aggregatableValuesConfigurations|.

To <dfn>parse aggregatable dedup keys</dfn> given a [=map=] |map|:

1. Let |aggregatableDedupKeys| be a new [=list=].
1. If |map|["<code>[=trigger-registration JSON key/aggregatable_deduplication_keys=]</code>"] does not [=map/exist=], return |aggregatableDedupKeys|.
1. Let |values| be |map|["<code>[=trigger-registration JSON key/aggregatable_deduplication_keys=]</code>"].
1. If |values| is not a [=list=], return null.
1. [=list/iterate|For each=] |value| of |values|:
    1. If |value| is not a [=map=], return null.
    1. Let |dedupKey| be the result of running
        [=parse an optional 64-bit unsigned integer=] with |value|,
        "<code>[=trigger-registration JSON key/deduplication_key=]</code>", and null.
    1. If |dedupKey| is an error, return null.
    1. Let |filterPair| be the result of running [=parse a filter pair=] with
        |value|.
    1. If |filterPair| is null, return null.
    1. Let |aggregatableDedupKey| be a new [=aggregatable dedup key=] with the items:
        : [=aggregatable dedup key/dedup key=]
        :: |dedupKey|
        : [=aggregatable dedup key/filters=]
        :: |filterPair|[0]
        : [=aggregatable dedup key/negated filters=]
        :: |filterPair|[1]
    1. [=set/Append=] |aggregatableDedupKey| to |aggregatableDedupKeys|.
1. Return |aggregatableDedupKeys|.

To <dfn noexport>create an attribution trigger</dfn> given a [=byte sequence=]
|json|, a [=site=] |destination|, a [=suitable origin=] |reportingOrigin|, a [=list=] of [=trigger verification=] |triggerVerifications|,
a [=moment=] |triggerTime|, and a [=boolean=] |fenced|:

1. Let |value| be the result of running
    [=parse JSON bytes to an Infra value=] with |json|.
1. If |value| is not a [=map=], return null.
1. Let |eventTriggers| be the result of running [=parse event triggers=]
    with |value|.
1. If |eventTriggers| is null, return null.
1. Let |aggregatableTriggerData| be the result of running [=parse aggregatable trigger data=]
    with |value|.
1. If |aggregatableTriggerData| is null, return null.
1. Let |filteringIdsMaxBytes| be the result of [=parsing aggregatable filtering ID max bytes=] with |value|.
1. If |filteringIdsMaxBytes| is null, return null.
1. Let |aggregatableValuesConfigurations| be the result of running
    [=parse aggregatable values=] with |value| and |filteringIdsMaxBytes|.
1. If |aggregatableValuesConfigurations| is null, return null.
1. Let |aggregatableDedupKeys| be the result of running [=parse aggregatable dedup keys=]
    with |value|.
1. If |aggregatableDedupKeys| is null, return null.
1. Let |debugKey| be the result of running
    [=parse an optional 64-bit unsigned integer=] with |value|, "<code>[=trigger-registration JSON key/debug_key=]</code>",
    and null.
1. If |debugKey| is an error, set |debugKey| to null.
1. If the result of running [=check if cookie-based debugging is allowed=] with
    |reportingOrigin| and |destination| is <strong>blocked</strong>, set |debugKey| to null.
1. Let |filterPair| be the result of running [=parse a filter pair=] with |value|.
1. If |filterPair| is null, return null.
1. Let |debugReportingEnabled| be false.
1. If |value|["<code>[=trigger-registration JSON key/debug_reporting=]</code>"] [=map/exists=] and is a [=boolean=], set
    |debugReportingEnabled| to value["<code>[=trigger-registration JSON key/debug_reporting=]</code>"].
1. Let |aggregationCoordinator| be [=default aggregation coordinator=].
1. If |value|["<code>[=trigger-registration JSON key/aggregation_coordinator_origin=]</code>"] [=map/exists=]:
    1. Set |aggregationCoordinator| to the result of running [=parse an aggregation coordinator=] with
        |value|["<code>[=trigger-registration JSON key/aggregation_coordinator_origin=]</code>"].
    1. If |aggregationCoordinator| is null, return null.
1. Let |aggregatableSourceRegTimeConfig| be "<code>[=aggregatable source registration time configuration/exclude=]</code>".
1. If |value|["<code>[=trigger-registration JSON key/aggregatable_source_registration_time=]</code>"] [=map/exists=]:
    1. If |value|["<code>[=trigger-registration JSON key/aggregatable_source_registration_time=]</code>"] is not a [=string=], return null.
    1. If |value|["<code>[=trigger-registration JSON key/aggregatable_source_registration_time=]</code>"] is not an [=aggregatable source registration time configuration=],
        return null.
    1. Set |aggregatableSourceRegTimeConfig| to |value|["<code>[=trigger-registration JSON key/aggregatable_source_registration_time=]</code>"].
1. Let |triggerContextID| be null.
1. If |value|["<code>[=trigger-registration JSON key/trigger_context_id=]</code>"] [=map/exists=]:
    1. If |value|["<code>[=trigger-registration JSON key/trigger_context_id=]</code>"] is not a [=string=], return null.
    1. If |value|["<code>[=trigger-registration JSON key/trigger_context_id=]</code>"]'s [=string/length=] is greater than the [=max length per trigger context ID=],
        return null.
    1. Set |triggerContextID| to |value|["<code>[=trigger-registration JSON key/trigger_context_id=]</code>"].
1. Let |aggregatableDebugReportingConfig| be a new [=aggregatable debug reporting config=].
1. If |value|["<code>[=trigger-registration JSON key/aggregatable_debug_reporting=]</code>"] [=map/exists=]:
    1. Let |supportedTypes| be the [=set=] of all [=trigger debug data types=].
    1. Set |aggregatableDebugReportingConfig| to the result of running [=parse an aggregatable debug reporting config=]
        with |value|["<code>[=trigger-registration JSON key/aggregatable_debug_reporting=]</code>"],
        [=allowed aggregatable budget per source=], |supportedTypes|, and |aggregatableDebugReportingConfig|.
1. Let |trigger| be a new [=attribution trigger=] with the items:
    : [=attribution trigger/attribution destination=]
    :: |destination|
    : [=attribution trigger/trigger time=]
    :: |triggerTime|
    : [=attribution trigger/reporting origin=]
    :: |reportingOrigin|
    : [=attribution trigger/filters=]
    :: |filterPair|[0]
    : [=attribution trigger/negated filters=]
    :: |filterPair|[1]
    : [=attribution trigger/debug key=]
    :: |debugKey|
    : [=attribution trigger/event-level trigger configurations=]
    :: |eventTriggers|
    : [=attribution trigger/aggregatable trigger data=]
    :: |aggregatableTriggerData|
    : [=attribution trigger/aggregatable values configurations=]
    :: |aggregatableValuesConfigurations|
    : [=attribution trigger/aggregatable dedup keys=]
    :: |aggregatableDedupKeys|
    : [=attribution trigger/verifications=]
    :: |triggerVerifications|
    : [=attribution trigger/debug reporting enabled=]
    :: |debugReportingEnabled|
    : [=attribution trigger/aggregation coordinator=]
    :: |aggregationCoordinator|
    : [=attribution trigger/aggregatable source registration time configuration=]
    :: |aggregatableSourceRegTimeConfig|
    : [=attribution trigger/trigger context ID=]
    :: |triggerContextID|
    : [=attribution trigger/fenced=]
    :: |fenced|
    : [=attribution trigger/aggregatable filtering ID max bytes=]
    :: |filteringIdsMaxBytes|
    : [=attribution trigger/aggregatable debug reporting config=]
    :: |aggregatableDebugReportingConfig|
1. If |aggregatableSourceRegTimeConfig| is not "<code>[=aggregatable source registration time configuration/exclude=]</code>"
    and the result of running [=check if an aggregatable attribution report should be unconditionally sent=] with |trigger| is true, return null.
1. Return |trigger|.

Issue: Determine proper charset-handling for the JSON header value.

<h3 dfn id="does-filter-data-match">Does filter data match</h3>

To <dfn>match [=filter values=]</dfn> given a [=filter value=] |a| and a [=filter value=] |b|:
1. If |b| [=set/is empty=], then:
    1. If |a| [=set/is empty=], then return true.
    1. Otherwise, return false.
1. Let |i| be the [=set/intersection=] of |a| and |b|.
1. If |i| [=set/is empty=], then return false.
1. Return true.

To <dfn>match [=filter values=] with negation</dfn> given a [=filter value=] |a| and a [=filter value=] |b|:
1. If |b| [=set/is empty=], then:
    1. If |a| is not [=set/is empty|empty=], then return true.
    1. Otherwise, return false.
1. Let |i| be the [=set/intersection=] of |a| and |b|.
1. If |i| is not [=set/is empty|empty=], then return false.
1. Return true.

To <dfn>match an attribution source against a filter config</dfn> given an
[=attribution source=] |source|, a [=filter config=] |filter|, a [=moment=] |moment|, and a [=boolean=]
<dfn for="match an attribution source against a filter config"><var>isNegated</var></dfn>:

1. Let |lookbackWindow| be |filter|'s [=filter config/lookback window=].
1. If |lookbackWindow| is not null:
    1. If the [=duration from=] |moment| and the |source|'s [=attribution source/source time=] is greater than |lookbackWindow|:
        1. If |isNegated| is false, return false.
    1. Else if |isNegated| is true, return false.

    Note: If non-negated, the source must have been registered inside of the
    lookback window. If negated, it must be outside of the lookback window.

1. Let |filterMap| be |filter|'s [=filter config/map=].
1. Let |sourceData| be |source|'s [=attribution source/filter data=].
1. [=map/iterate|For each=] |key| → |filterValues| of |filterMap|:
    1. If |sourceData|[|key|] does not [=map/exist=], [=iteration/continue=].
    1. Let |sourceValues| be |sourceData|[|key|].
    1. If |isNegated| is:
        <dl class="switch">
        <dt>false</dt>
        <dd> If the result of running [=match filter values=] with |sourceValues| and |filterValues|
             is false, return false.</dd>

        <dt>true</dt>
        <dd>If the result of running [=match filter values with negation=] with |sourceValues| and
            |filterValues| is false, return false.</dd>
        </dl>
1. Return true.

To <dfn>match an attribution source against filters</dfn> given an
[=attribution source=] |source|, a [=list=] of [=filter configs=] |filters|, a [=moment=] |moment|, and a [=boolean=]
<dfn for="match an attribution source against filters"><var>isNegated</var></dfn>:

1. If |filters| [=list/is empty=], return true.
1. [=list/iterate|For each=] |filter| of |filters|:
    1. If the result of running [=match an attribution source against a filter config=] with |source|, |filter|, |moment|, and |isNegated| is true, return true.
1. Return false.

To <dfn>match an attribution source against filters and negated filters</dfn> given an
[=attribution source=] |source|, a [=list=] of [=filter configs=] |filters|, a [=list=] of [=filter configs=] |notFilters|, and a [=moment=] |moment|:

1. If the result of running [=match an attribution source against filters=] with
    |source|, |filters|, |moment|, and [=match an attribution source against filters/isNegated=] set to false is false, return false.
1. If the result of running [=match an attribution source against filters=] with
    |source|, |notFilters|, |moment|, and [=match an attribution source against filters/isNegated=] set to true is false, return false.
1. Return true.

<h3 dfn id="should-send-a-report-unconditionally">Should send a report unconditionally</h3>

To <dfn>check if an aggregatable attribution report should be unconditionally sent</dfn> given an [=attribution trigger=] |trigger|:

1. If |trigger|'s [=attribution trigger/trigger context ID=] is not null, return true.
1. If |trigger|'s [=attribution trigger/aggregatable filtering ID max bytes=]
    is not equal to [=default filtering ID max bytes=], return true.
1. Return false.

<h3 id="should-block-attribution-for-rate-limits">Should attribution be blocked by rate limits</h3>

To <dfn>check if attribution should be blocked by attribution rate limit</dfn> given an [=attribution trigger=] |trigger|, an [=attribution source=] |sourceToAttribute|, and a [=attribution rate-limit record/scope=] |rateLimitScope|:

1. Let |matchingRateLimitRecords| be all [=attribution rate-limit records=] |record| of [=attribution rate-limit cache=] where all of the following are true:
     * |record|'s [=attribution rate-limit record/scope=] is |rateLimitScope|
     * |record|'s [=attribution rate-limit record/source site=] and |sourceToAttribute|'s [=attribution source/source site=] are equal
     * |record|'s [=attribution rate-limit record/attribution destination=] and |trigger|'s [=attribution trigger/attribution destination=] are equal
     * |record|'s [=attribution rate-limit record/reporting origin=] and |trigger|'s [=attribution trigger/reporting origin=] are [=same site=]
     * |record|'s [=attribution rate-limit record/time=] is greater than [=attribution rate-limit window=] before |trigger|'s [=attribution trigger/trigger time=]
1. If |matchingRateLimitRecords|'s [=list/size=] is greater than or equal to [=max attributions per rate-limit window=], return <strong>blocked</strong>.
1. Return <strong>allowed</strong>.

