Protected Audience (formerly FLEDGE)

[SecureContext]
partial interface Navigator {
  Promise<undefined> joinAdInterestGroup(AuctionAdInterestGroup group);
};

dictionary AuctionAd {
  required USVString renderURL;
  any metadata;

  USVString buyerReportingId;
  USVString buyerAndSellerReportingId;
  sequence<USVString> allowedReportingOrigins;
};

dictionary GenerateBidInterestGroup {
  required USVString owner;
  required USVString name;
  required double lifetimeMs;

  boolean enableBiddingSignalsPrioritization = false;
  record<DOMString, double> priorityVector;

  DOMString executionMode = "compatibility";
  USVString biddingLogicURL;
  USVString biddingWasmHelperURL;
  USVString updateURL;
  USVString trustedBiddingSignalsURL;
  sequence<USVString> trustedBiddingSignalsKeys;
  any userBiddingSignals;
  sequence<AuctionAd> ads;
  sequence<AuctionAd> adComponents;
};

dictionary AuctionAdInterestGroup : GenerateBidInterestGroup {
  double priority = 0.0;
  record<DOMString, double> prioritySignalsOverrides;
  DOMString additionalBidKey;
};

The joinAdInterestGroup(group) method steps are:

1. Let global be this's relevant global object.

2. If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "NotAllowedError" DOMException.

3. Let frameOrigin be this's relevant settings object's origin.

4. Assert that frameOrigin is not an opaque origin and its scheme is "https".

5. Let interestGroup be a new interest group.

6. Validate the given group and set interestGroup’s fields accordingly.

   1. Set interestGroup’s expiry to the current wall time plus group["lifetimeMs"] milliseconds.

   2. Set interestGroup’s next update after to the current wall time plus 24 hours.

   3. Set interestGroup’s owner to the result of parsing an https origin on group["owner"].

   4. If interestGroup’s owner is failure, then throw a TypeError.

   5. Optionally, throw a "NotAllowedError" DOMException.

      Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the owner's site not being enrolled.

   6. Set interestGroup’s name to group["name"].

   7. Set interestGroup’s priority to group["priority"].

   8. Set interestGroup’s enable bidding signals prioritization to group["enableBiddingSignalsPrioritization"].

   9. If group["priorityVector"] exists, then set interestGroup’s priority vector to group["priorityVector"].

   10. If group["prioritySignalsOverrides"] exists, then set interestGroup’s priority signals overrides to group["prioritySignalsOverrides"].

   11. Set interestGroup’s execution mode to group["executionMode"].

   12. For each groupMember and interestGroupField in the following table

       Group member	Interest group field
       "biddingLogicURL"	bidding url
       "biddingWasmHelperURL"	bidding wasm helper url
       "updateURL"	update url
       "trustedBiddingSignalsURL"	trusted bidding signals url

       1. If group contains groupMember:

          1. Let parsedUrl be the result of running the URL parser on group[groupMember].

          2. Throw a TypeError if any of the following conditions hold:

             • parsedUrl is failure;

             • parsedUrl is not same origin with interestGroup’s owner;

             • parsedUrl includes credentials;

             • parsedUrl fragment is not null.

          3. Set interestGroup’s interestGroupField to parsedUrl.

   13. If interestGroup’s trusted bidding signals url's query is not null, then throw a TypeError.

   14. If group["trustedBiddingSignalsKeys"] exists, then set interestGroup’s trusted bidding signals keys to group["trustedBiddingSignalsKeys"].

   15. If group["userBiddingSignals"] exists:

       1. Set interestGroup’s user bidding signals to the result of serializing a JavaScript value to a JSON string, given group["userBiddingSignals"]. This can throw a TypeError.

   16. For each groupMember and interestGroupField in the following table

       Group member	Interest group field
       "ads"	ads
       "adComponents"	ad components

       1. If group contains groupMember, for each ad of group[groupMember]:

          1. Let igAd be a new interest group ad.

          2. Let renderURL be the result of running the URL parser on ad["renderURL"].

          3. Throw a TypeError if any of the following conditions hold:

             • renderURL is failure;

             • renderURL scheme is not "https";

             • renderURL includes credentials.

          4. Set igAd’s render url to renderURL.

          5. If ad["metadata"] exists, then let igAd’s metadata be the result of serializing a JavaScript value to a JSON string, given ad["metadata"]. This can throw a TypeError.

          6. If groupMember is "ads":

             1. If ad["buyerReportingId"] exists, then set igAd’s buyer reporting ID to it.

             2. If ad["buyerAndSellerReportingId"] exists, then set igAd’s buyer and seller reporting ID to it.

             3. If ad["allowedReportingOrigins"] exists:

                1. Let allowedReportingOrigins be a new list of origins.

                2. For each originStr in ad["allowedReportingOrigins"]:

                   1. Let origin be the result of parsing an https origin on originStr.

                   2. If origin is failure, then throw a TypeError.

                   3. Append origin to allowedReportingOrigins.

                   4. If allowedReportingOrigins’s size > 10, throw a TypeError.

                3. Set igAd’s allowed reporting origins to allowedReportingOrigins.

          7. Append igAd to interestGroup’s interestGroupField.

   17. If group["additionalBidKey"] exists:

       1. Let decodedKey be the result of running forgiving-base64 decode with group["additionalBidKey"].

       2. Throw a TypeError if any of the following conditions hold:

          • decodedKey is a failure;

          • decodedKey’s length is not 32;

          • group["ads"] exists;

          • group["updateURL"] exists.

       3. Set interestGroup’s additional bid key to decodedKey.

7. If interestGroup’s estimated size > 1048576, then throw a TypeError.

8. Let p be a new promise.

9. Let queue be the result of starting a new parallel queue.

10. Enqueue the following steps to queue:

    1. Let permission be the result of checking interest group permissions with interestGroup’s owner, frameOrigin, and "join".

    2. If permission is false, then queue a global task on DOM manipulation task source, given global, to reject p with a "NotAllowedError" DOMException and abort these steps.

    3. Queue a global task on DOM manipulation task source, given global, to resolve p with undefined.

    4. If the browser is currently storing an interest group with owner and name that matches interestGroup, then set the bid counts, join counts, and previous wins of interestGroup to the values of the currently stored one and remove the currently stored one from the browser.

    5. Set interestGroup’s joining origin to this's relevant settings object's top-level origin.

    6. Set interestGroup’s join time to the current wall time.

    7. If the most recent entry in interestGroup’s join counts corresponds to the current day in UTC, increment its count. If not, insert a new tuple the time set to the current UTC day and a count of 1.

    8. Store interestGroup in the user agent's interest group set.

11. Return p.

The estimated size of an interest group ig is the sum of:

1. The length of the serialization of ig’s owner.

2. The length of ig’s name.

3. 8, which is the size of ig’s priority.

4. The length of ig’s execution mode.

5. 2, which is the size of ig’s enable bidding signals prioritization.

6. If ig’s priority vector is not null, for each key → value of priority vector:

   1. The length of key.

   2. 8, which is the size of value.

7. If ig’s priority signals overrides is not null, for each key → value of priority signals overrides:

   1. The length of key.

   2. 8, which is the size of value.

8. The length of the serialization of ig’s bidding url, if the field is not null.

9. The length of the serialization of ig’s bidding wasm helper url, if the field is not null.

10. The length of the serialization of ig’s update url, if the field is not null.

11. The length of the serialization of ig’s trusted bidding signals url, if the field is not null.

12. For each key of ig’s trusted bidding signals keys:

    1. The length of key.

13. The length of ig’s user bidding signals.

14. If ig’s ads is not null, for each ad of it:

    1. The length of the serialization of ad’s render url.

    2. The length of ad’s metadata if the field is not null.

    3. The length of ad’s buyer reporting ID if the field is not null.

    4. The length of ad’s buyer and seller reporting ID if the field is not null.

    5. If ad’s allowed reporting origins is not null, for each origin of it:

       1. The length of the serialization of origin.

15. If ig’s ad components is not null, for each ad of it:

    1. The length of the serialization of ad’s render url.

    2. The length of ad’s metadata if the field is not null.

16. If ig’s additional bid key is not null:

    1. 32, which is its size (number of bytes).

To check interest group permissions given an origin ownerOrigin, an origin frameOrigin, and an enum joinOrLeave which is "join" or "leave":

1. If ownerOrigin is same origin with frameOrigin, then return true.

2. Let encodedFrameOrigin be the result of UTF-8 percent-encoding the serialized frameOrigin using component percent-encode set.

3. Let permissionsUrl be a new URL with the following items:

   scheme

   ownerOrigin’s scheme

   host

   ownerOrigin’s host

   port

   ownerOrigin’s port

   path

   « ".well-known", "interest-group", "permissions" »

   query

   The result of concatenating « "origin=", encodedFrameOrigin »

4. Let request be a new request with the following properties:

   URL

   permissionsUrl

   header list

   «Accept: application/json»

   client

   null

   origin

   frameOrigin

   mode

   "cors"

   referrer

   "no-referrer"

   credentials mode

   "omit"

   redirect mode

   "error"

   One of the side-effects of a null client for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.

5. Let resource be null.

6. Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:

   1. If responseBody is null or failure, set resource to failure and return.

   2. Let headers be response’s header list.

   3. Let mimeType be the result of extracting a MIME type from headers.

   4. If mimeType is failure or is not a JSON MIME Type, set resource to failure and return.

   5. Set resource to responseBody.

7. Wait for resource to be set.

8. If resource is failure, then return false.

9. Let permissions be the result of parsing JSON bytes to an Infra value with resource, returning false on failure.

10. If permissions is not an ordered map, then return false.

11. If joinOrLeave is "join" and permissions["joinAdInterestGroup"] exists, then return permissions["joinAdInterestGroup"].

12. If joinOrLeave is "leave" and permissions["leaveAdInterestGroup"] exists, then return permissions["leaveAdInterestGroup"].

13. Return false.

The browser may cache requests for permissionsUrl within a network partition.

In order to prevent leaking data, the browser must request permissionsUrl regardless of whether the user is a member of the ad interest group. This prevents a leak of the user’s ad interest group membership to the server.

To perform storage maintenance:

1. Let ownersAndExpiry be a new ordered map whose keys are origins and values are moments.

   Note: The key is from owner, and value is from expiry. It’s used to determine a set of owners whose interest groups will be removed from the user agent's interest group set because the number of distinct owners exceeds the Interest group set max owners limit. It’s sorted based on their values (expiry) in descending order, in order to remove interest groups of owners expiring soonest first.

