Remove the ar_debug requirement for cookie-based debug reporting while keeping the requirement for third-party cookie availability

[linnan-github]

Currently Attribution Reporting API cookie-based debug reporting is allowed when third-party cookies are available AND the special unpartitioned ar_debug cookie is set.

To make it easier for reporting origins to set up cookie-based debug reporting, we propose to keep the requirement of third-party cookies accessibility for the reporting origin on the source/destination sites, but remove the ar_debug cookie requirement.

There is no significant difference from either privacy or utility perspectives.

• Ad-techs can only set the ar_debug cookie if they have access to third-party cookies on the source/destination sites. Therefore, third-party cookie accessibility is equivalent to the ad-techs’ ability to set the ar_debug cookie, and thus there is no privacy regression.
• From the utility perspective, reporting origins can still control whether to enable cookie-based debug reporting via debug_key(attribution-success debug reports) or debug_reporting(verbose debug reporting) fields, and thus there is no utility regression.

This proposal brings ARA debugging more aligned with PAA which doesn’t require any API-specific cookie to be set. There may also be a slight utility improvement where ARA debug reports are not received due to misconfigured cookies (example).

[dmdabbs]

Ad-techs can only set the ar_debug cookie if they have access to third-party cookies on the source/destination sites. Therefore, third-party cookie accessibility is equivalent to the ad-techs’ ability to set the ar_debug cookie, and thus there is no privacy regression.

An embedded cross-site resource may set a partitioned cookie even when unpartitioned cookies are blocked/disabled, as I understand CHIPs reason for being.

[linnan-github]

Ad-techs can only set the ar_debug cookie if they have access to third-party cookies on the source/destination sites. Therefore, third-party cookie accessibility is equivalent to the ad-techs’ ability to set the ar_debug cookie, and thus there is no privacy regression.

An embedded cross-site resource may set a partitioned cookie even when unpartitioned cookies are blocked/disabled, as I understand CHIPs reason for being.

Thanks @dmdabbs. It's true that embedded cross-site resource can still set a partitioned cookie, and that's exactly why we require ar_debug to be unpartitioned currently. And to be clear, third-party cookie availability refers to unpartitioned cookies.