To <dfn>check if attribution should be blocked by rate limits</dfn> given an [=attribution trigger=] |trigger|, an [=attribution source=]
|sourceToAttribute|, and an [=attribution rate-limit record=] |newRecord|:

1. If the result of running [=check if attribution should be blocked by attribution rate limit=] with |trigger|, |sourceToAttribute|,
    and |newRecord|'s [=attribution rate-limit record/scope=] is <strong>blocked</strong>:
    1. Let |debugDataType| be "<code>[=trigger debug data type/trigger-event-attributions-per-source-destination-limit=]</code>".
    1. If |newRecord|'s [=attribution rate-limit record/scope=] is "<code>[=rate-limit scope/aggregatable-attribution=]</code>",
        set |debugDataType| to "<code>[=trigger debug data type/trigger-aggregate-attributions-per-source-destination-limit=]</code>".
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", (|debugDataType|, null)).
1. If the result of running [=should processing be blocked by reporting-origin limit=] with
    |newRecord| is <strong>blocked</strong>:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-reporting-origin-limit=]</code>", null)).
1. Return null.

Issue(1287): Consider performing [=should processing be blocked by reporting-origin limit=] from
[=triggering attribution=] to avoid duplicate invocation from
[=triggering event-level attribution=] and [=triggering aggregatable attribution=].

<h3 algorithm id="creating-aggregatable-contributions">Creating aggregatable contributions</h3>

To <dfn>create [=aggregatable contributions=] from [=attribution source/aggregation keys=] and aggregatable [=aggregatable values configuration/values=]</dfn>
 given a [=map=] |aggregationKeys| and a [=map=] |aggregatableValues|,
 run the following steps:

1. Let |contributions| be an empty [=list=].
1. [=map/iterate|For each=] |id| → |key| of |aggregationKeys|:
    1. If |aggregatableValues|[|id|] does not [=map/exist=], [=iteration/continue=].
    1. Let |contribution| be a new [=aggregatable contribution=] with the items:
        : [=aggregatable contribution/key=]
        :: |key|
        : [=aggregatable contribution/value=]
        :: |aggregatableValues|[|id|]'s [=aggregatable key value/value=]
        : [=aggregatable contribution/filtering ID=]
        :: |aggregatableValues|[|id|]'s [=aggregatable key value/filtering ID=]
    1. [=list/Append=] |contribution| to |contributions|.
1. Return |contributions|.

To <dfn>create [=aggregatable contributions=]</dfn> given an [=attribution source=] |source| and an
 [=attribution trigger=] |trigger|, run the following steps:

1. Let |aggregationKeys| be the result of [=map/clone|cloning=] |source|'s [=attribution source/aggregation keys=].
1. [=list/iterate|For each=] |triggerData| of |trigger|'s [=attribution trigger/aggregatable trigger data=]:
    1. If the result of running [=match an attribution source against filters and negated filters=] with
        |source|, |triggerData|'s [=aggregatable trigger data/filters=],
        |triggerData|'s [=aggregatable trigger data/negated filters=], and
        |trigger|'s [=attribution trigger/trigger time=]
        is false, [=iteration/continue=]:
    1. [=set/iterate|For each=] |sourceKey| of |triggerData|'s [=aggregatable trigger data/source keys=]:
        1. If |aggregationKeys|[|sourceKey|] does not [=map/exist=], [=iteration/continue=].
        1. [=map/Set=] |aggregationKeys|[|sourceKey|] to |aggregationKeys|[|sourceKey|] bitwise-OR |triggerData|'s
            [=aggregatable trigger data/key piece=].
1. Let |aggregatableValuesConfigurations| be |trigger|'s [=attribution trigger/aggregatable values configurations=].
1. [=list/iterate|For each=] |aggregatableValuesConfiguration| of |aggregatableValuesConfigurations|:
    1. If the result of running [=match an attribution source against filters and negated filters=] with
        |source|, |aggregatableValuesConfiguration|'s [=aggregatable values configuration/filters=],
        |aggregatableValuesConfiguration|'s [=aggregatable values configuration/negated filters=], and
        |trigger|'s [=attribution trigger/trigger time=] is true:
        1. Return the result of running [=create aggregatable contributions from aggregation keys and aggregatable values=] with
            |aggregationKeys| and |aggregatableValuesConfiguration|'s [=aggregatable values configuration/values=].
1. Return a new [=list=].

<h3 id="can-source-create-aggregatable-contributions">Can source create aggregatable contributions</h3>

To <dfn>check if an [=attribution source=] can create [=aggregatable contributions=]</dfn> given an
[=aggregatable attribution report=] |report| and an [=attribution source=] |sourceToAttribute|, run the following steps:

1. Let |remainingAggregatableBudget| be |sourceToAttribute|'s [=attribution source/remaining aggregatable attribution budget=].
1. [=Assert=]: |remainingAggregatableBudget| is greater than or equal to 0.
1. If |report|'s [=aggregatable attribution report/required aggregatable budget=] is greater than
    |remainingAggregatableBudget|, return false.
1. Return true.

<h3 id="obtaining-trigger-verbose-debug-data">Obtaining verbose debug data on trigger registration</h3>

To <dfn>obtain verbose debug data body on trigger registration</dfn> given a
[=trigger debug data type=] |dataType|, an [=attribution trigger=] |trigger|,
an optional [=attribution source=] <dfn for="obtain verbose debug data body on trigger registration">
<var>sourceToAttribute</var></dfn>, and an optional [=attribution report=]
<dfn for="obtain verbose debug data body on trigger registration"><var>report</var></dfn>:

1. Let |body| be a new [=map=].
1. If |dataType| is:
    <dl class="switch">
    : "<code>[=trigger debug data type/trigger-event-attributions-per-source-destination-limit=]</code>"
    : "<code>[=trigger debug data type/trigger-aggregate-attributions-per-source-destination-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to the user agent's [=max attributions per rate-limit window=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-reporting-origin-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to the user agent's [=max attribution reporting origins per rate-limit window=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-event-storage-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=max event-level reports per attribution destination=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-aggregate-storage-limit=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=max aggregatable attribution reports per attribution destination=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-aggregate-insufficient-budget=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=allowed aggregatable budget per source=],
         [=serialize an integer|serialized=].
    : "<code>[=trigger debug data type/trigger-aggregate-excessive-reports=]</code>"
    :: [=map/Set=] |body|["`limit`"] to [=max aggregatable reports per source=][0],
    : "<code>[=trigger debug data type/trigger-event-low-priority=]</code>"
    : "<code>[=trigger debug data type/trigger-event-excessive-reports=]</code>"
    ::
        1. [=Assert=]: |report| is not null and is an [=event-level report=].
        1. Return the result of running [=obtain an event-level report body=] with |report|.

    </dl>

1. [=map/Set=] |body|["`attribution_destination`"] to |trigger|'s [=attribution trigger/attribution destination=],
    <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
1. If |trigger|'s [=attribution trigger/debug key=] is not null, [=map/set=] |body|["`trigger_debug_key`"]
    to |trigger|'s [=attribution trigger/debug key=], [=serialize an integer|serialized=].
1. If |sourceToAttribute| is not null:
    1. [=map/Set=] |body|["`source_event_id`"] to |source|'s [=attribution source/event ID=], [=serialize an integer|serialized=].
    1. [=map/Set=] |body|["`source_site`"] to |source|'s [=attribution source/source site=], <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
    1. If |sourceToAttribute|'s [=attribution source/debug key=] is not null, [=map/set=]
        |body|["`source_debug_key`"] to |sourceToAttribute|'s [=attribution source/debug key=],
        [=serialize an integer|serialized=].
1. Return |body|.

To <dfn>obtain verbose debug data on trigger registration</dfn> given a [=trigger debug data type=] |dataType|,
an [=attribution trigger=] |trigger|, an optional [=attribution source=]
<dfn for="obtain verbose debug data on trigger registration"><var>sourceToAttribute</var></dfn>,
and an optional [=attribution report=] <dfn for="obtain verbose debug data on trigger registration"><var>report</var></dfn>:

1. If |trigger|'s [=attribution trigger/debug reporting enabled=] is false, return null.
1. If the result of running [=check if cookie-based debugging is allowed=] with |trigger|'s
    [=attribution trigger/reporting origin=] and |trigger|'s [=attribution trigger/attribution destination=] is <strong>blocked</strong>, return null.
1. If |sourceToAttribute| is not null and |sourceToAttribute|'s [=attribution source/debug cookie set=] is false,
     return null.
1. Let |data| be a new [=verbose debug data=] with the items:
    : [=verbose debug data/data type=]
    :: |dataType|.
    : [=verbose debug data/body=]
    :: The result of running [=obtain verbose debug data body on trigger registration=] with |dataType|, |trigger|, |sourceToAttribute|, and |report|.
1. Return |data|.

<h3 algorithm id="triggering-event-level-attribution">Triggering event-level attribution</h3>

An [=event-level report=] |a| <dfn for="event-level report">is lower-priority than</dfn>
an [=event-level report=] |b| if any of the following are true:

* |a|'s [=event-level report/trigger priority=] is less than |b|'s [=event-level report/trigger priority=].
* |a|'s [=event-level report/trigger priority=] is equal to |b|'s [=event-level report/trigger priority=]
     and |a|'s [=event-level report/trigger time=] is greater than |b|'s [=event-level report/trigger time=].

An <dfn>event-level-report-replacement result</dfn> is one of the following:

<dl dfn-for="event-level-report-replacement result">
: "<dfn><code>add-new-report</code></dfn>"
:: The new report should be added.
: "<dfn><code>drop-new-report-none-to-replace</code></dfn>"
:: The new report should be dropped because the attributed source has reached
    its [=attribution source/max number of event-level reports|report limit=]
    and there is no pending report to consider for replacement.
: "<dfn><code>drop-new-report-low-priority</code></dfn>"
:: The new report should be dropped because the attributed source has reached
    its [=attribution source/max number of event-level reports|report limit=]
    and the new report [=event-level report/is lower-priority than=] all pending
    reports.

</dl>

To <dfn>maybe replace event-level report</dfn> given an [=attribution source=]
|sourceToAttribute| and an [=event-level report=] |report|:

1. [=Assert=]: |sourceToAttribute|'s [=attribution source/number of event-level reports=] is less than or equal to
    |sourceToAttribute|'s [=attribution source/max number of event-level reports=].
1. If |sourceToAttribute|'s [=attribution source/number of event-level reports=] is less than
    |sourceToAttribute|'s [=attribution source/max number of event-level reports=], return "<code>[=event-level-report-replacement result/add-new-report=]</code>".
1. Let |matchingReports| be a new [=list=] whose elements are all the elements in the [=event-level report cache=] whose [=event-level report/report time=] and [=event-level report/source identifier=] are equal to |report|'s, [=list/sorted in ascending order=] using [=event-level report/is lower-priority than=].
1. If |matchingReports| [=list/is empty=]:
    1. Set |sourceToAttribute|'s [=attribution source/event-level attributable=] value to false.
    1. Return "<code>[=event-level-report-replacement result/drop-new-report-none-to-replace=]</code>".
1. [=Assert=]: |sourceToAttribute|'s [=attribution source/number of event-level reports=]
    is greater than or equal to |matchingReports|'s [=list/size=].
1. Let |lowestPriorityReport| be |matchingReports|[0].
1. If |report| [=event-level report/is lower-priority than=] |lowestPriorityReport|,
    return "<code>[=event-level-report-replacement result/drop-new-report-low-priority=]</code>".
1. [=set/Remove=] |lowestPriorityReport| from the [=event-level report cache=].
1. Decrement |sourceToAttribute|'s [=attribution source/number of event-level reports=] value by 1.
1. Let |rateLimitRecord| be the element from [=attribution rate-limit cache=] whose
    [=attribution rate-limit record/entity ID=] is equal to |lowestPriorityReport|'s [=event-level report/report ID=]
    and [=attribution rate-limit record/scope=] is equal to "<code>[=rate-limit scope/event-attribution=]</code>".
1. [=Assert=]: |rateLimitRecord| is not null.

    Note: We are making an implicit assumption that [=attribution rate-limit window=] is
    greater than or equal to |sourceToAttribute|'s [=attribution source/expiry=].
    If this assumption does not hold then |rateLimitRecord| might be null.

1. [=set/Remove=] |rateLimitRecord| from the [=attribution rate-limit cache=].
1. Return "<code>[=event-level-report-replacement result/add-new-report=]</code>".

Issue: This algorithm is not compatible with the behavior proposed for
[=experimental Flexible Event support=] with differing
[=trigger spec/event-level report windows=] for a given source.