2. Let now be the current wall time.

3. For each ig of the user agent's interest group set:

   1. Let owner be ig’s owner.

   2. If ig’s expiry is before now, then remove ig from the user agent's interest group set and continue.

   3. If ownersAndExpiry[owner] exists, then set ownersAndExpiry[owner] to ig’s expiry if it comes after ownersAndExpiry[owner].

   4. Otherwise, set ownersAndExpiry[owner] to ig’s expiry.

4. If ownersAndExpiry’s size > interest group set max owners, then set ownersAndExpiry to ownersAndExpiry sorted in descending order with a being less than b if a’s value comes before b’s value, where values are expiry.

5. Let owners be the keys of ownersAndExpiry.

6. For each i in the range from 0 to owners’s size, exclusive:

   1. If i ≥ interest group set max owners, then remove interest groups from the user agent's interest group set whose owner is owners[i], and continue.

   2. Let regularIgs be a list of regular interest groups in the user agent's interest group set whose owner is owners[i].

   3. If regularIgs’s size > max regular interest groups per owner, then clear excess interest groups with regularIgs and max regular interest groups per owner.

   4. Let negativeIgs be a list of negative interest groups in the user agent's interest group set whose owner is owners[i].

   5. If negativeIgs’s size > max negative interest groups per owner, then clear excess interest groups with negativeIgs and max negative interest groups per owner.

7. For each owner of owners:

   1. Let igs be a list of interest groups in the user agent's interest group set whose owner is owner, sorted in descending order with a being less than b if aexpiry comes before bexpiry.

   2. Let cumulativeSize be 0.

   3. For each ig of igs:

      1. If the sum of cumulativeSize and ig’s estimated size > max interest groups total size per owner, then remove ig from the user agent's interest group set.

      2. Otherwise, increment cumulativeSize by ig’s estimated size.

To clear excess interest groups with a list of interest groups igs, and an integer maxIgs:

1. Let sortedIgs be igs sorted in descending order with a being less than b if a’s expiry comes before b’s expiry.

   Note: In order to remove interest groups expiring soonest first, sort interest groups based on their expiry in descending order.

2. For each i in the range from maxIgs to igs’s size, exclusive:

   1. Remove sortedIgs[i] from the user agent's interest group set.

[SecureContext]
partial interface Navigator {
  Promise<undefined> leaveAdInterestGroup(optional AuctionAdInterestGroupKey group = {});
};

dictionary AuctionAdInterestGroupKey {
  required USVString owner;
  required USVString name;
};

The leaveAdInterestGroup(group) method steps are:

1. Let global be this's relevant global object.

2. Let frameOrigin be global’s origin.

3. Assert that frameOrigin is not an opaque origin and its scheme is "https".

4. Let p be a new promise.

5. If group is empty:

   1. Let instance be global’s browsing context's fenced frame config instance.

   2. If instance is null, then return.

   3. Let interestGroup be instance’s interest group descriptor.

   4. Run these steps in parallel:

      1. Queue a global task on DOM manipulation task source, given global, to resolve p with undefined.

      2. If interestGroup is not null:

         1. Let owner be interestGroup’s owner.

         2. If owner is same origin with frameOrigin, then remove interest groups from the user agent's interest group set whose owner is owner and name is interestGroup’s name.

6. Otherwise:

   1. If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "NotAllowedError" DOMException.

      Note: Both joining and leaving interest groups use the "join-ad-interest-group" feature.

   2. Let owner be the result of parsing an https origin with group["owner"].

   3. If owner is failure, throw a TypeError.

   4. Run these steps in parallel:

      1. Let permission be the result of checking interest group permissions with owner, frameOrigin, and "leave".

      2. If permission is false, then queue a global task on DOM manipulation task source, given global, to reject p with a "NotAllowedError" DOMException and abort these steps.

      3. Queue a global task on DOM manipulation task source, given global, to resolve p with undefined.

      4. Remove interest groups from the user agent's interest group set whose owner is owner and name is group["name"].

7. Return p.

[SecureContext]
partial interface Navigator {
  Promise<undefined> clearOriginJoinedAdInterestGroups(
      USVString owner, optional sequence<USVString> interestGroupsToKeep = []);
};

The clearOriginJoinedAdInterestGroups(owner, interestGroupsToKeep) method steps are:

1. Let frameOrigin be this's relevant settings object's origin.

2. Assert that frameOrigin is not an opaque origin and its scheme is "https".

3. Let p be a new promise.

4. Let global be this's relevant global object.

5. If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "NotAllowedError" DOMException.

   Note: Both joining and leaving interest groups use the "join-ad-interest-group" feature.

6. Let ownerOrigin be the result of parsing an https origin with owner.

7. If ownerOrigin is failure, throw a TypeError.

8. Run these steps in parallel:

   1. Let permission be the result of checking interest group permissions with ownerOrigin, frameOrigin, and "leave".

   2. If permission is false, then queue a global task on the DOM manipulation task source given global, reject p with a "NotAllowedError" DOMException and abort these steps.

   3. Queue a global task on the DOM manipulation task source given global, to resolve p with undefined.

   4. Remove interest groups from the user agent's interest group set whose owner is ownerOrigin, whose joining origin is frameOrigin, and whose name is not in interestGroupsToKeep.

9. Return p.

[SecureContext]
partial interface Navigator {
  Promise<(USVString or FencedFrameConfig)?> runAdAuction(AuctionAdConfig config);
};

dictionary AuctionAdConfig {
  required USVString seller;
  required USVString decisionLogicURL;
  USVString trustedScoringSignalsURL;
  sequence<USVString> interestGroupBuyers;
  Promise<any> auctionSignals;
  record<DOMString, DOMString> requestedSize;
  Promise<any> sellerSignals;
  Promise<DOMString> directFromSellerSignalsHeaderAdSlot;
  unsigned long long sellerTimeout;
  unsigned short sellerExperimentGroupId;
  USVString sellerCurrency;
  Promise<record<USVString, any>> perBuyerSignals;
  Promise<record<USVString, unsigned long long>> perBuyerTimeouts;
  Promise<record<USVString, unsigned long long>> perBuyerCumulativeTimeouts;
  record<USVString, unsigned short> perBuyerGroupLimits;
  record<USVString, unsigned short> perBuyerExperimentGroupIds;
  record<USVString, record<USVString, double>> perBuyerPrioritySignals;
  Promise<record<USVString, USVString>> perBuyerCurrencies;
  sequence<AuctionAdConfig> componentAuctions = [];
  Promise<undefined> additionalBids;
  DOMString auctionNonce;
  AbortSignal? signal;
  Promise<boolean> resolveToConfig;
};

The runAdAuction(config) method steps are:

1. Let global be this's relevant global object.

2. Let settings be this's relevant settings object.

3. If global’s associated Document is not allowed to use the "run-ad-auction" policy-controlled feature, then throw a "NotAllowedError" DOMException.

4. Let auctionConfig be the result of running validate and convert auction ad config with config and true.

5. If auctionConfig is failure, then throw a TypeError.

6. Optionally, throw a "NotAllowedError" DOMException.

   Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the seller's site not being enrolled.

7. Let p be a new promise.

8. Let configMapping be global’s associated Document's node navigable's traversable navigable's fenced frame config mapping.

9. Let pendingConfig be the result of constructing a pending fenced frame config with auctionConfig.

10. Let urn be the result of running store a pending config on configMapping with pendingConfig.

11. If urn is failure, then resolve p with null and return p.

12. Let bidIgs be a new list of interest groups.

13. If config["signal"] exists, then:

    1. Let signal be config["signal"].

    2. If signal is aborted, then reject p with signal’s abort reason and return p.

    3. Add the following abort steps to signal:

       1. Reject p with signal’s abort reason.

       2. Run update bid counts with bidIgs.

       3. Run interest group update with auctionConfig’s interest group buyers.

14. Let queue be the result of starting a new parallel queue.

15. Enqueue the following steps to queue:

    1. Let winnerInfo be the result of running generate and score bids with auctionConfig, null, global, settings’s top-level origin, and bidIgs.

    2. If winnerInfo is failure, then queue a global task on DOM manipulation task source, given global, to reject p with a "TypeError".

    3. If winnerInfo is null or winnerInfo’s leading bid is null, then queue a global task on DOM manipulation task source, given global, to resolve p with null.

    4. Otherwise:

       1. Let winner be winnerInfo’s leading bid.

       2. Let fencedFrameConfig be the result of filling in a pending fenced frame config with pendingConfig, auctionConfig, and winnerInfo.

       3. Finalize a pending config on configMapping with urn and fencedFrameConfig.

       4. Wait until auctionConfig’s resolve to config is a boolean.

       5. Let result be fencedFrameConfig.

       6. If auctionConfig’s resolve to config is false, then set result to urn.

       7. Queue a global task on the DOM manipulation task source, given global, to resolve p with result.

       8. Increment ad k-anonymity count given winner’s interest group and winner’s ad descriptor's url.

       9. If winner’s ad component descriptors is not null:

          1. For each adComponentDescriptor in winner’s ad component descriptors:

             1. Increment component ad k-anonymity count given adComponentDescriptor’s url.

       10. Increment reporting ID k-anonymity count given winner’s interest group and winner’s ad descriptor's url.

    5. Run interest group update with auctionConfig’s interest group buyers.

    6. Run update bid counts with bidIgs.

    7. Run update previous wins with winner.

16. Return p.

To construct a pending fenced frame config given an auction config config:

1. Return a fenced frame config with the following items:

   mapped url

   a struct with the following items:

   value

   "about:blank"

   visibility

   "opaque"

   container size

   TODO: fill this in once container size is spec’d to be in config

   content size

   null

   interest group descriptor

   a struct with the following items:

   value

   a struct with the following items:

   owner

   ""

   name

   ""

   visibility

   "opaque"

   on navigate callback

   null

   effective sandbox flags

   a struct with the following items:

   value

   TODO: fill this in once fenced frame sandbox flags are more fully specified

   visibility

   "opaque"

   effective enabled permissions

   a struct with the following items:

   value

   «"attribution-reporting", "private-aggregation", "shared-storage", "shared-storage-select-url"»

   visibility

   "opaque"

   fenced frame reporting metadata

   null

   exfiltration budget metadata

   null

   nested configs

   a struct with the following items:

   value

   an empty list «»

   visibility

   "opaque"

   embedder shared storage context

   null

To fill in a pending fenced frame config given a fenced frame config pendingConfig, auction config auctionConfig, and leading bid info winningBidInfo:

1. Let winningBid be winningBidInfo’s leading bid.

2. Set pendingConfig’s mapped url's value to winningBid’s ad descriptor's url.

3. Let adSize be winningBid’s ad descriptor's size.

4. If adSize is not null:

   1. Set pendingConfig’s content size to a struct with the following items:

      value

      adSize TODO: Resolve screen-relative sizes and macros and cast this properly.

      visibility

      "opaque"

5. Set pendingConfig’s interest group descriptor's value to a struct with the following items:

   owner

   winningBid’s interest group's owner

   name

   winningBid’s interest group's name

6. Let fencedFrameReportingMap be the map «[ "buyer" → «», "seller" → «» ]».

7. If auctionConfig’s component auctions is empty, then set fencedFrameReportingMap["component-seller"] to an empty list «».

8. Set pendingConfig’s fenced frame reporting metadata to a struct with the following items:

   value

   A struct with the following items:

   fenced frame reporting map

   fencedFrameReportingMap

   direct seller is seller

   true if auctionConfig’s component auctions is empty, false otherwise

   allowed reporting origins

   winningBid’s bid ad's allowed reporting origins

   visibility

   "opaque"

9. Set pendingConfig’s on navigate callback to an algorithm with these steps:

   1. Asynchronously finish reporting with pendingConfig’s fenced frame reporting metadata's value's fenced frame reporting map and winningBidInfo.

10. Set pendingConfig’s nested configs's value to the result of running create nested configs with winningBid’s ad component descriptors.

11. Return pendingConfig.

To asynchronously finish reporting given a fenced frame reporting map reportingMap and leading bid info leadingBidInfo:

1. Let buyerDone, sellerDone, and componentSellerDone be booleans, initially false.

2. If leadingBidInfo’s component seller is null, set componentSellerDone to true.

3. While:

   1. If buyerDone, sellerDone, and componentSellerDone are all true, then break.

   2. Wait until one of the following fields of leadingBidInfo being not null:

      • buyer reporting result;

      • seller reporting result;

      • component seller reporting result.

   3. If buyerDone is false and leadingBidInfo’s buyer reporting result is not null:

      1. Let buyerMap be leadingBidInfo’s buyer reporting result's reporting beacon map.

      2. If buyerMap is null, set buyerMap to an empty map «[]».

      3. Let macroMap be leadingBidInfo’s buyer reporting result's reporting macro map.

      4. Finalize a reporting destination with reportingMap, buyer, buyerMap, and macroMap.

      5. Send report to leadingBidInfo’s buyer reporting result's report url.

      6. Set buyerDone to true.

   4. If sellerDone is false and leadingBidInfo’s seller reporting result is not null:

      1. Let sellerMap be leadingBidInfo’s seller reporting result's reporting beacon map.

      2. If sellerMap is null, set sellerMap to an empty map «[]».

      3. Finalize a reporting destination with reportingMap, seller, and sellerMap.

      4. Send report to leadingBidInfo’s seller reporting result's report url.

      5. Set sellerDone to true.

   5. If componentSellerDone is false and leadingBidInfo’s component seller reporting result is not null:

      1. Let componentSellerMap be leadingBidInfo’s component seller reporting result's reporting beacon map.

      2. If componentSellerMap is null, set componentSellerMap to an empty map «[]».

      3. Finalize a reporting destination with reportingMap, component-seller, and componentSellerMap.

      4. Send report to leadingBidInfo’s component seller reporting result's report url.

      5. Set componentSellerDone to true.

To create nested configs given ad component descriptors adComponentDescriptors:

1. Let nestedConfigs be an empty list «».

2. If adComponentDescriptors is null:

   1. Return nestedConfigs.

3. For each adComponentDescriptor of adComponentDescriptors:

   1. Let fencedFrameConfig be a fenced frame config with the following items:

      mapped url

      a struct with the following items:

      value

      adComponentDescriptor’s url

      visibility

      "opaque"

      container size

      null

      content size

      If adComponentDescriptor’s size is null, then null. Otherwise, a struct with the following items:

      value

      adComponentDescriptor’s size TODO: Resolve screen-relative sizes and macros and cast this properly.

      visibility

      "opaque"

      interest group descriptor

      null

      on navigate callback

      null

      effective sandbox flags

      a struct with the following items:

      value

      TODO: fill this in once fenced frame sandbox flags are more fully specified

      visibility

      "opaque"

      effective enabled permissions

      a struct with the following items:

      value

      «"attribution-reporting", "private-aggregation", "shared-storage", "shared-storage-select-url"»

      visibility

      "opaque"

      fenced frame reporting metadata

      null

      exfiltration budget metadata

      null

      nested configs

      a struct with the following items:

      value

      an empty list «»

      visibility

      "opaque"

      embedder shared storage context

      null

   2. Append fencedFrameConfig to nestedConfigs.

4. Return nestedConfigs.

To validate and convert auction ad config given an AuctionAdConfig config and a boolean isTopLevel:

1. Assert that these steps are not running in parallel.

2. Let auctionConfig be a new auction config.

3. Let seller be the result of parsing an https origin with config["seller"].

4. If seller is failure, then return failure.

5. Set auctionConfig’s seller to seller.

6. Let decisionLogicURL be the result of running the URL parser on config["decisionLogicURL"].

7. If decisionLogicURL is failure, or it is not same origin with auctionConfig’s seller, then return failure.

8. Set auctionConfig’s decision logic url to decisionLogicURL.

9. If config["trustedScoringSignalsURL"] exists:

   1. Let trustedScoringSignalsURL be the result of running the URL parser on config["trustedScoringSignalsURL"].

   2. If trustedScoringSignalsURL is failure, or it is not same origin with auctionConfig’s seller, then return failure.

   3. Assert: trustedScoringSignalsURL’s scheme is "https".

   4. Set auctionConfig’s trusted scoring signals url to trustedScoringSignalsURL.

10. If config["interestGroupBuyers"] exists:

    1. Let buyers be a new empty list.

    2. For each buyerString in config["interestGroupBuyers"]:

       1. Let buyer be the result of parsing an https origin with buyerString.

       2. If buyer is failure, then return failure.

       3. Append buyer to buyers.

    3. Set auctionConfig’s interest group buyers to buyers.

11. If config["auctionSignals"] exists:

    1. Set auctionConfig’s auction signals to config["auctionSignals"].

    2. Handle an input promise in configuration given auctionConfig and auctionConfig’s auction signals:

       • To parse the value result, set auctionConfig’s auction signals to the result of serializing a JavaScript value to a JSON string.

       • To handle an error, set auctionConfig’s auction signals to failure.

12. If config["requestedSize"] exists:

    1. Let requestedSize be config["requestedSize"]

    2. If requestedSize["height"] does not exist, throw a TypeError.

    3. If requestedSize["width"] does not exist, throw a TypeError.

    4. Let width and widthUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with requestedSize["width"], respectively.

    5. If width is null, throw a TypeError.

    6. Let height and heightUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with requestedSize["height"], respectively.

    7. If height is null, throw a TypeError.

    8. Let adSize be a new ad size.

    9. Set adSize’s width to width, width units to widthUnit, height to height, height units to heightUnit.

    10. Set auctionConfig’s requested size to adSize.

13. If config["sellerSignals"] exists:

    1. Set auctionConfig’s seller signals to config["sellerSignals"].

    2. Handle an input promise in configuration given auctionConfig and auctionConfig’s seller signals:

       • To parse the value result, set auctionConfig’s seller signals to the result of serializing a JavaScript value to a JSON string, given result.

       • To handle an error, set auctionConfig’s seller signals to failure.

14. If config["auctionNonce"] exists, then set auctionConfig’s

    auction nonce to the result of running get uuid from string with config["auctionNonce"].

15. If config["additionalBids"] exists:

    1. Throw a TypeError if any of the following conditions hold:

       • config["auctionNonce"] does not exist;

       • config["interestGroupBuyers"] does not exist, or is empty;

       • config["componentAuctions"] is not empty.

    2. Set auctionConfig’s expects additional bids to true.

    3. Handle an input promise in configuration given auctionConfig and config["additionalBids"]:

       Note: The JavaScript code calling runAdAuction() is responsible for not resolving config["additionalBids"] until additional bids have been retrieved from one or more `Ad-Auction-Additional-Bid` headers, as resolving this Promise early would cause a race condition in which additional bids might not be included in the auction. There are two ways that additional bids can be retrieved. The first is for the JavaScript code to issue a request whose initiator type is "fetch" and whose adAuctionHeaders option is set to true. The JavaScript code has to resolve config["additionalBids"] after the corresponding call to fetch() has resolved to a response. The JavaScript code can also choose to wait to call runAdAuction() until after the corresponding call to fetch() has resolved to a response, and can then immediately resolve config["additionalBids"].

       The second way that additional bids can be retrieved is by issuing an iframe navigation request with the adauctionheaders content attribute set to true. In this case, the JavaScript code is retrieved as part of the iframe navigation response, at which point the JavaScript code in the iframe makes the call to runAdAuction(), and config["additionalBids"] can be immediately resolved.

       • To parse the value result:

         1. Set auctionConfig’s expects additional bids to false.

       • To handle an error:

         1. Set auctionConfig’s expects additional bids to failure.

16. If config["directFromSellerSignalsHeaderAdSlot"] exists:

    1. Handle an input promise in configuration given auctionConfig and config["directFromSellerSignalsHeaderAdSlot"]:

       Note: The JavaScript code calling runAdAuction() is responsible for not resolving config["directFromSellerSignalsHeaderAdSlot"] until direct from seller signals have been retrieved from one or more `Ad-Auction-Signals` headers, as resolving this Promise early would cause a race condition in which the worklet might run without the direct from seller signals that it needs. There are two ways that direct from seller signals can be retrieved. The first is for the JavaScript code to issue a request whose initiator type is "fetch" and whose adAuctionHeaders option is set to true. The JavaScript code has to resolve config["directFromSellerSignalsHeaderAdSlot"] after the corresponding call to fetch() has resolved to a response. The JavaScript code can also choose to wait to call runAdAuction() until after the corresponding call to fetch() has resolved to a response, and can then immediately resolve config["directFromSellerSignalsHeaderAdSlot"]. The second way that direct from seller signals can be retrieved is by issuing an iframe navigation request with the adauctionheaders content attribute set to true. In this case, the JavaScript code is retrieved as part of the iframe navigation response, at which point the JavaScript code in the iframe makes the call to runAdAuction(), and config["directFromSellerSignalsHeaderAdSlot"] can be can be specified directly without a Promise.