To <dfn>trigger event-level attribution</dfn> given an [=attribution trigger=] |trigger| and an
[=attribution source=] |sourceToAttribute|, run the following steps:

1. If |trigger|'s [=attribution trigger/event-level trigger configurations=]
    [=list/is empty=], return the [=triggering result=]
    ("<code>[=triggering status/dropped=]</code>", null).
1. If |sourceToAttribute|'s [=attribution source/randomized response=] is not null and is not [=list/is empty|empty=]:
    1. [=Assert=]: |sourceToAttribute|'s [=attribution source/event-level attributable=] is false.
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-event-noise=]</code>", null)).
1. Let |matchedConfig| be null.
1. [=set/iterate|For each=] [=event-level trigger configuration=] |config| of |trigger|'s
    [=attribution trigger/event-level trigger configurations=]:
    1. If the result of running
        [=match an attribution source against filters and negated filters=] with |sourceToAttribute|,
        |config|'s [=event-level trigger configuration/filters=],
        |config|'s [=event-level trigger configuration/negated filters=], and
        |trigger|'s [=attribution trigger/trigger time=] is true:
        1. Set |matchedConfig| to |config|.
        1. [=iteration/Break=].
1. If |matchedConfig| is null:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-event-no-matching-configurations=]</code>", null)).
1. If |matchedConfig|'s [=event-level trigger configuration/dedup key=] is not null and
    |sourceToAttribute|'s [=attribution source/dedup keys=] [=list/contains=] it:
     1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
         ("<code>[=trigger debug data type/trigger-event-deduplicated=]</code>", null)).
1. Let |specEntry| be the result of [=finding a matching trigger spec=] with
    |sourceToAttribute| and |matchedConfig|'s
    [=event-level trigger configuration/trigger data=].
1. If |specEntry| is null:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-event-no-matching-trigger-data=]</code>", null)).
1. Let |windowResult| be the result of [=check whether a moment falls within a window=]
    with |trigger|'s [=attribution trigger/trigger time=] and
    |specEntry|'s [=map/value=]'s [=trigger spec/event-level report windows=]'s
    [=report window list/total window=].
1. If |windowResult| is <strong>falls before</strong>:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-event-report-window-not-started=]</code>", null)).
1. If |windowResult| is <strong>falls after</strong>:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-event-report-window-passed=]</code>", null)).
1. [=Assert=]: |windowResult| is <strong>falls within</strong>.
1. Let |report| be the result of running [=obtain an event-level report=] with |sourceToAttribute|,
    |trigger|'s [=attribution trigger/trigger time=], |trigger|'s [=attribution trigger/debug key=],
    |matchedConfig|'s [=event-level trigger configuration/priority=], and |specEntry|.
1. Let |rateLimitRecord| be a new [=attribution rate-limit record=] with the items:
    : [=attribution rate-limit record/scope=]
    :: "<code>[=rate-limit scope/event-attribution=]</code>"
    : [=attribution rate-limit record/source site=]
    :: |sourceToAttribute|'s [=attribution source/source site=]
    : [=attribution rate-limit record/attribution destination=]
    :: |trigger|'s [=attribution trigger/attribution destination=]
    : [=attribution rate-limit record/reporting origin=]
    :: |sourceToAttribute|'s [=attribution source/reporting origin=]
    : [=attribution rate-limit record/time=]
    :: |sourceToAttribute|'s [=attribution source/source time=]
    : [=attribution rate-limit record/expiry time=]
    :: null
    : [=attribution rate-limit record/entity ID=]
    :: |report|'s [=event-level report/report ID=]
1. If the result of running [=check if attribution should be blocked by rate limits=]
    with |trigger|, |sourceToAttribute|, and |rateLimitRecord| is not null, return it.
1. If |sourceToAttribute|'s [=attribution source/event-level attributable=] value
    is false:
     1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
         ("<code>[=trigger debug data type/trigger-event-excessive-reports=]</code>", |report|)).
1. If the result of running [=maybe replace event-level report=] with |sourceToAttribute| and |report| is:
    <dl class="switch">
    : "<code>[=event-level-report-replacement result/add-new-report=]</code>"
    ::
         1. Let |numMatchingReports| be the number of entries in the [=event-level report cache=] whose
             [=event-level report/attribution destinations=] [=set/contains=] |trigger|'s [=attribution trigger/attribution destination=].
         1. If |numMatchingReports| is greater than or equal to the user agent's [=max event-level reports per attribution destination=]:
             1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
                 ("<code>[=trigger debug data type/trigger-event-storage-limit=]</code>", null)).
    : "<code>[=event-level-report-replacement result/drop-new-report-none-to-replace=]</code>"
    ::
         1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
             ("<code>[=trigger debug data type/trigger-event-excessive-reports=]</code>", |report|)).
    : "<code>[=event-level-report-replacement result/drop-new-report-low-priority=]</code>"
    ::
         1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
             ("<code>[=trigger debug data type/trigger-event-low-priority=]</code>", |report|)).

    </dl>
1. Let |triggeringStatus| be "<code>[=triggering status/attributed=]</code>".
1. Let |debugData| be null.
1. If |sourceToAttribute|'s [=attribution source/randomized response=] is:
    <dl class="switch">
    : null
    ::
        1. [=set/Append=] |report| to the [=event-level report cache=].
        1. [=set/Append=] |rateLimitRecord| to the [=attribution rate-limit cache=].
    : not null
    ::
        1. Set |triggeringStatus| to "<code>[=triggering status/noised=]</code>".
        1. Set |debugData| to ("<code>[=trigger debug data type/trigger-event-noise=]</code>", null).

    </dl>
1. Increment |sourceToAttribute|'s [=attribution source/number of event-level reports=] value by 1.
1. If |matchedConfig|'s [=event-level trigger configuration/dedup key=] is not null,
    [=list/append=] it to |sourceToAttribute|'s [=attribution source/dedup keys=].
1. If |triggeringStatus| is "<code>[=triggering status/attributed=]</code>" and
    the result of [=checking if attribution debugging can be enabled=]
    with |report|'s [=event-level report/attribution debug info=] is true, [=queue a task=] to
    [=attempt to deliver a debug report=] with |report|.
1. Return the [=triggering result=] (|triggeringStatus|, |debugData|).

<h3 algorithm id="triggering-aggregatable-attribution">Triggering aggregatable attribution</h3>

To <dfn>trigger aggregatable attribution</dfn> given an [=attribution trigger=] |trigger| and an
[=attribution source=] |sourceToAttribute|, run the following steps:

1. If the result of running [=check if an attribution trigger contains aggregatable data=] is false,
    return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>", null).
1. Let |windowResult| be the result of [=check whether a moment falls within a window=] with |trigger|'s
    [=attribution trigger/trigger time=] and |sourceToAttribute|'s [=attribution source/aggregatable report window=].
1. If |windowResult| is <strong>falls after</strong>:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-aggregate-report-window-passed=]</code>", null)).
1. [=Assert=]: |windowResult| is <strong>falls within</strong>.
1. Let |matchedDedupKey| be null.
1. [=list/iterate|For each=] [=aggregatable dedup key=] |aggregatableDedupKey| of |trigger|'s [=attribution trigger/aggregatable dedup keys=]:
    1. If the result of running [=match an attribution source against filters and negated filters=]
        with |sourceToAttribute|, |aggregatableDedupKey|'s [=aggregatable dedup key/filters=],
        |aggregatableDedupKey|'s [=aggregatable dedup key/negated filters=], and
        |trigger|'s [=attribution trigger/trigger time=] is true:
        1. Set |matchedDedupKey| to |aggregatableDedupKey|'s [=aggregatable dedup key/dedup key=].
        1. [=iteration/Break=].
1. If |matchedDedupKey| is not null and |sourceToAttribute|'s [=attribution source/aggregatable dedup keys=]
    [=list/contains=] it:
     1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
         ("<code>[=trigger debug data type/trigger-aggregate-deduplicated=]</code>", null)).
1. Let |report| be the result of running [=obtain an aggregatable attribution report=] with |sourceToAttribute| and |trigger|.
1. If |report|'s [=aggregatable attribution report/contributions=] [=list/is empty=]:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-aggregate-no-contributions=]</code>", null)).
1. Let |numMatchingReports| be the number of entries in the [=aggregatable attribution report cache=] whose
    [=aggregatable attribution report/effective attribution destination=] equals |trigger|'s [=attribution trigger/attribution destination=]
     and [=aggregatable attribution report/is null report=] is false.
1. If |numMatchingReports| is greater than or equal to the user agent's
    [=max aggregatable attribution reports per attribution destination=]:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-aggregate-storage-limit=]</code>", null)).
1. Let |rateLimitRecord| be a new [=attribution rate-limit record=] with the items:
    : [=attribution rate-limit record/scope=]
    :: "<code>[=rate-limit scope/aggregatable-attribution=]</code>"
    : [=attribution rate-limit record/source site=]
    :: |sourceToAttribute|'s [=attribution source/source site=]
    : [=attribution rate-limit record/attribution destination=]
    :: |trigger|'s [=attribution trigger/attribution destination=]
    : [=attribution rate-limit record/reporting origin=]
    :: |sourceToAttribute|'s [=attribution source/reporting origin=]
    : [=attribution rate-limit record/time=]
    :: |sourceToAttribute|'s [=attribution source/source time=]
    : [=attribution rate-limit record/expiry time=]
    :: null
    : [=attribution rate-limit record/entity ID=]
    :: null
1. If the result of running [=check if attribution should be blocked by rate limits=]
    with |trigger|, |sourceToAttribute|, and |rateLimitRecord| is not null,
    return it.
1. If |sourceToAttribute|'s [=attribution source/number of aggregatable attribution reports=] value is equal to [=max aggregatable reports per source=][0], then:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-aggregate-excessive-reports=]</code>", null)).
1. If the result of running [=check if an attribution source can create aggregatable contributions=]
    with |report| and |sourceToAttribute| is false:
    1. Return the [=triggering result=] ("<code>[=triggering status/dropped=]</code>",
        ("<code>[=trigger debug data type/trigger-aggregate-insufficient-budget=]</code>", null)).
1. [=set/Append=] |report| to the [=aggregatable attribution report cache=].
1. Increment |sourceToAttribute|'s [=attribution source/number of aggregatable attribution reports=] value by 1.
1. Decrement |sourceToAttribute|'s [=attribution source/remaining aggregatable attribution budget=] value by
    |report|'s [=aggregatable attribution report/required aggregatable budget=].
1. If |matchedDedupKey| is not null, [=list/append=] it to |sourceToAttribute|'s [=attribution source/aggregatable dedup keys=].
1. [=set/Append=] |rateLimitRecord| to the [=attribution rate-limit cache=].
1. Run [=generate null attribution reports and assign private state tokens=] with |trigger| and |report|.
1. If the result of [=checking if attribution debugging can be enabled=]
    with |report|'s [=aggregatable attribution report/attribution debug info=] is true,
    [=queue a task=] to [=attempt to deliver a debug report=] with |report|.
1. Return the [=triggering result=] ("<code>[=triggering status/attributed=]</code>", null).

<h3 algorithm id="triggering-attribution">Triggering attribution</h3>

To <dfn>obtain and deliver a verbose debug report on trigger registration</dfn>
given a [=set=] of [=trigger debug data=] |dataSet|, an [=attribution trigger=] |trigger|,
and an optional [=attribution source=] |sourceToAttribute|:

1. Let |debugDataList| be a new [=list=].
1. [=set/iterate|For each=] |data| of |dataSet|:
    1. Let |debugData| be the result of running [=obtain verbose debug data on trigger registration=] with
        |data|'s [=trigger debug data/data type=], |trigger|, |sourceToAttribute|,
        and |data|'s [=trigger debug data/report=].
    1. If |debugData| is not null, [=list/append=] |debugData| to |debugDataList|.
1. If |debugDataList| [=list/is empty=], return.
1. Run [=obtain and deliver a verbose debug report=] with |debugDataList|, |trigger|'s [=attribution trigger/reporting origin=],
    and |trigger|'s [=attribution trigger/fenced=].

To <dfn>obtain and deliver an aggregatable debug report on trigger registration</dfn>
given a [=set=] of [=trigger debug data=] |dataSet|, an [=attribution trigger=] |trigger|,
and an optional [=attribution source=] |sourceToAttribute|:

1. If |trigger|'s [=attribution trigger/fenced=] is true, return.
1. Let |config| be |trigger|'s [attribution trigger/aggregatable debug reporting config=].
1. Let |debugDataMap| be |config|'s [=aggregatable debug reporting config/debug data=].
1. If |debugDataMap| [=map/is empty=], return.
1. Let |sourceKeyPiece| be 0.
1. If |sourceToAttribute| is not null, then set |sourceKeyPiece| to
    |sourceToAttribute|'s [=attribution source/aggregatable debug reporting config=]'s
    [=aggregatable debug reporting config/key piece=].
1. Let |contributions| be a new [=list=].
1. Let |contextKeyPiece| be |sourceKeyPiece| bitwise-OR |config|'s
    [=aggregatable debug reporting config/key piece=].
1. [=set/iterate|For each=] |data| of |dataSet|:
    1. Let |type| be |data|'s [=trigger debug data/data type=].
    1. If |debugDataMap|[|type|] [=map/exists=]:
        1. Let |keyPiece| be |contextKeyPiece| bitwise-OR |debugDataMap|[|type|]'s
            [=aggregatable contribution/key=].
        1. Let |contribution| be a new [=aggregatable contribution=] with the items:
            : [=aggregatable contribution/key=]
            :: |keyPiece|
            : [=aggregatable contribution/value=]
            :: |debugDataMap|[|type|]'s [=aggregatable contribution/value=]
            : [=aggregatable contribution/filtering ID=]
            :: [=default filtering ID value=]
        1. [=list/Append=] |contribution| to |contributions|.
1. Run [=obtain and deliver an aggregatable debug report on registration=] with |contributions|,
    |trigger|'s [=attribution trigger/attribution destination=], |trigger|'s [=attribution trigger/reporting origin=],
    |sourceToAttribute|, |trigger|'s [=attribution trigger/attribution destination=],
    |config|'s [=aggregatable debug reporting config/aggregation coordinator=],
    and |trigger|'s [=attribution trigger/trigger time=].