       • To parse the value result:

         1. Set auctionConfig’s direct from seller signals header ad slot to result.

       • To handle an error:

         1. Set auctionConfig’s direct from seller signals header ad slot to failure.

17. If config["sellerTimeout"] exists, set auctionConfig’s seller timeout to config["sellerTimeout"] in milliseconds or 500 milliseconds, whichever is smaller.

18. If config["sellerExperimentGroupId"] exists, then set auctionConfig’s seller experiment group id to config["sellerExperimentGroupId"].

19. If config["sellerCurrency"] exists:

    1. If the result of checking whether a string is a valid currency tag on config["sellerCurrency"] is false, then return failure.

    2. Set auctionConfig’s seller currency to config["sellerCurrency"].

20. If config["perBuyerSignals"] exists:

    1. Set auctionConfig’s per buyer signals to config["perBuyerSignals"].

    2. Handle an input promise in configuration given auctionConfig and auctionConfig’s per buyer signals:

       • To parse the value result:

         1. Set auctionConfig’s per buyer signals to a new ordered map whose keys are origins and whose values are strings.

         2. For each key → value of result:

            1. Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a TypeError.

            2. Let signalsString be the result of serializing a JavaScript value to a JSON string, given value.

            3. Set auctionConfig’s per buyer signals[buyer] to signalsString.

       • To handle an error, set auctionConfig’s per buyer signals to failure.

21. For each idlTimeoutMember, perBuyerTimeoutField, allBuyersTimeoutField in the following table

    IDL timeout member	Per buyer timeout field	All buyers timeout field
    "perBuyerTimeouts"	per buyer timeouts	all buyers timeout
    "perBuyerCumulativeTimeouts"	per buyer cumulative timeouts	all buyers cumulative timeout

    1. If config contains idlTimeoutMember:

       1. Set auctionConfig’s perBuyerTimeoutField to config[idlTimeoutMember].

       2. Handle an input promise in configuration given auctionConfig and auctionConfig’s perBuyerTimeoutField:

          • To parse the value result:

            1. Set auctionConfig’s perBuyerTimeoutField to a new ordered map whose keys are origins and whose values are durations in milliseconds.

            2. For each key → value of result:

               1. If perBuyerTimeoutField is "perBuyerTimeouts", and value > 500, then set value to 500.

               2. If key is "*", then set auctionConfig’s allBuyersTimeoutField to value in milliseconds, and continue.

               3. Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a TypeError.

               4. Set auctionConfig’s perBuyerTimeoutField[buyer] to value in milliseconds.

          • To handle an error, set auctionConfig’s perBuyerTimeoutField to failure.

22. If config["perBuyerGroupLimits"] exists, for each key → value of config["perBuyerGroupLimits"]:

    1. If value is 0, then return failure.

    2. If key is "*", then set auctionConfig’s all buyers group limit to value, and continue.

    3. Let buyer be the result of parsing an https origin with key.

    4. If buyer is failure, then return failure.

    5. Set auctionConfig’s per buyer group limits[buyer] to value.

23. If config["perBuyerExperimentGroupIds"] exists, for each key → value of config["perBuyerExperimentGroupIds"]:

    1. If key is "*", then set auctionConfig’s all buyer experiment group id to value, and continue.

    2. Let buyer the result of parsing an https origin with key.

    3. If buyer is failure, then return failure.

    4. Set auctionConfig’s per buyer experiment group ids[buyer] to value.

24. If config["perBuyerPrioritySignals"] exists, for each key → value of config["perBuyerPrioritySignals"]:

    1. Let signals be an ordered map whose keys are strings and whose values are double.

    2. for each k → v of value:

       1. If k starts with "browserSignals.", throw a TypeError.

       2. Set signals[k] to v.

    3. If key is "*", then set auctionConfig’s all buyers priority signals to value, and continue.

    4. Let buyer be the result of parsing an https origin with key.

    5. If buyer is failure, then return failure.

    6. Set auctionConfig’s per buyer priority signals[buyer] to signals.

25. If config["perBuyerCurrencies"] exists:

    1. Set auctionConfig’s per buyer currencies to config["perBuyerCurrencies"]

    2. Handle an input promise in configuration given auctionConfig and auctionConfig’s per buyer currencies:

       • To parse the value result:

         1. Set auctionConfig’s per buyer currencies to a new ordered map whose keys are origins and whose values are currency tags.

         2. for each key → value of result:

            1. If the result of checking whether a string is a valid currency tag given value is false, throw a TypeError.

            2. If key is "*", then set auctionConfig’s all buyers currency to value, and continue.

            3. Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a TypeError.

            4. Set auctionConfig’s per buyer currencies[buyer] to value.

       • To handle an error, set auctionConfig’s per buyer currencies to failure.

26. If config["componentAuctions"] is not empty:

    1. If config["interestGroupBuyers"] exists and is not empty, then return failure.

27. For each component in config["componentAuctions"]:

    1. If isTopLevel is false, then return failure.

    2. Let componentAuction be the result of running validate and convert auction ad config with component and false.

    3. If componentAuction is failure, then return failure.

    4. Append componentAuction to auctionConfig’s component auctions.

28. Set auctionConfig’s config idl to config.

29. If config["resolveToConfig"] exists:

    1. Let auctionConfig’s resolve to config be config["resolveToConfig"].

    2. TODO: What should happen if this rejects?

    3. Upon fulfillment of auctionConfig’s resolve to config with resolveToConfig, set auctionConfig’s resolve to config to resolveToConfig.

30. Return auctionConfig.

To parse an https origin given a string input:

1. Let url be the result of running the URL parser on input.

2. If url is failure, or its scheme is not "https", then return failure.

3. Return url’s origin.

To update bid count given a list of interest groups igs:

1. For each ig in igs:

   1. Let loadedIg be the interest group from the user agent's interest group set whose owner is ig’s owner and whose name is ig’s name, continue if none found.

   2. If the most recent entry in loadedIg’s bid counts corresponds to the current day in UTC, increment its count. If not, insert a new tuple of the time set to the current UTC day and a count of 1.

   3. Replace the interest group that has loadedIg’s owner and name in the user agent's interest group set with loadedIg.

To update previous wins given a generated bid bid:

1. Let ig be bid’s interest group.

2. Let loadedIg be the interest group from the user agent's interest group set whose owner is ig’s owner and whose name is ig’s name, return if none found.

3. Let win be a new previous win.

4. Set win’s time to the current wall time.

5. Let ad be an interest group ad whose render url is bid’s bid ad's render url, and whose metadata is bid’s bid ad's metadata.

6. Set win’s ad json to the result of serializing an Infra value to a JSON string given ad.

7. Append win to loadedIg’s previous wins.

8. Replace the interest group that has loadedIg’s owner and name in the user agent's interest group set with loadedIg.

To build bid generators map given an auction config auctionConfig:

1. Let bidGenerators be a new ordered map whose keys are origins and whose values are per buyer bid generators.

2. Let negativeTargetInfo be a new negative target info.

3. For each buyer in auctionConfig’s interest group buyers:

   1. For each ig of the user agent's interest group set whose owner is buyer:

      1. Let igName be ig’s name.

      2. If ig’s additional bid key is not null:

         1. Set negativeTargetInfo[(buyer, igName)] to (ig’s joining origin, ig’s additional bid key).

      3. Continue if any of the following conditions hold:

         • ig’s bidding url is null;

         • ig’s ads is null, or is empty.

      4. Let signalsUrl be ig’s trusted bidding signals url.

      5. Let joiningOrigin be ig’s joining origin.

      6. If bidGenerators does not contain buyer:

         1. Let perBuyerGenerator be a new per buyer bid generator.

         2. Let perSignalsUrlGenerator be a new per signals url bid generator.

         3. Set perSignalsUrlGenerator[joiningOrigin] to « ig ».

         4. Set perBuyerGenerator[signalsUrl] to perSignalsUrlGenerator.

         5. Set bidGenerators[buyer] to perBuyerGenerator.

         6. TODO: add a perBiddingScriptUrlGenerator layer that replaces the list of IGs with a map from biddingScriptUrl to a list of IGs.

      7. Otherwise:

         1. Let perBuyerGenerator be bidGenerators[buyer].

         2. If perBuyerGenerator does not contain signalsUrl:

            1. Let perSignalsUrlGenerator be a new per signals url bid generator.

            2. Set perSignalsUrlGenerator[joiningOrigin] to « ig ».

            3. Set perBuyerGenerator[signalsUrl] to perSignalsUrlGenerator.

         3. Otherwise:

            1. Let perSignalsUrlGenerator be perBuyerGenerator[signalsUrl].

            2. If perSignalsUrlGenerator does not contain joiningOrigin, then set perSignalsUrlGenerator[joiningOrigin] to « ig ».

            3. Otherwise, append ig to perSignalsUrlGenerator[joiningOrigin].

4. Return « bidGenerators, negativeTargetInfo ».

To generate a bid given an ordered map allTrustedBiddingSignals, a string auctionSignals, a BiddingBrowserSignals browserSignals, a string-or-null perBuyerSignals, a DirectFromSellerSignalsForBuyer directFromSellerSignalsForBuyer, a duration perBuyerTimeout in milliseconds, a currency tag expectedCurrency, an interest group ig, and a moment auctionStartTime:

1. Let igGenerateBid be the result of building an interest group passed to generateBid with ig.

2. Set browserSignals["joinCount"] to the sum of ig’s join counts for all days within the last 30 days.

3. Set browserSignals["recency"] to the current wall time minus ig’s join time, in milliseconds.

4. Set browserSignals["bidCount"] to the sum of ig’s bid counts for all days within the last 30 days.

5. Let prevWins be a new sequence<PreviousWin>.

6. For each prevWin of ig’s previous wins for all days within the the last 30 days:

   1. Let timeDelta be auctionStartTime minus prevWin’s time.

   2. Set timeDelta to 0 if timeDelta is negative, timeDelta’s nearest second (rounding down) otherwise.

   3. Let prevWinIDL be a new PreviousWin.

   4. Set prevWinIDL["timeDelta"] to timeDelta.

   5. Set prevWinIDL["adJSON"] to prevWin’s ad json.

   6. Append prevWinIDL to prevWins.

7. Set browserSignals["prevWinsMs"] to prevWins.

8. Let biddingScript be the result of fetching script with ig’s bidding url.

9. If biddingScript is failure, return failure.

10. If ig’s bidding wasm helper url is not null:

    1. Let wasmModuleObject be the result of fetching WebAssembly with ig’s bidding wasm helper url.

    2. If wasmModuleObject is not failure, then set browserSignals["wasmHelper"] to wasmModuleObject.

11. Let trustedBiddingSignals be an ordered map whose keys are strings and whose values are any.

12. For each key of ig’s trusted bidding signals keys:

    1. If allTrustedBiddingSignals is an ordered map and allTrustedBiddingSignals[key] exists, then set trustedBiddingSignals[key] to allTrustedBiddingSignals[key].

13. Return the result of evaluating a bidding script with biddingScript, ig, expectedCurrency, igGenerateBid, auctionSignals, perBuyerSignals, trustedBiddingSignals, browserSignals, directFromSellerSignalsForBuyer, and perBuyerTimeout.

To generate and score bids given an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, a global object global, an origin topLevelOrigin, and a list of interest groups bidIgs:

1. Assert that these steps are running in parallel.

2. Let auctionStartTime be the current wall time.

3. Let decisionLogicScript be the result of fetching script with auctionConfig’s decision logic url.

4. If decisionLogicScript is failure, return null.

5. Let « bidGenerators, negativeTargetInfo » be the result of running build bid generators map with auctionConfig.

6. Let leadingBidInfo be a new leading bid info.

7. Let queue be the result of starting a new parallel queue.

8. Let capturedAuctionHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured ad auction signals headers.

9. If auctionConfig’s component auctions are not empty:

   1. Assert topLevelAuctionConfig is null.

   2. Let pendingComponentAuctions be auctionConfig’s component auctions's size.

   3. Let topLevelDirectFromSellerSignalsForSeller be null.

   4. Let topLevelDirectFromSellerSignalsRetrieved be false.

   5. For each component in auctionConfig’s component auctions, enqueue the following steps to queue:

      1. Let compWinner be the result of running generate and score bids with component, auctionConfig, global, and topLevelOrigin.

      2. If compWinner is failure, return failure.

      3. If recursively wait until configuration input promises resolve given auctionConfig returns failure, return failure.

      4. If topLevelDirectFromSellerSignalsRetrieved is false:

         1. Let topLevelDirectFromSellerSignals be the result of running get direct from seller signals given auctionConfig’s seller, auctionConfig’s direct from seller signals header ad slot, and capturedAuctionHeaders.

         2. Let topLevelDirectFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given topLevelDirectFromSellerSignals.

         3. Set topLevelDirectFromSellerSignalsRetrieved to true.

      5. If compWinner is not null, then run score and rank a bid with auctionConfig, compWinner, leadingBidInfo, decisionLogicScript, null, "top-level-auction", null, and topLevelOrigin.

      6. Decrement pendingComponentAuctions by 1.

   6. Wait until pendingComponentAuctions is 0.

   7. If leadingBidInfo’s leading bid is null, return null.

   8. Let winningComponentConfig be leadingBidInfo’s auction config.

   9. Set leadingBidInfo’s auction config to auctionConfig.

   10. Set leadingBidInfo’s component seller to winningComponentConfig’s seller.

   11. Let « topLevelSellerSignals, unusedTopLevelReportResultBrowserSignals » be the result of running report result with leadingBidInfo, topLevelDirectFromSellerSignalsForSeller, winningComponentConfig, and global.

   12. Set leadingBidInfo’s auction config to winningComponentConfig.

   13. Set leadingBidInfo’s component seller to null.

   14. Set leadingBidInfo’s top level seller to auctionConfig’s seller.

   15. Set leadingBidInfo’s top level seller signals to topLevelSellerSignals.

   16. Let directFromSellerSignals be the result of running get direct from seller signals given winningComponentConfig’s seller, winningComponentConfig’s direct from seller signals header ad slot, and capturedAuctionHeaders.

   17. Let directFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given directFromSellerSignals.

   18. Let directFromSellerSignalsForBuyer be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and leadingBidInfo’s leading bid's interest group's owner.

   19. Let « sellerSignals, reportResultBrowserSignals » be the result of running report result with leadingBidInfo, directFromSellerSignalsForSeller, null, and global.

   20. Run report win with leadingBidInfo, sellerSignals, reportResultBrowserSignals, and directFromSellerSignalsForBuyer.

   21. Return leadingBidInfo’s leading bid.

10. If waiting until configuration input promises resolve given auctionConfig returns failure, then return failure.

11. Let allBuyersExperimentGroupId be auctionConfig’s all buyer experiment group id.

12. Let allBuyersGroupLimit be auctionConfig’s all buyers group limit.

13. Let auctionSignals be auctionConfig’s auction signals.

14. Let directFromSellerSignals be the result of running get direct from seller signals given auctionConfig’s seller, auctionConfig’s direct from seller signals header ad slot, and capturedAuctionHeaders.

15. Let directFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given directFromSellerSignals.

16. Let browserSignals be a BiddingBrowserSignals.

17. Let topLevelHost be the result of running the host serializer on topLevelOrigin’s host.

18. Set browserSignals["topWindowHostname"] to topLevelHost.

19. Set browserSignals["seller"] to the serialization of auctionConfig’s seller.

20. Let auctionLevel be "single-level-auction".

21. Let componentAuctionExpectedCurrency be null.

22. If topLevelAuctionConfig is not null:

    1. Set browserSignals["topLevelSeller"]] to the serialization of topLevelAuctionConfig’s seller.

    2. Set auctionLevel to "component-auction".

    3. Set componentAuctionExpectedCurrency to the result of looking up per-buyer currency with topLevelAuctionConfig and auctionConfig’s seller.

23. Let pendingBuyers be bidGenerators’s size.

24. Let additionalBids be the result of running validate and convert additional bids with auctionConfig, topLevelAuctionConfig, negativeTargetInfo and global.

25. Let pendingAdditionalBids be the size of additionalBids.

26. For each additionalBid of additionalBids, run the following steps in parallel:

    1. Score and rank a bid with auctionConfig, additionalBid, leadingBidInfo, decisionLogicScript, null, auctionLevel, componentAuctionExpectedCurrency, and topLevelOrigin.

    2. Decrement pendingAdditionalBids by 1.

27. For each buyer → perBuyerGenerator of bidGenerators, enqueue the following steps to queue:

    1. Let perBuyerCumulativeTimeout be auctionConfig’s all buyers cumulative timeout.

    2. If auctionConfig’s per buyer cumulative timeouts is not null and per buyer cumulative timeouts[buyer] exists, then set perBuyerCumulativeTimeout to auctionConfig’s per buyer cumulative timeouts[buyer].

    3. Let buyerExperimentGroupId be allBuyersExperimentGroupId.

    4. Let perBuyerExperimentGroupIds be auctionConfig’s per buyer experiment group ids.

    5. If perBuyerExperimentGroupIds is not null and perBuyerExperimentGroupIds[buyer] exists, then set buyerExperimentGroupId to perBuyerExperimentGroupIds[buyer].

    6. Apply interest groups limits to prioritized list:

       1. Let buyerGroupLimit be allBuyersGroupLimit.

       2. Let perBuyerGroupLimits be auctionConfig’s per buyer group limits.

       3. If perBuyerGroupLimits is not null and perBuyerGroupLimits[buyer] exists, then set buyerGroupLimit to perBuyerGroupLimits[buyer].

       4. Let igs be a new list of interest groups.

       5. For each signalsUrl → perSignalsUrlGenerator of perBuyerGenerator:

          1. For each joiningOrigin → groups of perSignalsUrlGenerator:

             1. Extend igs with groups.

       6. Sort in descending order igs, with a being less than b if a’s priority is less than b’s priority.

       7. Remove the first buyerGroupLimit items from igs.

       8. For each signalsUrl → perSignalsUrlGenerator of perBuyerGenerator:

          1. For each joiningOrigin → groups of perSignalsUrlGenerator:

             1. Remove from groups any interest group contained in igs.

    7. Let perBuyerSignals be null.

    8. If auctionConfig’s per buyer signals is not null and per buyer signals[buyer] exists, then set perBuyerSignals to auctionConfig’s per buyer signals[buyer].

    9. Let perBuyerTimeout be auctionConfig’s all buyers timeout.

    10. If auctionConfig’s per buyer timeouts is not null and per buyer timeouts[buyer] exists, then set perBuyerTimeout to auctionConfig’s per buyer timeouts[buyer].

    11. Let expectedCurrency be the result of looking up per-buyer currency with auctionConfig and buyer.

    12. For each signalsUrl → perSignalsUrlGenerator of perBuyerGenerator:

        1. Let keys be a new ordered set.

        2. Let igNames be a new ordered set.

        3. Let fetchSignalStartTime be settings’s current monotonic time.

        4. For each joiningOrigin → groups of perSignalsUrlGenerator:

           1. For each ig of groups:

              1. Append ig’s trusted bidding signals keys to keys.

              2. Append ig’s name to igNames.

        5. Let biddingSignalsUrl be the result of building trusted bidding signals url with signalsUrl, keys, igNames, buyerExperimentGroupId, and topLevelOrigin.

        6. Let « allTrustedBiddingSignals, dataVersion » be the result of fetching trusted signals with biddingSignalsUrl and true.

        7. If dataVersion is not null, then set browserSignals["dataVersion"] to dataVersion.

        8. Let fetchSignalDuration be the duration from fetchSignalStartTime to settings’s current monotonic time, in milliseconds.

        9. If perBuyerCumulativeTimeout is not null:

           1. Decrement perBuyerCumulativeTimeout by fetchSignalDuration.

           2. If perBuyerCumulativeTimeout is negative, then break;

        10. For each joiningOrigin → groups of perSignalsUrlGenerator:

            1. For each ig of groups:

               1. If ig’s bidding url is null, continue.

               2. If perBuyerCumulativeTimeout is not null and is less than perBuyerTimeout, then set perBuyerTimeout to perBuyerCumulativeTimeout.

               3. Let generateBidStartTime be settings’s current monotonic time.

               4. Let generatedBid be the result of generate a bid given allTrustedBiddingSignals, auctionSignals, a clone of browserSignals, perBuyerSignals, perBuyerTimeout, expectedCurrency, ig, and auctionStartTime.

               5. Let generateBidDuration be the duration from generateBidStartTime to settings’s current monotonic time, in milliseconds.

               6. If perBuyerCumulativeTimeout is not null, decrement perBuyerCumulativeTimeout by generateBidDuration.

               7. If generatedBid is failure, continue.

               8. If query generated bid k-anonymity count given generatedBid returns false:

                  Note: Generate a bid is now rerun with only k-anonymous ads to give the buyer a chance to generate a bid for k-anonymous ads. Allowing the buyer to first generate a bid for non-k-anonymous ads provides a mechanism to bootstrap the k-anonymity count, otherwise no ads would ever trigger increment k-anonymity count and all ads would fail query k-anonymity count.