To <dfn>obtain and deliver debug reports on trigger registration</dfn>
given a [=set=] of [=trigger debug data=] |dataSet|, an [=attribution trigger=] |trigger|,
and an optional [=attribution source=]
<dfn for="obtain and deliver debug reports on trigger registration"><var>sourceToAttribute</var></dfn>:

1. Run [=obtain and deliver a verbose debug report on trigger registration=]
    with |dataSet|, |trigger|, and |sourceToAttribute|.
1. Run [=obtain and deliver an aggregatable debug report on trigger registration=]
    with |dataSet|, |trigger|, and |sourceToAttribute|.

To <dfn>find matching sources</dfn> given an [=attribution trigger=] |trigger|:

1. Let |matchingSources| be a new [=list=].
1. [=set/iterate|For each=] |source| of the [=attribution source cache=]:
    1. If |source|'s [=attribution source/attribution destinations=] does not [=set/contains|contain=] |trigger|'s [=attribution trigger/attribution destination=], [=iteration/continue=].
    1. If |source|'s [=attribution source/reporting origin=] and |trigger|'s [=attribution trigger/reporting origin=] are not [=same origin=], [=iteration/continue=].
    1. If |source|'s [=attribution source/expiry time=] is less than or equal to |trigger|'s [=attribution trigger/trigger time=], [=iteration/continue=].
    1. [=list/Append=] |source| to |matchingSources|.
1. Set |matchingSources| to the result of [=list/sort in descending order|sorting=] |matchingSources|
    in descending order, with |a| being less than |b| if any of the following are true:
      * |a|'s [=attribution source/priority=] is less than |b|'s [=attribution source/priority=].
      * |a|'s [=attribution source/priority=] is equal to |b|'s [=attribution source/priority=] and |a|'s
         [=attribution source/source time=] is less than |b|'s [=attribution source/source time=].
1. Return |matchingSources|.

To <dfn>check if an [=attribution trigger=] contains aggregatable data</dfn> given an [=attribution trigger=] |trigger|,
run the following steps:

1. If |trigger|'s [=attribution trigger/aggregatable trigger data=] is not [=list/is empty|empty=], return true.
1. If any of |trigger|'s [=attribution trigger/aggregatable values configurations=]'s [=aggregatable values configuration/values=] is not [=list/is empty|empty=], return true.
1. Return false.

To <dfn noexport>trigger attribution</dfn> given an [=attribution trigger=] |trigger|, run the following steps:

1. Let |hasAggregatableData| be the result of [=checking if an attribution trigger contains aggregatable data=]
    with |trigger|.
1. If |trigger|'s [=attribution trigger/event-level trigger configurations=]
    [=set/is empty=] and |hasAggregatableData| is false, return.
1. Let |matchingSources| be the result of running [=find matching sources=] with |trigger|.
1. If |matchingSources| [=list/is empty=]:
    1. Run [=obtain and deliver debug reports on trigger registration=] with
        « ("<code>[=trigger debug data type/trigger-no-matching-source=]</code>", null) »,
        |trigger|, and [=obtain and deliver debug reports on trigger registration/sourceToAttribute=] set to null.
    1. If |hasAggregatableData| is true, then run [=generate null attribution reports and assign private state tokens=]
        with |trigger| and [=generate null attribution reports and assign private state tokens/report=] set to null.
    1. Return.
1. Let |sourceToAttribute| be |matchingSources|[0].
1. If the result of running
    [=match an attribution source against filters and negated filters=] with
    |sourceToAttribute|, |trigger|'s [=attribution trigger/filters=],
    |trigger|'s [=attribution trigger/negated filters=], and
    |trigger|'s [=attribution trigger/trigger time=] is false:
    1. Run [=obtain and deliver debug reports on trigger registration=] with
        « ("<code>[=trigger debug data type/trigger-no-matching-filter-data=]</code>", null) »,
        |trigger|, and |sourceToAttribute|.
    1. If |hasAggregatableData| is true, then run [=generate null attribution reports and assign private state tokens=]
        with |trigger| and [=generate null attribution reports and assign private state tokens/report=] set to null.
    1. Return.
1. [=list/Remove=] |sourceToAttribute| from |matchingSources|.
1. [=list/iterate|For each=] |item| of |matchingSources|:
    1. [=set/Remove=] |item| from the [=attribution source cache=].
1. Let |eventLevelResult| be the result of running [=trigger event-level attribution=]
    with |trigger| and |sourceToAttribute|.
1. Let |aggregatableResult| be the result of running [=trigger aggregatable attribution=]
    with |trigger| and |sourceToAttribute|.
1. Let |debugDataSet| be a new [=set=].
1. If |eventLevelResult|'s [=triggering result/debug data=] is not null,
    then [=set/append=] |eventLevelResult|'s [=triggering result/debug data=] to |debugDataSet|.
1. If |aggregatableResult|'s [=triggering result/debug data=] is not null,
    then [=set/append=] |aggregatableResult|'s [=triggering result/debug data=] to |debugDataSet|.
1. Run [=obtain and deliver debug reports on trigger registration=] with |debugDataSet|,
    |trigger|, and |sourceToAttribute|.
1. If |hasAggregatableData| and |aggregatableResult|'s [=triggering result/status=] is "<code>[=triggering status/dropped=]</code>",
    run [=generate null attribution reports and assign private state tokens=] with |trigger| and
    [=generate null attribution reports and assign private state tokens/report=] set to null.
1. [=list/Remove=] all [=attribution rate-limit records=] |entry| from the [=attribution rate-limit cache=] if the result of running
    [=can attribution rate-limit record be removed=] with |entry| and |trigger|'s [=attribution trigger/trigger time=] is true.

Issue(1287): Consider replacing |debugDataSet| with a [=list=].

<h3 algorithm id="delivery-time">Establishing report delivery time</h3>

To <dfn>check whether a moment falls within a window</dfn> given a [=moment=] |moment| and
a [=report window=] |window|:

1. If |moment| is less than |window|'s [=report window/start=], return
    <strong>falls before</strong>.
1. If |moment| is greater than or equal to |window|'s [=report window/end=],
    return <strong>falls after</strong>.
1. Return <strong>falls within</strong>.

To <dfn>obtain an event-level report delivery time</dfn> given a
[=report window list=] |windows| and a [=moment=] |triggerTime|:

1. If [=automation local testing mode=] is true, return |triggerTime|.
1. [=list/iterate|For each=] |window| of |windows|:
    1. If the result of [=check whether a moment falls within a window=] with
        |triggerTime| and |window| is <strong>falls within</strong>, return
        |window|'s [=report window/end=].
1. [=Assert=]: not reached.

To <dfn>obtain an aggregatable attribution report delivery time</dfn> given an [=attribution trigger=]
|trigger|, perform the following steps. They return a [=moment=].

1. Let |triggerTime| be |trigger|'s [=attribution trigger/trigger time=].
1. If the result of running [=check if an aggregatable attribution report should be unconditionally sent=] with |trigger|
    is true, return |triggerTime|.
1. Let |r| be a random double between 0 (inclusive) and 1 (exclusive) with uniform probability.
1. Return |triggerTime| + |r| * [=randomized aggregatable attribution report delay=].

<h3 algorithm id="obtaining-an-event-level-report">Obtaining an event-level report</h3>

To <dfn>obtain an event-level report</dfn> given an [=attribution source=] |source|,
a [=moment=] |triggerTime|, an optional non-negative 64-bit integer
<dfn for="obtain an event-level report"><var>triggerDebugKey</var></dfn>,
a 64-bit integer priority |priority|, and a [=trigger spec map=] [=map/entry=]
|specEntry|:

1. Let |reportTime| be the result of running
    [=obtain an event-level report delivery time=] with |specEntry|'s
    [=map/value=]'s [=trigger spec/event-level report windows=] and
    |triggerTime|.
1. Let |report| be a new [=event-level report=] struct whose items are:

    : [=event-level report/event ID=]
    :: |source|'s [=attribution source/event ID=].
    : [=event-level report/trigger data=]
    :: |specEntry|'s [=map/key=]
    : [=event-level report/randomized trigger rate=]
    :: |source|'s [=attribution source/randomized trigger rate=].
    : [=event-level report/reporting origin=]
    :: |source|'s [=attribution source/reporting origin=].
    : [=event-level report/attribution destinations=]
    :: |source|'s [=attribution source/attribution destinations=].
    : [=event-level report/report time=]
    :: |reportTime|
    : [=event-level report/trigger priority=]
    :: |priority|.
    : [=event-level report/trigger time=]
    :: |triggerTime|.
    : [=event-level report/source identifier=]
    :: |source|'s [=attribution source/source identifier=].
    : [=event-level report/report ID=]
    :: The result of [=generating a random UUID=].
    : [=event-level report/attribution debug info=]
    :: (|source|'s [=attribution source/debug key=], |triggerDebugKey|).
1. Return |report|.

<h3 id="obtaining-required-aggregatable-budget">Obtaining an aggregatable report's required budget</h3>

An [=aggregatable report=] |report|'s <dfn for="aggregatable report, aggregatable attribution report, aggregatable debug report">
required aggregatable budget</dfn> is the total [=aggregatable contribution/value=] of |report|'s
[=aggregatable report/contributions=].

<h3 algorithm id="obtaining-an-aggregatable-attribution-report">Obtaining an aggregatable attribution report</h3>

To <dfn>obtain an aggregatable attribution report</dfn> given an [=attribution source=] |source| and
an [=attribution trigger=] |trigger|:

1. Let |reportTime| be the result of running [=obtain an aggregatable attribution report delivery time=] with |trigger|.
1. Let |report| be a new [=aggregatable attribution report=] struct whose items are:

    : [=aggregatable attribution report/reporting origin=]
    :: |source|'s [=attribution source/reporting origin=].
    : [=aggregatable attribution report/effective attribution destination=]
    :: |trigger|'s [=attribution trigger/attribution destination=].
    : [=aggregatable attribution report/source time=]
    :: |source|'s [=attribution source/source time=].
    : [=aggregatable attribution report/report time=]
    :: |reportTime|.
    : [=aggregatable attribution report/report ID=]
    :: The result of [=generating a random UUID=].
    : [=aggregatable attribution report/attribution debug info=]
    :: (|source|'s [=attribution source/debug key=], |trigger|'s [=attribution trigger/debug key=]).
    : [=aggregatable attribution report/contributions=]
    :: The result of running [=create aggregatable contributions=] with |source| and |trigger|.
    : [=aggregatable attribution report/serialized private state token=]
    :: null.
    : [=aggregatable attribution report/aggregation coordinator=]
    :: |trigger|'s [=attribution trigger/aggregation coordinator=].
    : [=aggregatable attribution report/source registration time configuration=]
    :: |trigger|'s [=attribution trigger/aggregatable source registration time configuration=].
    : [=aggregatable attribution report/trigger context ID=]
    :: |trigger|'s [=attribution trigger/trigger context ID=]
    : [=aggregatable attribution report/filtering ID max bytes=]
    :: |trigger|'s [=attribution trigger/aggregatable filtering ID max bytes=]
    : [=aggregatable attribution report/source identifier=]
    :: |source|'s [=attribution source/source identifier=].
1. Return |report|.