                  1. TODO: Run score and rank a bid on generatedBid to find the highest scoring bid that isn’t k-anonymous. After the auction, if the highest scoring bid that isn’t k-anonymous has a higher score than the highest scoring k-anonymous bid, then call increment ad k-anonymity count on it.

                  2. Let originalAds be ig’s ads.

                  3. If originalAds is not null:

                     1. Set ig’s ads to a new list of interest group ad.

                     2. For each ad in originalAds:

                        1. If query ad k-anonymity count given ig and ad’s render url returns true, append ad to ig’s ads.

                  4. Let originalAdComponents be ig’s ad components.

                  5. If originalAdComponents is not null:

                     1. Set ig’s ad components to a new list of interest group ad.

                     2. For each adComponent in originalAdComponents:

                        1. If query component ad k-anonymity count given adComponent’s render url returns true, append adComponent to ig’s ad components.

                  6. If perBuyerCumulativeTimeout is not null and is less than perBuyerTimeout, then set perBuyerTimeout to perBuyerCumulativeTimeout.

                  7. Let generateBidStartTime be settings’s current monotonic time.

                  8. Set generatedBid to the result of generate a bid given allTrustedBiddingSignals, auctionSignals, a clone of browserSignals, perBuyerSignals, directFromSellerSignalsForBuyer, perBuyerTimeout, expectedCurrency, and ig.

                  9. Set ig’s ads to originalAds.

                  10. Set ig’s ad components to originalAdComponents.

                  11. Let generateBidDuration be the duration from generateBidStartTime to settings’s current monotonic time, in milliseconds.

                  12. If perBuyerCumulativeTimeout is not null, then decrement perBuyerCumulativeTimeout by generateBidDuration.

                  13. If generatedBid is failure, continue.

               9. Insert generatedBid’s interest group in bidIgs.

               10. Score and rank a bid with auctionConfig, generatedBid, leadingBidInfo, decisionLogicScript, directFromSellerSignalsForSeller, dataVersion, auctionLevel, componentAuctionExpectedCurrency, and topLevelOrigin.

    13. Decrement pendingBuyers by 1.

28. Wait until both pendingBuyers and pendingAdditionalBids are 0.

29. If leadingBidInfo’s leading bid is null, return null.

30. If topLevelAuctionConfig is null:

    1. Let « sellerSignals, reportResultBrowserSignals » be the result of running report result with leadingBidInfo, directFromSellerSignalsForSeller, null, and global.

    2. Let directFromSellerSignalsForWinner be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and leadingBidInfo’s leading bid's interest group's owner.

    3. Run report win with leadingBidInfo, sellerSignals, reportResultBrowserSignals, and directFromSellerSignalsForWinner.

31. Return leadingBidInfo’s leading bid.

To build an interest group passed to generateBid given an interest group ig:

1. Let igGenerateBid be a new GenerateBidInterestGroup with the following fields:

   owner

   The serialization of ig’s owner

   name

   ig’s name

   enableBiddingSignalsPrioritization

   ig’s enable bidding signals prioritization

   priorityVector

   ig’s priority vector if not null, otherwise undefined

   executionMode

   ig’s execution mode

   biddingLogicURL

   The serialization-or-undefined of ig’s bidding url

   biddingWasmHelperURL

   The serialization of ig’s bidding wasm helper url

   updateURL

   The serialization of ig’s update url

   trustedBiddingSignalsURL

   The serialization of ig’s trusted bidding signals url

   trustedBiddingSignalsKeys

   ig’s trusted bidding signals keys

   userBiddingSignals

   Parse a JSON string to a JavaScript value given ig’s user bidding signals

   ads

   ig’s ads converted to an AuctionAd sequence

   adComponents

   ig’s ad components converted to an AuctionAd sequence

2. Return igGenerateBid.

To serialize a URL given a URL-or-null url:

1. If url is null, then return undefined.

2. Return the serialization of url.

To convert to an AuctionAd sequence given a list-or-null ads:

1. If ads is null, then return undefined.

2. Let adsIDL be a new sequence<AuctionAd>.

3. For each ad of ads:

   1. Let adIDL be a new AuctionAd.

   2. Set adIDL["renderURL"] to the serialization of ad’s render url.

   3. If ad’s metadata is not null, then set adIDL["metadata"] to the result of parsing a JSON string to a JavaScript value given ad’s metadata.

   4. Append adIDL to adsIDL.

4. Return adsIDL.

To score and rank a bid given an auction config auctionConfig, a generated bid generatedBid, a leading bid info leadingBidInfo, a string decisionLogicScript, a DirectFromSellerSignalsForSeller directFromSellerSignalsForSeller, an unsigned long-or-null biddingDataVersion, an enum auctionLevel, which is "single-level-auction", "top-level-auction", or "component-auction", a currency tag componentAuctionExpectedCurrency, and an origin topLevelOrigin:

1. Let renderURL be serialized generatedBid’s ad descriptor's url.

2. Let adComponentRenderURLs be a new empty list.

3. If generatedBid’s ad component descriptors is not null:

   1. For each adComponentDescriptor in generatedBid’s ad component descriptors:

      1. Append serialized adComponentDescriptor’s url to adComponentRenderURLs.

4. Let fullSignalsUrl be the result of building trusted scoring signals url with auctionConfig’s trusted scoring signals url, «renderURL», adComponentRenderURLs, auctionConfig’s seller experiment group id, and topLevelOrigin.

   Implementations may batch requests by collecting render URLs and ad component render URLs from multiple invocations of score and rank a bid and passing them all to a single invocation of building trusted scoring signals url -- the network response has to be parsed to pull out the pieces relevant to each evaluation of a scoring script.

5. Let trustedScoringSignals be null.

6. Let «allTrustedScoringSignals, scoringDataVersion» be the result of fetching trusted signals with fullSignalsUrl and false.

7. If allTrustedScoringSignals is an ordered map:

   1. Set trustedScoringSignals to a new empty map.

   2. Set trustedScoringSignals["renderURL"] to a new empty map.

   3. If allTrustedScoringSignals["renderURLs"] exists and allTrustedScoringSignals["renderURLs"][renderURL] exists, then set trustedScoringSignals["renderURL"][renderURL] to allTrustedScoringSignals["renderURLs"][renderURL].

   4. If adComponentRenderURLs is not empty:

      1. Let adComponentRenderURLsValue be a new empty map.

      2. If allTrustedScoringSignals["adComponentRenderURLs"] exists, for each adComponentRenderURL in adComponentRenderURLs:

         1. If allTrustedScoringSignals["adComponentRenderURLs"][adComponentRenderURL] exists, then set adComponentRenderURLsValue[adComponentRenderURL] to allTrustedScoringSignals["adComponentRenderURLs"][adComponentRenderURL].

      3. Set trustedScoringSignals["adComponentRenderURLs"] to adComponentRenderURLsValue.

8. Let adMetadata be generatedBid’s ad.

9. Let bidValue be generatedBid’s bid.

10. If generatedBid’s modified bid is not null, then set bidValue to generatedBid’s modified bid.

11. Let owner be generatedBid’s interest group's owner.

12. Let browserSignals be a ScoringBrowserSignals with the following fields:

    topWindowHostname

    The result of running the host serializer on topLevelOrigin’s host

    interestGroupOwner

    Serialized owner

    renderURL

    The result of running the URL serializer on generatedBid’s ad descriptor's url

    biddingDurationMsec

    generatedBid’s bid duration

    bidCurrency

    The result of serializing a currency tag with generatedBid’s bid's currency

    dataVersion

    scoringDataVersion if it is not null, undefined otherwise

    adComponents

    generatedBid’s ad component descriptors converted to a string sequence

13. Let scoreAdResult be the result of evaluating a scoring script with decisionLogicScript, adMetadata, bidValue’s value, auctionConfig’s config idl, trustedScoringSignals, browserSignals, directFromSellerSignalsForSeller, and auctionConfig’s seller timeout.

14. Let scoreAdOutput be result of processing scoreAd output with scoreAdResult.

15. If scoreAdOutput is failure, return.

16. If auctionLevel is not "single-level-auction", and scoreAdOutput ["allowComponentAuction"] is false, return.

17. Let score be scoreAdOutput["desirability"].

18. If score is negative or 0, return.

19. If auctionLevel is "component-auction":

    1. Let bidToCheck be generatedBid’s bid.

    2. If scoreAdOutput["bid"] exists:

       1. Let modifiedBidValue be scoreAdOutput["bid"].

       2. If modifiedBidValue is negative or 0, return.

       3. Let modifiedBidCurrency be null.

       4. If scoreAdOutput["bidCurrency] exists, then set modifiedBidCurrency to scoreAdOutput["bidCurrency].

       5. Set generatedBid’s modified bid to a bid with currency with value modifiedBidValue and currency modifiedBidCurrency.

       6. Set bidToCheck to generatedBid’s modified bid.

    3. If the result of checking a currency tag with componentAuctionExpectedCurrency and bidToCheck’s currency is false, return.

    4. If the result of checking a currency tag with auctionConfig’s seller currency and bidToCheck’s currency is false, return.

20. If auctionConfig’s seller currency is not null:

    1. If generatedBid’s bid's currency is equal to auctionConfig’s seller currency:

       1. Set generatedBid’s bid in seller currency to generatedBid’s bid's value.

       2. If scoreAdOutput["incomingBidInSellerCurrency"] exists and does not equal generatedBid’s bid in seller currency, return.

    2. Otherwise if scoreAdOutput["incomingBidInSellerCurrency"] exists, then set generatedBid’s bid in seller currency to scoreAdOutput["incomingBidInSellerCurrency"]

21. Let updateLeadingBid be false.

22. If leadingBidInfo’s leading bid is null, or score is greater than leadingBidInfo’s top score:

    1. Set updateLeadingBid to true.

    2. Set leadingBidInfo’s top bids count to 1.

    3. Set leadingBidInfo’s at most one top bid owner to true.

23. Otherwise if score equals leadingBidInfo’s top score:

    1. Increment leadingBidInfo’s top bids count by 1.

    2. Set updateLeadingBid to true with 1 in leadingBidInfo’s top bids count chance.

    3. If updateLeadingBid is false, then update highest scoring other bid with score, leadingBidInfo’s leading bid, and leadingBidInfo.

    4. If owner is not same origin with leadingBidInfo’s leading bid's interest group's owner, then set leadingBidInfo’s at most one top bid owner to false.

24. Otherwise if score is greater than or equal to leadingBidInfo’s second highest score, then update highest scoring other bid with score, bidValue, and leadingBidInfo.