<h3 id="generating-randomized-null-attribution-reports">Generating randomized null attribution reports</h3>

To <dfn>obtain a null attribution report</dfn> given an [=attribution trigger=] |trigger| and a [=moment=] |sourceTime|:

1. Let |reportTime| be the result of running [=obtain an aggregatable attribution report delivery time=] with |trigger|.
1. Let |report| be a new [=aggregatable attribution report=] struct whose items are:

    : [=aggregatable attribution report/reporting origin=]
    :: |trigger|'s [=attribution trigger/reporting origin=]
    : [=aggregatable attribution report/effective attribution destination=]
    :: |trigger|'s [=attribution trigger/attribution destination=]
    : [=aggregatable attribution report/source time=]
    :: |sourceTime|
    : [=aggregatable attribution report/report time=]
    :: |reportTime|
    : [=aggregatable attribution report/report ID=]
    :: The result of [=generating a random UUID=]
    : [=aggregatable attribution report/attribution debug info=]
    :: (null, |trigger|'s [=attribution trigger/debug key=])
    : [=aggregatable attribution report/contributions=]
    :: «»
    : [=aggregatable attribution report/serialized private state token=]
    :: null
    : [=aggregatable attribution report/aggregation coordinator=]
    :: |trigger|'s [=attribution trigger/aggregation coordinator=]
    : [=aggregatable attribution report/source registration time configuration=]
    :: |trigger|'s [=attribution trigger/aggregatable source registration time configuration=]
    : [=aggregatable attribution report/is null report=]
    :: true
    : [=aggregatable attribution report/trigger context ID=]
    :: |trigger|'s [=attribution trigger/trigger context ID=]
    : [=aggregatable attribution report/filtering ID max bytes=]
    :: |trigger|'s [=attribution trigger/aggregatable filtering ID max bytes=]
1. Return |report|.

To <dfn>obtain rounded source time</dfn> given a [=moment=] |sourceTime|, return |sourceTime| in seconds
since the UNIX epoch, rounded down to a multiple of a whole day (86400 seconds).

To <dfn>determine if a randomized null attribution report is generated</dfn> given a double |randomPickRate|:

1. [=Assert=]: |randomPickRate| is between 0 and 1 (both inclusive).
1. Let |r| be a random double between 0 (inclusive) and 1 (exclusive) with uniform probability.
1. If |r| is less than |randomPickRate|, return true.
1. Otherwise, return false.

To <dfn>generate null attribution reports</dfn> given an [=attribution trigger=] |trigger| and an optional [=aggregatable attribution report=] |report| defaulting to null:

1. Let |nullReports| be a new [=list=].
1. If |trigger|'s [=attribution trigger/aggregatable source registration time configuration=] is "<code>[=aggregatable source registration time configuration/exclude=]</code>":
    1. Let |randomizedNullReportRate| be [=randomized null attribution report rate excluding source registration time=].
    1. If the result of running [=check if an aggregatable attribution report should be unconditionally sent=] with |trigger|
        is true, set |randomizedNullReportRate| to 1.
    1. If |report| is null and the result of [=determining if a randomized null attribution report is generated=] with
        |randomizedNullReportRate| is true:
        1. Let |nullReport| be the result of [=obtaining a null attribution report=] with |trigger| and |trigger|'s
            [=attribution trigger/trigger time=].
        1. [=set/Append=] |nullReport| to the [=aggregatable attribution report cache=].
        1. [=list/Append=] |nullReport| to |nullReports|.
1. Otherwise:
    1. [=Assert=]: |trigger|'s [=attribution trigger/trigger context ID=] is null.
    1. Let |maxSourceExpiry| be [=valid source expiry range=][1].
    1. Round |maxSourceExpiry| away from zero to the nearest day (86400 seconds).
    1. Let |roundedAttributedSourceTime| be null.
    1. If |report| is not null, set |roundedAttributedSourceTime| to the result of [=obtaining rounded source time=] with |report|'s
        [=aggregatable attribution report/source time=].
    1. [=set/iterate|For each=] integer |day| of [=the range=] 0 to the number of days in |maxSourceExpiry|, inclusive:
        1. Let |fakeSourceTime| be |trigger|'s [=attribution trigger/trigger time=] - |day| days.
        1. If |roundedAttributedSourceTime| is not null and equals the result of [=obtaining rounded source time=] with |fakeSourceTime|:
            1. [=iteration/Continue=].
        1. If the result of [=determining if a randomized null attribution report is generated=] with [=randomized null attribution report rate including source registration time=] is true:
            1. Let |nullReport| be the result of [=obtaining a null attribution report=] with |trigger| and |fakeSourceTime|.
            1. [=set/Append=] |nullReport| to the [=aggregatable attribution report cache=].
            1. [=list/Append=] |nullReport| to |nullReports|.
1. Return |nullReports|.

To <dfn>shuffle a [=list=]</dfn> |list|, reorder |list|'s elements such that each possible permutation has equal
probability of appearance.

To <dfn>assign private state tokens</dfn> given a [=list=] of [=aggregatable attribution reports=] |reports| and
an [=attribution trigger=] |trigger|:

1. If |reports| [=list/is empty=], return.
1. Let |verifications| be |trigger|'s [=attribution trigger/verifications=].
1. If |verifications| [=list/is empty=], return.
1. If [=automation local testing mode=] is false:
    1. [=shuffle a list|Shuffle=] |reports|.
    1. [=shuffle a list|Shuffle=] |verifications|.
1. Let |n| be the minimum of |reports|'s [=list/size=] and |verifications|'s [=list/size=].
1. [=set/iterate|For each=] integer |i| of [=the exclusive range|the range=] 0 to |n|, exclusive:
    1. Set |reports|[i]'s [=aggregatable attribution report/report ID=] to |verifications|[i]'s [=trigger verification/id=].
    1. Set |reports|[i]'s [=aggregatable attribution report/serialized private state token=] to |verifications|[i]'s [=trigger verification/token=].

To <dfn>generate null attribution reports and assign private state tokens</dfn> given an [=attribution trigger=] |trigger|
and an optional [=aggregatable attribution report=] <dfn for="generate null attribution reports and assign private state tokens"><var>report</var></dfn> defaulting to null:

1. Let |reports| be the result of [=generating null attribution reports=] with |trigger| and |report|.
1. If |report| is not null:
    1. [=list/Append=] |report| to |reports|.
1. Run [=assign private state tokens=] with |reports| and |trigger|.

<h3 id="deferring-trigger-attribution">Deferring trigger attribution</h3>

To <dfn>maybe defer and then complete trigger attribution</dfn> given an [=attribution trigger=] |trigger|,
run the following steps [=in parallel=]:

1. Let |navigation| be the navigation that landed on the [=document=] from which |trigger|'s registration was initiated.
1. If |navigation| is null, return.
1. Let |sources| be all source registrations originating from background attributionsrc requests initiated by |navigation|.
1. If |sources| is empty, return.
1. Wait until all |sources| are [=process an attribution source|processed=].
1. [=Queue a task=] on the [=networking task source=] to [=trigger attribution=] with |trigger|.

Issue: Specify this in terms of <a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigating-across-documents">Navigation</a>

# Report delivery # {#report-delivery}

The user agent MUST periodically run [=queue reports for delivery=] on the
[=event-level report cache=] and [=aggregatable attribution report cache=].

To <dfn>queue reports for delivery</dfn> given a [=set=] of
[=attribution reports=] |cache|, run the following steps:

1. [=set/iterate|For each=] |report| of |cache|:
  1. If |report|'s [=attribution report/report time=] is greater than the
      [=current wall time=], [=iteration/continue=].
  1. [=set/Remove=] |report| from |cache|.

      Note: In order to support sending, waiting, and retries across various
       forms of interruption, including shutdown, the user agent may need to
       persist reports that are in the process of being sent in some other
       storage.
  1. Run the following steps [=in parallel=]:
      1. Wait an [=implementation-defined=] random non-negative [=duration=].

          Note: On startup, it is possible the user agent will need to send many reports whose report times passed while the browser was
           closed. Adding random delay prevents temporal joining of reports from different [=attribution source/source origin=]s.
      1. Optionally, wait a further [=implementation-defined=] [=duration=].

          Note: This is intended to allow user agents to optimize device resource usage.
      1. Run [=attempt to deliver a report=] with |report|.

<h3 id="encode-integer">Encode an unsigned k-bit integer</h3>

To <dfn>encode an unsigned k-byte integer</dfn> given an integer |integerToEncode|
and an integer |byteLength|, return the representation of |integerToEncode| as a
big-endian [=byte sequence=] of length |byteLength|, left padding with zeroes as
necessary.

<h3 id="obtain-aggregatable-report-debug-mode">Obtaining an aggregatable report's debug mode</h3>

An [=aggregatable report=] |report|'s <dfn for="aggregatable report">debug mode</dfn> is the result
of running the following steps:

1. If |report| is an:
    <dl class="switch">
    : [=aggregatable attribution report=]
    ::
        1. If the result of [=checking if attribution debugging can be enabled=] with
            |report|'s [=aggregatable attribution report/attribution debug info=] is true,
            return <strong>enabled</strong>.
        1. Return <strong>disabled</strong>.
    : [=aggregatable debug report=]
    :: Return <strong>disabled</strong>.

    </dl>

<h3 id="obtain-aggregatable-report-shared-info">Obtaining an aggregatable report's shared info</h3>

An [=aggregatable report=] |report|'s <dfn for="aggregatable report, aggregatable attribution report">shared info</dfn> is the result
of running the following steps:

1. Let |reportingOrigin| be |report|'s [=aggregatable report/reporting origin=].
1. Let |api| be null.
1. If |report| is an:
    <dl class="switch">
    : [=aggregatable attribution report=]
    :: Set |api| to "`attribution-reporting`".
    : [=aggregatable debug report=]
    :: Set |api| to "`attribution-reporting-debug`".

    </dl>
1. Let |sharedInfo| be a [=map=] of the following key/value pairs:

    : "`api`"
    :: |api|
    : "`attribution_destination`"
    :: |report|'s [=aggregatable report/effective attribution destination=], <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>
    : "`report_id`"
    :: |report|'s [=aggregatable report/report ID=]

    Note: The inclusion of "`report_id`" in the shared info is intended to allow the report recipient
    to perform deduplication and prevent double counting, in the event that the user agent retries
    reports on failure.

    : "`reporting_origin`"
    :: |reportingOrigin|, [=serialization of an origin|serialized=]
    : "`scheduled_report_time`"
    :: |report|'s [=aggregatable report/report time=] in seconds since the UNIX epoch, [=serialize an integer|serialized=]
    : "`version`"
    :: "`1.0`"

    Note: The "`version`" value needs to be bumped if the <a href="https://github.com/privacysandbox/aggregation-service">aggregation service</a> upgrades.

1. If |report|'s [=aggregatable report/debug mode=] is <strong>enabled</strong>,
    [=map/set=] |sharedInfo|["`debug_mode`"] to "`enabled`".
1. If |report| is an [=aggregatable attribution report=]:
    1. If |report|'s [=aggregatable attribution report/source registration time configuration=] is:
        <dl class="switch">
        : "<code>[=aggregatable source registration time configuration/include=]</code>"</dt>
        :: [=map/Set=] |sharedInfo|["`source_registration_time`"] to the result of [=obtaining rounded source time=]
            with |report|'s [=aggregatable attribution report/source time=], [=serialize an integer|serialized=].
        : "<code>[=aggregatable source registration time configuration/exclude=]</code>"
        :: [=map/Set=] |sharedInfo|["`source_registration_time`"] to "`0`".

        </dl>

1. Return the [=string=] resulting from executing [=serialize an infra value to a json string=] on |sharedInfo|.

<h3 id="obtain-aggregatable-report-aggregation-service-payloads">Obtaining an aggregatable report's aggregation service payloads</h3>

To <dfn>obtain the public key for encryption</dfn> given an [=aggregation coordinator=] |aggregationCoordinator|:

1. Let |url| be a new [=URL record=].
1. Set |url|'s [=url/scheme=] to |aggregationCoordinator|'s [=origin/scheme=].
1. Set |url|'s [=url/host=] to |aggregationCoordinator|'s [=origin/host=].
1. Set |url|'s [=url/port=] to |aggregationCoordinator|'s [=origin/port=].
1. Set |url|'s [=url/path=]  to «"`.well-known`", "`aggregation-service`", "`v1`", "`public-keys`"».
1. Return a user-agent-determined public key from |url| or an error in the event that the user
    agent failed to obtain the public key from |url|. This step may be asynchronous.

Issue: Specify this in terms of [=fetch=].

Note: The user agent might enforce weekly key rotation. If there are multiple keys, the user agent
might independently pick a key uniformly at random for every encryption operation.
The key should be uniquely identifiable.

An [=aggregatable report=] |report|'s <dfn for="aggregatable report">plaintext payload</dfn>
is the result of running the following steps:

1. Let |payloadData| be a new [=list=].
1. Let |maxContributions| be null.
1. If |report| is an:
    <dl class="switch">
    : [=aggregatable attribution report=]
    :: Set |maxContributions| to [=max aggregation keys per source registration=].
    : [=aggregatable debug report=]
    :: Set |maxContributions| to [=max contributions per aggregatable debug report=].

    </dl>
1. Let |contributions| be |report|'s [=aggregatable report/contributions=].
1. [=Assert=]: |contributions|'s [=list/size=] is less than or equal to |maxContributions|.
1. [=iteration/While=] |contributions|'s [=list/size=] is less than |maxContributions|:
    1. Let |nullContribution| be a new [=aggregatable contribution=] with the
        items:

        : [=aggregatable contribution/key=]
        :: 0
        : [=aggregatable contribution/value=]
        :: 0
        : [=aggregatable contribution/filtering ID=]
        :: [=default filtering ID value=]

    1. [=list/Append=] |nullContribution| to |contributions|.
1. [=list/iterate|For each=] |contribution| of |contributions|:
    1. Let |contributionData| be a [=map=] of the following key/value pairs:

        : "`bucket`"
        :: The result of [=encoding an unsigned k-byte integer=] given
            |contribution|'s [=aggregatable contribution/key=] and 16.
        : "`value`"
        :: The result of [=encoding an unsigned k-byte integer=] given
            |contribution|'s [=aggregatable contribution/value=] and 4.
        : "`id`"
        :: The result of [=encoding an unsigned k-byte integer=] given
            |contribution|'s [=aggregatable contribution/filtering ID=] and
            |report|'s [=aggregatable attribution report/filtering ID max bytes=].

    1. [=list/Append=] |contributionData| to |payloadData|.
1. Let |payload| be a [=map=] of the following key/value pairs:

    : "`data`"
    :: |payloadData|
    : "`operation`"
    :: "`histogram`"

1. Return the [=byte sequence=] resulting from [[!RFC8949|CBOR encoding]] |payload|.

To <dfn>obtain the encrypted payload</dfn> given an [=aggregatable report=] |report| and
a public key |pkR|, run the following steps:

1. Let |plaintext| be |report|'s [=aggregatable report/plaintext payload=].
1. Let |encodedSharedInfo| be |report|'s [=aggregatable report/shared info=], [=utf-8 encode|encoded=].
1. Let |info| be the [=string/concatenate|concatenation=] of «"`aggregation_service`", |encodedSharedInfo|».
1. Set up [[RFC9180|HPKE]] [[RFC9180#name-encryption-to-a-public-key|sender's context]]
    with |pkR| and |info|.
1. Return the [=byte sequence=] or an error resulting from [[RFC9180#name-encryption-and-decryption|encrypting]]
    |plaintext| with the [[RFC9180#name-encryption-to-a-public-key|sender's context]].

To <dfn>obtain the aggregation service payloads</dfn> given an [=aggregatable report=] |report|,
run the following steps:

1. Let |pkR| be the result of running [=obtain the public key for encryption=]
    with |report|'s [=aggregatable report/aggregation coordinator=].
1. If |pkR| is an error, return |pkR|.
1. Let |encryptedPayload| be the result of running [=obtain the encrypted payload=] with |report| and |pkR|.
1. If |encryptedPayload| is an error, return |encryptedPayload|.
1. Let |aggregationServicePayloads| be a new [=list=].
1. Let |aggregationServicePayload| be a [=map=] of the following key/value pairs:

    : "`payload`"
    :: |encryptedPayload|, [=forgiving-base64 encode|base64 encoded=]
    : "`key_id`"
    :: A [=string=] identifying |pkR|

1. If |report|'s [=aggregatable report/debug mode=] is <strong>enabled</strong>,
    [=map/set=] |aggregationServicePayload|["`debug_cleartext_payload`"] to |report|'s
    [=aggregatable report/plaintext payload=], [=forgiving-base64 encode|base64 encoded=].
1. [=list/Append=] |aggregationServicePayload| to |aggregationServicePayloads|.
1. Return |aggregationServicePayloads|.

<h3 id="serialize-report-body">Serialize attribution report body</h3>

To <dfn>obtain an event-level report body</dfn> given an [=attribution report=] |report|, run the following steps:

1. Let |data| be a [=map=] of the following key/value pairs:

    : "`attribution_destination`"
    :: |report|'s [=event-level report/attribution destinations=], [=serialize attribution destinations|serialized=].
    : "`randomized_trigger_rate`"
    :: |report|'s [=event-level report/randomized trigger rate=], rounded to 7 digits after the decimal point
    : "`source_type`"
    :: |report|'s [=event-level report/source type=]
    : "`source_event_id`"
    :: |report|'s [=event-level report/event ID=], [=serialize an integer|serialized=]
    : "`trigger_data`"
    :: |report|'s [=event-level report/trigger data=], [=serialize an integer|serialized=]
    : "`report_id`"
    :: |report|'s [=event-level report/report ID=]

    Note: The inclusion of "`report_id`" in the report body is intended to allow the report recipient
    to perform deduplication and prevent double counting, in the event that the user agent retries
    reports on failure.

    : "`scheduled_report_time`"
    :: |report|'s [=event-level report/report time=] in seconds since the UNIX epoch, [=serialize an integer|serialized=]

1. Run [=serialize an attribution debug info=] with |data| and |report|'s
    [=event-level report/attribution debug info=].
1. Return |data|.

To <dfn>serialize an [=event-level report=]</dfn> |report|, run the following steps:

1. Let |data| be the result of running [=obtain an event-level report body=] with |report|.
1. Return the [=byte sequence=] resulting from executing [=serialize an infra value to JSON bytes=] on |data|.

To <dfn>obtain an [=aggregatable report=] body</dfn> given an [=aggregatable report=] |report|, run the following steps:

1. [=Assert=]: |report|'s [=aggregatable report/effective attribution destination=] is not an [=opaque origin=].
1. Let |aggregationServicePayloads| be the result of running [=obtain the aggregation service payloads=].
1. If |aggregationServicePayloads| is an error, return |aggregationServicePayloads|.
1. Let |data| be a [=map=] of the following key/value pairs:

    : "`shared_info`"
    :: |report|'s [=aggregatable report/shared info=]
    : "`aggregation_service_payloads`"
    :: |aggregationServicePayloads|
    : "`aggregation_coordinator_origin`"
    :: |report|'s [=aggregatable report/aggregation coordinator=], [=serialization of an origin|serialized=]

1. Return |data|.

To <dfn>serialize an [=aggregatable attribution report=] </dfn> |report|, run the following steps:

1. Let |data| be the result of running [=obtain an aggregatable report body=] with |report|.
1. Run [=serialize an attribution debug info=] with |data| and |report|'s
    [=aggregatable attribution report/attribution debug info=].
1. If |report|'s [=aggregatable attribution report/trigger context ID=] is not null, [=map/set=]
    |data|["`trigger_context_id`"] to |report|'s [=aggregatable attribution report/trigger context ID=].
1. Return the [=byte sequence=] resulting from executing [=serialize an infra value to JSON bytes=] on |data|.

To <dfn>serialize an [=aggregatable debug report=] </dfn> |report|, run the following steps:

1. Let |data| be the result of running [=obtain an aggregatable report body=] with |report|.
1. Return the [=byte sequence=] resulting from executing [=serialize an infra value to JSON bytes=] on |data|.

To <dfn>serialize an [=attribution report=]</dfn> |report|, run the following steps:

1. [=Assert=]: |report| is an [=event-level report=] or an [=aggregatable attribution report=].
1. If |report| is an:
    <dl class="switch">
    : [=event-level report=]
    :: Return the result of running [=serialize an event-level report=] with |report|.
    : [=aggregatable attribution report=]
    :: Return the result of running [=serialize an aggregatable attribution report=] with |report|.

    </dl>

<h3 id="serialize-verbose-debug-report-body">Serialize verbose debug report body</h3>

To <dfn>serialize a [=verbose debug report=]</dfn> |report|, run the following steps:

1. Let |collection| be a new [=list=].
1. [=list/iterate|For each=] |debugData| of |report|'s [=verbose debug report/data=]:
    1. Let |data| be a [=map=] of the following key/value pairs:
        : "`type`"
        :: |debugData|'s [=verbose debug data/data type=]
        : "`body`"
        :: |debugData|'s [=verbose debug data/body=]
    1. [=list/Append=] |data| to |collection|.
1. Return the [=byte sequence=] resulting from executing [=serialize an Infra value to JSON bytes=] on |collection|.

<h3 id="get-report-url">Get report request URL</h3>

To <dfn>generate a report URL</dfn> given a [=suitable origin=] |reportingOrigin| and a [=list=] of [=strings=] |path|:

1. Let |reportUrl| be a new [=URL=] record.
1. Set |reportUrl|'s [=url/scheme=] to |reportingOrigin|'s [=origin/scheme=].
1. Set |reportUrl|'s [=url/host=] to |reportingOrigin|'s [=origin/host=].
1. Set |reportUrl|'s [=url/port=] to |reportingOrigin|'s [=origin/port=].
1. Let |fullPath| be «"`.well-known`", "`attribution-reporting`"».
1. [=list/Append=] |path| to |fullPath|.
1. Set |reportUrl|'s [=url/path=] to |fullPath|.
1. Return |reportUrl|.

To <dfn>generate an attribution report URL</dfn> given an [=attribution report=] |report| and an optional
[=boolean=] <dfn for="generate an attribution report URL"><var>isDebugReport</var></dfn> (default false):

1. [=Assert=]: |report| is an [=event-level report=] or an [=aggregatable attribution report=].
1. Let |path| be a new [=list=].
1. If |isDebugReport| is true, [=list/append=] "`debug`" to |path|.
1. If |report| is an:
    <dl class="switch">
    : [=event-level report=]
    :: [=list/Append=] "`report-event-attribution`" to |path|.
    : [=aggregatable attribution report=]
    :: [=list/Append=] "`report-aggregate-attribution`" to |path|.

    </dl>
1. Return the result of running [=generate a report URL=] with |report|'s
    [=attribution report/reporting origin=] and |path|.

To <dfn>generate a verbose debug report URL</dfn> given a [=verbose debug report=] |report|:

1. Let |path| be «"`debug`", "`verbose`"».
1. Return the result of running [=generate a report URL=] with |report|'s
    [=verbose debug report/reporting origin=] and |path|.

To <dfn>generate an aggregatable debug report URL</dfn> given an [=aggregatable debug report=] |report|:

1. Let |path| be «"`debug`", "`report-aggregate-debug`"».
1. Return the result of running [=generate a report URL=] with |report|'s
    [=aggregatable debug report/reporting origin=] and |path|.

<h3 id="create-report-request">Creating a report request</h3>

To <dfn>create a report request</dfn> given a [=URL=] |url|, a [=byte sequence=] |body|,
and a [=header list=] |newHeaders| (defaults to an empty [=list=]):

1. Let |headers| be a new [=header list=] containing a [=header=] named
    "`Content-Type`" whose value is "`application/json`".
1. [=list/iterate|For each=] |header| in |newHeaders|:
    1. [=header list/Append=] |header| to |headers|.
1. Let |request| be a new [=request=] with the following properties:
    :   [=request/method=]
    ::  "`POST`"
    :   [=request/URL=]
    ::  |url|
    :   [=request/header list=]
    ::  |headers|
    :   [=request/body=]
    ::  A [=/body=] whose [=body/source=] is |body|.
    :   [=request/referrer=]
    :: "`no-referrer`"
    :   [=request/client=]
    ::  `null`
    :   [=request/origin=]
    ::  |url|'s [=url/origin=]
    :   [=request/window=]
    ::  "`no-window`"
    :   [=request/service-workers mode=]
    ::  "`none`"
    :   [=request/initiator=]
    ::  ""
    :   [=request/mode=]
    ::  "`same-origin`"
    :   [=request/unsafe-request flag=]
    ::  set
    :   [=request/credentials mode=]
    ::  "`omit`"
    :   [=request/cache mode=]
    ::  "`no-store`"
1. Return |request|.

<h3 id="get-report-headers">Get report request headers</h3>

To <dfn>generate attribution report headers</dfn> given an [=attribution report=] |report|:

1. Let |newHeaders| be a new [=header list=].
1. If |report| is an [=aggregatable attribution report=]:
    1. If |report|'s [=aggregatable attribution report/serialized private state token=] is not null,
        [=header list/append=] a new [=header=] named "`Sec-Attribution-Reporting-Private-State-Token`" to |newHeaders|
        whose value is |report|'s [=aggregatable attribution report/serialized private state token=].
1. Return |newHeaders|.

<h3 id="issue-report-request">Issuing a report request</h3>

This algorithm constructs a [=request=] and attempts to deliver it to a [=suitable origin=].

To <dfn>attempt to deliver a report</dfn> given an [=attribution report=] |report|, run the following steps:

1. [=Assert=]: Neither the [=event-level report cache=] nor the
    [=aggregatable attribution report cache=] [=set/contains=] |report|.
1. The user-agent MAY ignore the report; if so, return.
1. Let |url| be the result of executing [=generate an attribution report URL=] on |report|.
1. Let |data| be the result of executing [=serialize an attribution report=] on |report|.
1. If |data| is an error, return.
1. Let |headers| be the result of executing [=generate attribution report headers=].
1. Let |request| be the result of executing [=create a report request=] on |url|, |data|, and |headers|.
1. [=Queue a task=] to [=fetch=] |request|.

Issue(220): This fetch should use a network partition key for an opaque origin.

A user agent MAY retry this algorithm in the event that there was an error.
To prevent the report recipient from learning additional information about
whether a user is online, retries might be limited in number and subject to random delays.