25. If updateLeadingBid is true:

    1. If leadingBidInfo’s leading bid is not null, then update highest scoring other bid with leadingBidInfo’s top score, leadingBidInfo’s leading bid, and leadingBidInfo.

    2. Set leadingBidInfo’s top score to score.

    3. Set leadingBidInfo’s leading bid to generatedBid.

    4. Set leadingBidInfo’s auction config to auctionConfig.

    5. Set leadingBidInfo’s bidding data version to biddingDataVersion.

    6. Set leadingBidInfo’s scoring data version to scoringDataVersion.

To convert to a string sequence given a list-or-null adComponents:

1. If adComponents is null, return undefined.

2. Let result be a new sequence<USVString>.

3. For each component of adComponents:

   1. Append serialized component’s url to result.

4. Return result.

To update highest scoring other bid given a double score, a generated bid-or-null bid, and a leading bid info leadingBidInfo:

1. If bid is null, return.

2. Let owner be bid’s interest group's owner.

3. If score is greater than leadingBidInfo’s second highest score:

   1. Set leadingBidInfo’s highest scoring other bid to bid.

   2. Set leadingBidInfo’s highest scoring other bids count to 1.

   3. Set leadingBidInfo’s second highest score to score.

   4. Set leadingBidInfo’s highest scoring other bid owner to owner if leadingBidInfo’s at most one top bid owner is true, null otherwise.

4. Otherwise if score is equal to leadingBidInfo’s second highest score:

   1. Increment leadingBidInfo’s highest scoring other bids count by 1.

   2. Set leadingBidInfo’s highest scoring other bid to bid with 1 in leadingBidInfo’s highest scoring other bids count chance.

   3. If leadingBidInfo’s highest scoring other bid owner is not null and owner is not same origin with leadingBidInfo’s highest scoring other bid owner, then set leadingBidInfo’s highest scoring other bid owner to null.

To validate fetching response given a response response, null, failure, or a byte sequence responseBody, and a string mimeType:

1. If responseBody is null or failure, return false.

2. If getting `Ad-Auction-Allowed` and "item" from response’s header list does not return a true value, return false.

3. Let headerMimeType be the result of extracting a MIME type from response’s header list.

4. Return false if any of the following conditions hold:

   • headerMimeType is failure;

   • mimeType is "text/javascript" and headerMimeType is not a JavaScript MIME type;

   • mimeType is "application/json" and headerMimeType is not a JSON MIME type.

5. Let mimeTypeCharset be headerMimeType’s parameters["charset"].

6. Return false if any of the following conditions hold:

   • mimeTypeCharset does not exist, or mimeTypeCharset is "utf-8", and responseBody is not UTF-8 encoded;

   • mimeTypeCharset is "us-ascii", and not all bytes in responseBody are ASCII bytes.

7. Return true.

To fetch script given a URL url:

1. Let request be a new request with the following properties:

   URL

   url

   header list

   «Accept: text/javascript»

   client

   null

   mode

   "no-cors"

   referrer

   "no-referrer"

   credentials mode

   "omit"

   redirect mode

   "error"

   One of the side-effects of a null client for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.

   Stop using "no-cors" mode where possible (WICG/turtledove#667).

2. Let script be null.

3. Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:

   1. If validate fetching response with response, responseBody and "text/javascript" returns false, set script to failure and return.

   2. Set script to responseBody.

4. Wait for script to be set.

5. Return script.

To fetch WebAssembly given a URL url:

1. Let request be a new request with the following properties:

   URL

   url

   header list

   «Accept: application/wasm»

   client

   null

   mode

   "no-cors"

   referrer

   "no-referrer"

   credentials mode

   "omit"

   redirect mode

   "error"

   One of the side-effects of a null client for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.

   Stop using "no-cors" mode where possible (WICG/turtledove#667).

2. Let moduleObject be null.

3. Fetch request with processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:

   1. Set moduleObject to failure and return, if any of the following conditions hold:

      • responseBody is null or failure;

      • Getting `Ad-Auction-Allowed` and "item" from response’s header list does not return a true value.

   2. Let module be the result of compiling a WebAssembly module response.

   3. If module is error, set moduleObject to failure.

   4. Otherwise, set moduleObject to module.

4. Wait for moduleObject to be set.

5. Return moduleObject.

To fetch trusted signals given a URL url, and a boolean isBiddingSignal:

1. Let request be a new request with the following properties:

   URL

   url

   header list

   «Accept: application/json»

   client

   null

   mode

   "no-cors"

   referrer

   "no-referrer"

   credentials mode

   "omit"

   redirect mode

   "error"

   One of the side-effects of a null client for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.

   Stop using "no-cors" mode where possible (WICG/turtledove#667).

2. Let signals be null.

3. Let dataVersion be null.

4. Let formatVersion be null.

5. Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:

   1. If validate fetching response with response, responseBody and "application/json" returns false, set signals to failure and return.

   2. Let headers be response’s header list.

   3. Set dataVersion to the result of getting a structured field value given `Data-Version` and "item" from headers.

   4. If dataVersion is not null:

      1. If dataVersion is not an integer, or is less than 0 or more than 2³²−1, set signals to failure and return.

   5. If isBiddingSignal is true, then set formatVersion to the result of getting a structured field value given `X-fledge-bidding-signals-format-version` and "item" from headers.

   6. Set signals to the result of parsing JSON bytes to an Infra value responseBody.

6. Wait for signals to be set.

7. If signals is a parsing exception, or if signals is not an ordered map, return « null, null ».

8. For each key → value of signals:

   1. Set signals[key] to the result of serializing an Infra value to a JSON string given value.

9. If formatVersion is 2:

   1. If signals["keys"] does not exist, return « null, null ».

   2. Set signals to signals["keys"].

   3. If signals is not an ordered map, return « null, null ».

   4. TODO: handle priority vector.

10. Return « signals, dataVersion ».

To encode trusted signals keys given an ordered set of strings keys:

1. Let list be a new empty list.

2. Let keysStr be the result of concatenating keys with separator set to ",".

3. Append the result of UTF-8 percent-encoding keysStr using component percent-encode set to list.

   The Chrome implementation encodes 0x20 (SP) to U+002B (+), while UTF-8 percent-encoding encodes it to "%20".

4. Return list.

To build trusted bidding signals url given a URL signalsUrl, an ordered set of strings keys, an ordered set of strings igNames, an unsigned short-or-null experimentGroupId, and an origin topLevelOrigin:

1. Let queryParamsList be a new empty list.

   Note: These steps create a query of the form "&<name>=<values in comma-delimited list>". E.g., "hostname=publisher1.com&keys=key1,key2&interestGroupNames=ad+platform,name2&experimentGroupId=1234".
   
   These steps don’t use the application/x-www-form-urlencoded serializer to construct the query string because it repeats a key if it has multiple values instead of a comma-demilited list (e.g., "keys=key1&keys=key2", instead of "keys=key1,key2"), and it also uses a different percent encode set from the Chrome implementation.

2. Append "hostname=" to queryParamsList.

3. Append the result of UTF-8 percent-encoding the serialized topLevelOrigin using component percent-encode set to queryParamsList.

4. If keys is not empty:

   1. Append "&keys=" to queryParamsList.

   2. Extend queryParamsList with the result of encode trusted signals keys with keys.

5. If igNames is not empty:

   1. Append "&interestGroupNames=" to queryParamsList.

   2. Extend queryParamsList with the result of encode trusted signals keys with igNames.

6. If experimentGroupId is not null:

   1. Append "&experimentGroupId=" to queryParamsList.

   2. Append serialized experimentGroupId to queryParamsList.

7. Let fullSignalsUrl be signalsUrl.

8. Set fullSignalsUrl’s query to the result of concatenating queryParamsList.

9. return fullSignalsUrl.

To build trusted scoring signals url given a URL signalsUrl, a list of strings renderURLs, an ordered set of strings adComponentRenderURLs, an unsigned short experimentGroupId, and an origin topLevelOrigin:

Note: When trusted scoring signals fetches are not batched, renderURLs’s size is 1.

1. Let queryParamsList be a new empty list.

2. Append "hostname=" to queryParamsList.

3. Append the result of UTF-8 percent-encoding topLevelOrigin using component percent-encode set to queryParamsList.

4. If renderURLs is not empty:

   1. Append "&renderURLs=" to queryParamsList.

   2. Extend queryParamsList with the result of encode trusted signals keys with renderURLs.

5. If adComponentRenderURLs is not empty:

   1. Append "&adComponentRenderURLs=" to queryParamsList.

   2. Extend queryParamsList with the result of encode trusted signals keys with adComponentRenderURLs.

6. If experimentGroupId is not null:

   1. Append "&experimentGroupId=" to queryParamsList.

   2. Append serialized experimentGroupId to queryParamsList.

7. Set signalsUrl’s query to the result of concatenating queryParamsList.

8. return signalsUrl.

To send report given a URL url:

1. Let request be a new request with the following properties:

   URL

   url

   client

   null

   mode

   "no-cors"

   referrer

   "no-referrer"

   credentials mode

   "omit"

   redirect mode

   "error"

   Stop using "no-cors" mode where possible (WICG/turtledove#667).

2. Fetch request with useParallelQueue set to true.

To serialize an integer, represent it as a string of the shortest possible decimal number.

This would ideally be replaced by a more descriptive algorithm in Infra. See infra/201

To round a value given a double value:

1. If value is not a valid floating-point number, return value.

2. Let valueExp be value’s IEEE 754 biased exponent field minus 1023.

3. Let normValue be value multiplied by 2^{(−1 × valueExp)}.

4. If valueExp is less than −128:

   1. If value is less than 0, return −0.

   2. Otherwise, return 0.

5. If valueExp is greater than 127:

   1. If value is less than 0, return −∞.

   2. Otherwise, return ∞.

6. Let precisionScaledValue be normValue multiplied by 256.

7. Let noisyScaledValue be precisionScaledValue plus a random double value greater than or equal to 0 but less than 1.

8. Let truncatedScaledValue be the largest integer not greater than noisyScaledValue.

9. Return truncatedScaledValue multiplied by 2^{(valueExp − 8)}.

To get direct from seller signals given an origin seller, a string-or-null adSlot, and a map capturedAuctionHeaders:

1. If adSlot is not a string, then return null.

2. Let directFromSellerSignals be null.

3. Let directFromSellerSignalsKey be a new direct from seller signals key with its seller set to seller, and ad slot set to adSlot.