<h3 id="issue-debug-report-request">Issuing a debug report request</h3>

To <dfn>attempt to deliver a debug report</dfn> given an [=attribution report=] |report|:

1. The user-agent MAY ignore the report; if so, return.
1. Let |url| be the result of executing [=generate an attribution report URL=] on |report| with
    [=generate an attribution report URL/isDebugReport=] set to true.
1. Let |data| be the result of executing [=serialize an attribution report=] on |report|.
1. If |data| is an error, return.
1. Let |headers| be the result of executing [=generate attribution report headers=].
1. Let |request| be the result of executing [=create a report request=] on |url|, |data|, and |headers|.
1. [=Fetch=] |request|.

<h3 id="issue-verbose-debug-report-request">Issuing a verbose debug request</h3>

To <dfn>attempt to deliver a verbose debug report</dfn> given a [=verbose debug report=] |report|:

1. The user-agent MAY ignore the report; if so, return.
1. Let |url| be the result of executing [=generate a verbose debug report URL=] on |report|.
1. Let |data| be the result of executing [=serialize a verbose debug report=] on |report|.
1. Let |request| be the result of executing [=create a report request=] on |url| and |data|.
1. [=Fetch=] |request|.

<h3 id="issue-aggregatable-debug-report-request">Issuing an aggregatable debug request</h3>

To <dfn>attempt to deliver an aggregatable debug report</dfn> given an [=aggregatable debug report=] |report|:

1. The user-agent MAY ignore the report; if so, return.
1. Let |url| be the result of executing [=generate an aggregatable debug report URL=] on |report|.
1. Let |data| be the result of executing [=serialize an aggregatable debug report=] on |report|.
1. Let |request| be the result of executing [=create a report request=] on |url| and |data|.
1. [=Fetch=] |request|.

Issue(220): This fetch should use a network partition key for an opaque origin.

A user agent MAY retry this algorithm in the event that there was an error.

# Cross App and Web Algorithms # {#cross-app-and-web}

<h3 id="get-os-registrations">Get OS registrations</h3>

An <dfn>OS registration</dfn> is a [=struct=] with the following items:

<dl dfn-for="OS registration">
: <dfn>URL</dfn>
:: A [=URL=]
: <dfn>debug reporting enabled</dfn>
:: A [=boolean=]

</dl>

To <dfn noexport>get [=OS registrations=] from a header value</dfn> given a
[=header value=] |header|:

1. Let |values| be the result of [=structured header/parsing structured fields=]
    with <var ignore>input_string</var> set to |header| and
    <var ignore>header_type</var> set to "`list`".
1. If parsing failed, return null.
1. Let |registrations| be a new [=list=].
1. [=list/iterate|For each=] |value| of |values|:
     1. If |value| is not a [=string=], [=iteration/continue=].
     1. Let |url| be the result of running the [=URL parser=] on |value|.
     1. If |url| is failure or null, [=iteration/continue=].
     1. Let |debugReporting| be false.
     1. Let |params| be the [=structured header/parameters=] associated with |value|.
     1. If |params|["`debug-reporting`"] [=map/exists=] and |params|["`debug-reporting`"] is a [=boolean=],
         set |debugReporting| to |params|["`debug-reporting`"].
     1. Let |registration| be a new [=OS registration=] struct whose items are:
         : [=OS registration/URL=]
         :: |url|
         : [=OS registration/debug reporting enabled=]
         :: |debugReporting|
     1. [=list/Append=] |registration| to |registrations|.
1. If |registrations| [=list/is empty=], return null.
1. Return |registrations|.

<h3 id="set-os-support-headers">Set OS-support header</h3>

To <dfn export>get supported registrars</dfn>:

1. Let |supportedRegistrars| be a new [=list=].
1. If the user agent supports web registrations, [=list/append=] "<code>[=registrar/web=]</code>"
    to |supportedRegistrars|.
1. If the user agent supports OS registrations, [=list/append=] "<code>[=registrar/os=]</code>"
    to |supportedRegistrars|.
1. Return |supportedRegistrars|.

"<code><dfn>Attribution-Reporting-Support</dfn></code>" is a
[=structured header/dictionary|Dictionary Structured Header=]
set on a [=request=] that indicates which registrars, if
any, the corresponding [=response=] can use. Its values are not specified and
its allowed keys are the [=registrars=].

To <dfn noexport>set an OS-support header</dfn> given a [=header list=]
|headers|:

1. Let |supportedRegistrars| be the result of [=getting supported registrars=].
1. Let |dict| be the result of [=obtaining a dictionary structured header value=]
    with |supportedRegistrars| and the [=set=] containing all the [=registrars=].
1. [=header list/Set a structured field value=] given
    ("<code>[=Attribution-Reporting-Support=]</code>", |dict|) in |headers|.

<h3 id="deliver-os-registrations-debug-reports">Deliver OS registration debug reports</h3>

To <dfn>obtain and deliver debug reports on OS registrations</dfn> given an
[=OS debug data type=] |dataType|, a [=list=] of [=OS registrations=] |registrations|,
an [=origin=] |contextOrigin|, and a [=boolean=] |fenced|:

1. [=Assert=]: |registrations| is not [=list/is empty|empty=].
1. Let |contextSite| be the result of [=obtaining a site=] from |contextOrigin|.
1. [=list/iterate|For each=] |registration| of |registrations|:
    1. If |registration|'s [=OS registration/debug reporting enabled=] is false, [=iteration/continue=].
    1. Let |origin| be |registration|'s [=OS registration/URL=]'s [=url/origin=].
    1. If |origin| is not [=check if an origin is suitable|suitable=], [=iteration/continue=].
    1. Let |body| be a new [=map=] with the following key/value pairs:
        : "`context_site`"
        :: |contextSite|, <a href="https://html.spec.whatwg.org/multipage/origin.html#serialization-of-a-site">serialized</a>.
        : "`registration_url`"
        :: |registration|'s [=OS registration/URL=], [=url serializer|serialized=].

    1. Let |data| be a new [=verbose debug data=] with the items:
        : [=verbose debug data/data type=]
        :: |dataType|
        : [=verbose debug data/body=]
        :: |body|
    1. Run [=obtain and deliver a verbose debug report=] with « |data| », |origin|, and |fenced|.

# Report Verification Algorithms # {#report-verification}

"<dfn><code>Sec-Attribution-Reporting-Private-State-Token</code></dfn>" is a [=structured header=] used
to orchestrate report verification.

* When [=setting trigger verification request headers=], the field is a collection of unsigned masked tokens formatted as a [=structured header/list=] of [=structured header/string=].
* When [=receiving trigger verification tokens=], the field is a collection of signed masked tokens formatted as a [=structured header/list=] of [=structured header/string=].
* When [=generating attribution report headers=], the header field is a single signed unmasked token formatted as a [=structured header/string=].

<h3 id="initiate-trigger-verification">Initiate trigger verification</h3>

To <dfn noexport>set trigger verification request headers</dfn> given a [=request=] |request|
and a [=suitable origin=] |destination|:

1. Let |issuer| be |request|'s [=request/URL=]'s [=url/origin=].
1. If |issuer| is not [=check if an origin is suitable|suitable=], return.
1. Let (|issuerKeys|, |pretokens|, |cryptoProtocolVersion|) be the result of [=looking up the key commitments=] for |issuer|.
1. If |issuerKeys| is null, return.
1. Let |ids| be a new [=list=].
1. Let |base64EncodedMaskedMessages| be a new [=list=].
1. While |ids|'s [=list/size=] is less than [=verification tokens per trigger=]:
    1. Let |id| be the result of [=generating a random UUID=].
    1. [=list/Append=] |id| to |ids|.
    1. Let |message| be the [=string/concatenate|concatenation=] of |id| and |destination|.
    1. Let |maskedMessage| be the result of [=generating masked tokens=] with |issuerKeys| and |message|.
    1. Let |base64EncodedMaskedMessage| be the [=forgiving-base64 encoding=] of |maskedMessage|.
    1. Let |fieldValue| be the result of [=structured header/serializing a string=] with |base64EncodedMaskedMessage|.
    1. [=list/Append=] |fieldValue| to |base64EncodedMaskedMessages|.
1. Let |request|'s [=request/trigger verification metadata=] be a [=trigger verification metadata=] with the items:
    : [=trigger verification metadata/pretokens=]
    :: |pretokens|
    : [=trigger verification metadata/IDs=]
    :: |ids|
1. [=header list/Set a structured field value=] given
    ("<code>[=Sec-Attribution-Reporting-Private-State-Token=]</code>", |base64EncodedMaskedMessages|)
    in |request|'s [=request/header list=].
1. [=header list/Set a structured field value=] given
    ("<code>[=Sec-Private-State-Token-Crypto-Version=]</code>", |cryptoProtocolVersion|)
    in |request|'s [=request/header list=].

Issue: Link to a generating masked tokens algorithm that receives messages.

<h3 id="handle-trigger-verification">Handle trigger verification</h3>

To <dfn noexport>receive trigger verification tokens</dfn> given an
[=url/origin=] |issuer|, a [=header list=], |headers|, and a
possibly null [=trigger verification metadata=] |metadata|:

1. If |metadata| is null, return a new [=list=].
1. If |metadata|'s [=trigger verification metadata/IDs=]'s [=list/size=] is not equal to [=verification tokens per trigger=], return a new [=list=].
1. Let |pretokens| be |metadata|'s [=trigger verification metadata/pretokens=].
1. Let |issuerKeys| be the result of [=looking up the key commitments=] for |issuer|.
1. If |issuerKeys| is null, return a new [=list=].
1. Let |fieldValue| be the result of [=header list/getting a structured field value=] given
    ("<code>[=Sec-Attribution-Reporting-Private-State-Token=]</code>", "`list`") from |response|'s [=response/header list=].
1. Let |base64EncodedMaskedTokens| be the result of [=structured header/parsing a list=] with |fieldValue|.
1. [=header list/delete|Delete=] "<code>[=Sec-Attribution-Reporting-Private-State-Token=]</code>" from |response|'s [=response/header list=].
1. If |base64EncodedMaskedTokens|'s [=list/size=] is greater than |metadata|'s [=trigger verification metadata/IDs=]'s [=list/size=], return a new [=list=].
1. Let |base64EncodedPrivateStateTokens| be a new [=list=].
1. [=list/iterate|For each=] |base64EncodedMaskedToken| of |base64EncodedMaskedTokens|:
    1. Let |base64EncodedMaskedTokenValue| be the result of [=structured header/parsing a string=] with |base64EncodedMaskedToken|.
    1. Let |maskedToken| be the [=forgiving-base64 decoding=] of |base64EncodedMaskedTokenValue|.
    1. Let |token| be the result of [=unmasking tokens=] given |issuerKeys|, |pretokens|, and |maskedToken|.
    1. If |token| is null, return a new [=list=].
    1. Let |privateStateToken| be the result of running a cryptographic redemption procedure with |token|.
    1. If |privateStateToken| is null, return a new [=list=].
    1. Let |base64EncodedPrivateStateToken| be the [=forgiving-base64 encoding=] of |privateStateToken|.
    1. [=list/Append=] |base64EncodedPrivateStateToken| to |base64EncodedPrivateStateTokens|.
1. Let |triggerVerifications| be a new [=list=].
1. [=set/iterate|For each=] integer |i| of |base64EncodedPrivateStateTokens|'s [=list/get the indices|indices=]:
    1. Let |triggerVerification| be a [=trigger verification=] with the items:
        : [=trigger verification/token=]
        :: |base64EncodedPrivateStateTokens|[i]
        : [=trigger verification/id=]
        :: |metadata|'s [=trigger verification metadata/IDs=][i]
    1. [=list/Append=] |triggerVerification| to |triggerVerifications|.
1. Return |triggerVerifications|.

Issue: Specify the cryptographic redemption procedure.

# User-Agent Automation # {#automation}

The user-agent has an associated boolean <dfn>automation local testing mode</dfn> (default false).

For the purposes of user-agent automation and website testing, this document
defines the below [[WebDriver]] [=extension commands=] to control the API
configuration.

## Set local testing mode ## {#webdriver-setlocaltestingmode}

<figure id="table-webdriver-setlocaltestingmode" class="table">
    <table class="data">
        <thead>
            <tr>
                <th>HTTP Method</th>
                <th>URI Template</th>
            </tr>
        </thead>
        <tbody>
            <tr>
                <td>POST</td>
                <td>`/session/{session id}/ara/`<dfn>`localtestingmode`</dfn></td>
            </tr>
        </tbody>
    </table>
</figure>

The [=remote end steps=] are:

1. If |parameters| is not a JSON-formatted [[ECMASCRIPT#sec-objects|Object]],
    return a [=error|WebDriver error=] with [=error code=] [=invalid argument=].

1. Let |enabled| be the result of [=getting a property=] named `"enabled"` from
    |parameters|.

1. If |enabled| is {{undefined}} or is not a boolean, return a [=error|WebDriver error=]
    with [=error code=] [=invalid argument=].

1. Set [=automation local testing mode=] to |enabled|.

1. Return [=success=] with data `null`.

Note: Without this, reports would be subject to noise and delays, making testing difficult.

## Send pending reports ## {#webdriver-sendpendingreports}

<figure id="table-webdriver-sendpendingreports" class="table">
    <table class="data">
        <thead>
            <tr>
                <th>HTTP Method</th>
                <th>URI Template</th>
            </tr>
        </thead>
        <tbody>
            <tr>
                <td>POST</td>
                <td>`/session/{session id}/ara/`<dfn>`sendpendingreports`</dfn></td>
            </tr>
        </tbody>
    </table>
</figure>

The [=remote end steps=] are:

1. [=list/iterate|For each=] |cache| of « [=event-level report cache=], [=aggregatable attribution report cache=] »:
    1. [=set/iterate|For each=] |report| of |cache|:
        1. [=set/Remove=] |report| from |cache|.
        1. [=Attempt to deliver a report|Attempt to deliver=] |report|.
1. Return [=success=] with data `null`.

# Security considerations # {#security-considerations}

## Same-Origin Policy ## {#same-origin-policy}

*This section is non-normative.*

Writes to the [=attribution source cache=], [=event-level report cache=], and
[=aggregatable attribution report cache=] are separated by the reporting [=origin=], and reports sent
to a given [=origin=] are generated via data only written to by that [=origin=], via
HTTP response headers.

However, the [=attribution rate-limit cache=] is not fully partitioned by [=origin=]. Reads
to that cache involve grouping together data submitted by multiple origins. This is the case
for the following limits:
- [=max destinations per rate-limit window=][0]
- [=max source reporting origins per rate-limit window=]
- [=max source reporting origins per source reporting site=]
- [=max attribution reporting origins per rate-limit window=]

These limits are explicit relaxations of the Same-Origin Policy, in that they allow
different origins to influence the API's behavior. In particular, one risk that is
introduced with these shared limits is denial of service attacks, where a group of
origins could collude to intentionally hit a rate-limit, causing subsequent origins to
be unable to access the API.

This trades off security for privacy, in that the limits are there to reduce the efficacy
of many origins colluding together to violate privacy. API deployments should monitor
for abuse using these vectors to evaluate the trade-off.

The generation of [=verbose debug reports=] involves reads to the [=attribution source cache=],
[=event-level report cache=], [=aggregatable attribution report cache=], and [=attribution rate-limit cache=],
and the [=verbose debug data=] sent to a given [=origin=] may encode non-Same-Origin
data that are generated from grouping together data submitted by multiple [=origins=],
e.g. failures due to rate-limits that are not fully compliant with the Same-Origin Policy.
This is of greater concern for source registrations as the [=attribution source/source origin=]
could intentionally hit a rate-limit to identify sensitive user data. These [=verbose debug data=]
cannot be reported explicitly and may be reported as a [=source debug data type/source-success=]
[=verbose debug report=]. This is a tradeoff between security and utility, and mitigates the
security concern with respect to the Same-Origin Policy. The risk is of less concern for
trigger registrations as [=attribution sources=] have to be registered to start with and
it requires browsing activity on multiple sites.

The [=aggregatable debug reports=] may also encode non-Same-Origin data but in
encrypted form. The security risk is further mitigated by the generation of
null debug reports and the additive noise in the aggregation service.

## Opting in to the API ## {#opting-in-to-the-api}

*This section is non-normative.*

As a general principle, the API cannot be used purely at the HTTP layer without some level of
opt-in from JavaScript or HTML. For HTML, this opt-in is in the form of the
{{HTMLAttributionSrcElementUtils/attributionSrc}} attribute, and for JavaScript, it is
the various modifications to [=fetch=], {{XMLHttpRequest}}, and the [=window open steps=].

However, this principle is only strictly applied to registering [=attribution sources=]. For
[=triggering attribution=], we waive this requirement for the sake of compatibility with existing
systems, see <a href="https://github.com/WICG/attribution-reporting-api/issues/347">347</a> for
context.

# Privacy considerations # {#privacy-considerations}

## Clearing site data ## {#clearing-site-data}

The [=attribution caches=] contain data about a user's web activity. As such,
the user agent MAY expose controls that allow the user to delete data from them.

## Cross-site information disclosure ## {#cross-site-information-disclosure}

*This section is non-normative.*

The API is concerned with protecting arbitrary cross-site information from being passed
from one site to another. For a given [=attribution source=], any outcome associated with it
is considered cross-site information. This includes:
* Whether the [=attribution source=] generates any [=attribution reports=] or not
* The contents of the associated [=attribution reports=], if present

The information embedded in the API output is arbitrary but can include things like browsing
history and other cross-site activity. The API aims to provide some protection for this information:

### Event-level reports ### {#cross-site-information-disclosure-event-level-reports}

Any given [=attribution source=] has a [=obtain a set of possible trigger states|set of possible trigger states=].
The choice of trigger state may encode cross-site information. To protect the cross-site information disclosure,
each [=attribution source=] is subject to a [=obtain a randomized response|randomized response mechanism=] [[RR]],
which will choose a state at random with [=obtain a randomized source response pick rate|pick rate=]
dependent on the source's event-level epsilon, which has an upper bound of the
user agent's [=max settable event-level epsilon=].

This introduces some level of plausible deniability into the resulting [=event-level reports=] (or lack thereof),
as there is always a chance that the output was generated from a random process. We can reason about the
protection this gives an individual [=attribution source=] from the lens of differential privacy [[DP]].

Additionally, [=event-level reports=] limit the *amount* of relative cross-site information associated with
a particular [=attribution source=]. We model this using the notion of channel capacity [[CHAN]].  For every [=attribution source=],
it is possible to model its output as a noisy channel. The number of input/output symbols is governed by its associated
[=obtain a set of possible trigger states|set of possible trigger states=]. With the randomized response mechanism,
this allows us to analyze the output as a q-ary symmetric channel [[Q-SC]], with `q` equal to the [=set/size=] of the
[=obtain a set of possible trigger states|set of possible trigger states=]. This is normatively defined in the
[=compute the channel capacity of a source=] algorithm.

Note that [=source type/navigation=] [=attribution sources=] and [=source type/event=] [=attribution sources=] may
have different channel capacities, given that [=source type/event=] [=attribution sources=] can be registered without
[=user activation=] or top-level navigation. Maximum capacity for each type is governed by the vendor-defined
[=max event-level channel capacity per source=].

### Aggregatable attribution reports ### {#cross-site-information-disclosure-aggregatable-attribution-reports}

Aggregatable attribution reports protect against cross-site information disclosure in two primary ways:
1. For a given [=attribution trigger=], whether it is [=triggering attribution|attributed=] to a
    source is subject to one-way noise via [=generate null attribution reports|generating null attribution reports=] with
    some probability. Note that because the noise does not drop true reports, this is only a partial
    mitigation, as if an [=attribution source=] never generates an [=aggregatable attribution report=], an
    adversary can learn with 100% certainty that an [=attribution source=] was never matched with
    an [=attribution trigger=].
1. Cross-site information embedded in an [=aggregatable attribution report=]'s [=aggregatable attribution report/contributions=]
    is encrypted with a [=obtain the public key for encryption|public key=], ensuring that individual
    contributions cannot be accessed until an aggregation service subjects them to aggregation
    and an additive noise process.

Issue: add links to the aggregation service noise addition algorithm.

Issue: model the channel capacity of a trigger registration.

### Debug reports ### {#cross-site-information-disclosure-debug-reports}

Fine-grained cross-site information may be embedded in [=attribution reports=] sent with
[=generate an attribution report URL/isDebugReport=] being true and certain [=debug data type|types=]
of [=verbose debug reports=]. These reports will only be [=check if cookie-based debugging is allowed|allowed=]
when third-party cookies are available, in which case the API caller
had the capability to learn the underlying information.

## Protecting against cross-site recognition ## {#protecting-against-cross-site-recognition}

*This section is non-normative.*

A primary privacy goal of the API is to make linking identity between two different top-level sites
difficult. This happens when either a request or a JavaScript environment has two user IDs from two
different sites simultaneously. Both [=event-level reports=] and [=aggregatable attribution reports=] were
designed to make this kind of recognition difficult:

### Event-level reports ### {#cross-site-recognition-event-level-reports}

[=Event-level reports=] come bearing a fine-grained [=event-level report/event id=] that can
uniquely identify the source event, which may be joinable with a user's identity. As such, for
[=event-level reports=] to protect the cross-site recognition risk, they contain only a small
amount (measured via channel capacity) of relative cross-site information from any of the
[=attribution source/attribution destinations=]. By limiting the amount of relative cross-site
information embedded in [=event-level reports=], we make it difficult for an identifier to be passed
through this channel to enable cross-site recognition alone.

### Aggregatable attribution reports ### {#cross-site-recognition-aggregatable-attribution-reports}

[=Aggregatable attribution reports=] only contain fine-grained cross-site information in encrypted form.
In cleartext, they contain only coarse-grained information from the [=attribution source/source site=]
and [=aggregatable attribution report/effective attribution destination=]. This makes it difficult for an
[=aggregatable attribution report=] to be associated with a user from either site.

The cross-site recognition risk of the data encrypted in "`aggregation_service_payloads`" is
mitigated by the additive noise addition in the aggregation service.

## Mitigating against repeated API use ## {#mitigating-against-repeated-API-use}

Issue: fill in this section

## Protecting against browsing history reconstruction ## {#protecting-against-browsing-history-reconstruction}

Issue: fill in this section

## Reporting-delay concerns ## {#reporting-delay-concerns}

*This section is non-normative.*

Sending reports some time after attribution occurs enables side-channel leakage
in some situations.

### Cross-network reporting-origin leakage ### {#cross-network-reporting-origin-leakage}

A report may be *stored* while the browser is connected to one network but
*sent* while the browser is connected to a different network, potentially
enabling cross-network leakage of the reporting origin.

Example: A user runs the browser with a particular browsing profile on their
home network. An attribution report with a particular reporting origin is stored
with a scheduled report time in the future. After the scheduled report time is
reached, the user runs the browser with the same browsing profile on their
employer's network, at which point the browser sends the report to the reporting
origin. Although the report itself may be sent over HTTPS, the reporting origin
may be visible to the network administrator via DNS or the TLS client hello
(which can be mitigated with
<a href="https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni">ECH</a>).
Some reporting origins may be known to operate only or primarily on sensitive sites,
so this could leak information about the user's browsing activity to the user's
employer without their knowledge or consent.

Possible mitigations:

1. Only send reports with a given reporting origin when the browser has already
    made a request to that origin on the same network. This prevents the network
    administrator from gaining additional information from the Attribution
    Reporting API. However, it increases report loss and report delays, which
    reduces the utility of the API for the reporting origin. It might also
    increase the effectiveness of timing attacks, as the origin may be able to
    better link the report with the user's request that allowed the report to be released.
1. Send reports immediately: This reduces the likelihood of a report being
    stored and sent on different networks. However, it increases the likelihood
    that the reporting origin can correlate the original request made to the
    reporting origin for attribution to the report, which weakens the
    attribution-side privacy controls of the API. In particular,
    this destroys the differential privacy framework we have
    for event-level reports. It would also make the
    [=event-level report/trigger priority=] functionality impossible, as there
    would be no way to replace a lower-priority report that was already sent.
1. Use a trusted proxy server to send reports: This effectively moves the
    reporting origin into the report body, so only the proxy server would be
    visible to the network administrator.
1. Require <a href="https://datatracker.ietf.org/doc/html/rfc8484">DNS over HTTPS</a>:
    This effectively hides the reporting origin from the network administrator, but is
    likely impractical to enforce and is itself perhaps circumventable by the network
    administrator.

### User-presence tracking ### {#user-presence-tracking}

The browser only tries to send reports while it is running and while it has
internet connectivity (even without an explicit check for connectivity,
naturally the report will fail to be sent if there is none), so receiving or not
receiving an [=event-level report=] at the expected time leaks information about the user's
presence. Additionally, because the report request inherently includes an IP
address, this could reveal the user's IP-derived whereabouts to the reporting
origin, including at-home vs. at-work or approximate real-world geolocation,
or reveal patterns in the user's browsing activity.

Possible mitigations:

1. Send reports immediately: This effectively eliminates the presence tracking,
    as the original request made to the reporting origin is in close temporal
    proximity to the report request. However, it increases the likelihood that
    the reporting origin can correlate the two requests, which weakens the
    attribution-side privacy controls of the API. It would also make the
    [=event-level report/trigger priority=] functionality impossible, as there
    would be no way to replace a lower-priority report that was already sent.
1. Send reports immediately to a trusted proxy server, which would itself send
    the report to the reporting origin with additional delay. This would
    effectively hide both the user's IP address and their online-offline
    presence from the reporting origin. Compared to the previous mitigation, the
    proxy server could itself handle the [=event-level report/trigger priority=]
    functionality, at the cost of increased complexity in the proxy.