4. If capturedAuctionHeaders[directFromSellerSignalsKey] exists:

   1. Set directFromSellerSignals to capturedAuctionHeaders[directFromSellerSignalsKey].

5. Return directFromSellerSignals.

To get direct from seller signals for a seller given a direct from seller signals-or-null directFromSellerSignals:

1. Let directFromSellerSignalsForSeller be a new DirectFromSellerSignalsForSeller.

2. If directFromSellerSignals is null, then return directFromSellerSignalsForSeller.

3. Set directFromSellerSignalsForSeller["auctionSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s auction signals.

4. Set directFromSellerSignalsForSeller["sellerSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s seller signals.

5. Return directFromSellerSignalsForSeller.

To get direct from seller signals for a buyer given a direct from seller signals-or-null directFromSellerSignals, and an origin owner:

1. Let directFromSellerSignalsForBuyer be a new DirectFromSellerSignalsForBuyer.

2. If directFromSellerSignals is null, then return directFromSellerSignalsForBuyer.

3. Set directFromSellerSignalsForBuyer["auctionSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s auction signals.

4. If directFromSellerSignals’s per buyer signals[owner] exists:

   1. Set directFromSellerSignalsForBuyer["perBuyerSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s per buyer signals[owner].

5. Return directFromSellerSignalsForBuyer.

To report result given a leading bid info leadingBidInfo, a direct from seller signals-or-null directFromSellerSignals, an auction config-or-null winningComponentConfig, and a global object global:

1. Let config be leadingBidInfo’s auction config.

2. Let bidCurrency be null.

3. If winningComponentConfig is not null:

   1. Assert that leadingBidInfo’s component seller is not null.

   2. Set bidCurrency to winningComponentConfig’s seller currency.

   3. If bidCurrency is null, then set bidCurrency to the result of looking up per-buyer currency with config and leadingBidInfo’s component seller.

4. Otherwise, set bidCurrency to the result of looking up per-buyer currency with config and leadingBidInfo’s leading bid's interest group's owner.

5. Let winner be leadingBidInfo’s leading bid.

6. Let sellerCurrency be leadingBidInfo’s auction config's seller currency.

7. Let highestScoringOtherBid be leadingBidInfo’s highest scoring other bid's bid in seller currency (or 0 if encountered a null).

8. If sellerCurrency is null, then set highestScoringOtherBid to leadingBidInfo’s highest scoring other bid's bid's value (or 0 if encountered a null).

9. Let bid be winner’s bid's value.

10. Let modifiedBid be null.

11. If winner’s modified bid is not null:

    1. If leadingBidInfo’s component seller is not null, then set bid to winner’s modified bid.

    2. Otherwise, set modifiedBid to winner’s modified bid.

12. Let browserSignals be a ReportResultBrowserSignals with the following fields:

    topWindowHostname

    The result of running the host serializer on global’s top-level origin's host.

    interestGroupOwner

    Serialized winner’s interest group's owner.

    renderURL

    Serialized winner’s ad descriptor's url

    bid

    Stochastically rounded bid

    bidCurrency

    The result of serializing a currency tag with bidCurrency

    highestScoringOtherBid

    highestScoringOtherBid

    highestScoringOtherBidCurrency

    sellerCurrency if it is not null, "???" otherwise

    topLevelSeller

    leadingBidInfo’s top level seller if it is not null, undefined otherwise

    componentSeller

    leadingBidInfo’s component seller if it is not null, undefined otherwise

    desirability

    Stochastically rounded leadingBidInfo’s top score

    topLevelSellerSignals

    leadingBidInfo’s top level seller signals if it is not null, undefined otherwise

    modifiedBid

    Stochastically rounded modifiedBid if it is not null, undefined otherwise

    dataVersion

    leadingBidInfo’s scoring data version if it is not null, undefined otherwise

13. Let igAd be the interest group ad from winner’s interest group's ads whose render url is winner’s ad descriptor's url.

14. If igAd’s buyer and seller reporting ID exists and the result of query reporting ID k-anonymity count given winner’s interest group and igAd is true, then set browserSignals["buyerAndSellerReportingId"] to igAd’s buyer and seller reporting ID.

15. Let sellerReportingScript be the result of fetching script with config’s decision logic url.

16. Let « sellerSignals, reportUrl, reportingBeaconMap, ignored » be the result of evaluating a reporting script with sellerReportingScript, "reportResult", and « config’s config idl, browserSignals, directFromSellerSignals ».

17. Let reportingResult be a reporting result with the following items:

    report url

    reportUrl

    reporting beacon map

    reportingBeaconMap

18. If leadingBidInfo’s top level seller is null (i.e., if we are reporting for a component seller), set leadingBidInfo’s component seller reporting result to reportingResult.

19. Otherwise, set leadingBidInfo’s seller reporting result to reportingResult.

20. Remove browserSignals["desirability"].

21. Remove browserSignals["modifiedBid"].

22. Remove browserSignals["topLevelSellerSignals"].

23. Remove browserSignals["dataVersion"].

    Note: Remove fields specific to ReportResultBrowserSignals which only sellers can learn about, so that they are not passed to "reportWin()".

24. Return « sellerSignals, browserSignals ».

To report win given a leading bid info leadingBidInfo, a string sellerSignals, a ReportingBrowserSignals browserSignals, and a direct from seller signals-or-null directFromSellerSignals:

1. Let config be leadingBidInfo’s auction config.

2. Let winner be leadingBidInfo’s leading bid.

3. Let perBuyerSignals be config’s per buyer signals.

4. Let buyer be winner’s interest group's owner.

5. Let perBuyerSignalsForBuyer be perBuyerSignals[buyer] if that member exists, and null otherwise.

6. Let reportWinBrowserSignals be a ReportWinBrowserSignals with the members that are declared on ReportingBrowserSignals initialized to their values in browserSignals.

7. Add the following fields to reportWinBrowserSignals:

   dataVersion

   leadingBidInfo’s bidding data version if it is not null, undefined otherwise.

   adCost

   Rounded winner’s ad cost

   seller

   Serialized config’s seller

   madeHighestScoringOtherBid

   Set to true if leadingBidInfo’s highest scoring other bid owner is not null, and buyer is same origin with leadingBidInfo’s highest scoring other bid owner, false otherwise

   modelingSignals

   winner’s modeling signals if it is not null, undefined otherwise (TODO: noise and bucket this signal)

8. Let igAd be the interest group ad from winner’s interest group's ads whose render url is winner’s ad descriptor's url.

9. If igAd’s buyer and seller reporting ID does not exist and the result of query reporting ID k-anonymity count given winner’s interest group and igAd is true:

   1. If igAd’s buyer reporting ID exists, set reportWinBrowserSignals["buyerReportingId"] to igAd’s buyer reporting ID.

   2. Otherwise, Set reportWinBrowserSignals["interestGroupName"] to winner’s interest group name.

10. Let buyerReportingScript be the result of fetching script with winner’s interest group's bidding url.

11. Let reportFunctionName be "reportWin".

12. If winner’s provided as additional bid is true:

    1. Set reportFunctionName be "reportAdditionalBidWin".

13. Let « ignored, resultUrl, reportingBeaconMap, reportingMacroMap » be the result of evaluating a reporting script with buyerReportingScript, "reportWin", and « leadingBidInfo’s auction config's config idl's auctionSignals, perBuyerSignalsForBuyer, sellerSignals, reportWinBrowserSignals, directFromSellerSignals ».

14. Set leadingBidInfo’s buyer reporting result to a reporting result with the following items:

    report url

    resultUrl

    reporting beacon map

    reportingBeaconMap

    reporting macro map

    reportingMacroMap

[SecureContext]
partial interface Navigator {
  Promise<DOMString> createAuctionNonce();
};

The createAuctionNonce() method steps are:

1. Let p be a new promise.

2. Run the following steps in parallel:

   1. Let nonce be the string representation of a version 4 UUID.

   Because we’re going in parallel:

   • There is no guarantee that the promise will be resolved before other tasks get queued on the main thread;

   • ...which gives browsers the freedom to generate this UUID in another process, and asynchronously send it back to the main thread at an arbitrary future time.

   1. Queue a global task on DOM manipulation task source, given this's relevant global object, to resolve p with nonce.

3. Return p.

const additionalBid = {
  "bid": {
    "ad": 'ad-metadata',
    "adCost": 2.99,
    "bid": 1.99,
    "bidCurrency": "USD",
    "render": "https://www.example-dsp.com/ad/123.jpg",
    "adComponents": [adComponent1, adComponent2],
    "allowComponentAuction": true,
    "modelingSignals": 123,
  },
  "interestGroup": {
    "owner": "https://www.example-dsp.com"
    "name": "campaign123",
    "biddingLogicURL": "https://www.example-dsp.com/bid_logic.js"
  },
  "negativeInterestGroups": {
    joiningOrigin: "https://www.example-advertiser.com",
    interestGroupNames: [
      "example_advertiser_negative_interest_group_a",
      "example_advertiser_negative_interest_group_b",
    ]
  },
  "auctionNonce": "12345678-90ab-cdef-fedcba09876543210",
  "seller": "https://www.example-ssp.com",
  "topLevelSeller": "https://www.another-ssp.com"
}

To validate and convert additional bids given an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, a negative target info negativeTargetInfo, and a global object global:

1. Assert that these steps are running in parallel.

2. Assert that auctionConfig’s auction nonce is not null.

3. Let auctionNonce be the string representation of auctionConfig’s auction nonce.

4. Let capturedAdditionalBidsHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured additional bids headers.

5. Let additionalBids be a new list of decoded additional bids.

6. For each encodedSignedAdditionalBid of capturedAdditionalBidsHeaders[auctionNonce]:

   1. Let signedAdditionalBid be the result of running forgiving-base64 decode with encodedSignedAdditionalBid.

   2. If signedAdditionalBid is failure, then continue.

   3. Let additionalBid be the result of running parse a signed additional bid given signedAdditionalBid, auctionConfig, topLevelAuctionConfig, and negativeTargetInfo.

   4. If additionalBid is not null, then append additionalBid to additionalBids.

7. Return additionalBids.

To parse a signed additional bid given a byte sequence signedAdditionalBid, an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, and a negative target info negativeTargetInfo:

1. Assert that these steps are running in parallel.

2. Let parsedSignedAdditionalBid be the result of running parse a JSON string to an infra value given signedAdditionalBid.

3. Return null if any of the following conditions hold:

   • parsedSignedAdditionalBid is not a map;

   • parsedSignedAdditionalBid["bid"] does not exist, or is not a string;

   • parsedSignedAdditionalBid["signatures"] does not exist, or is not a list.

4. Let signatures be a new list of signed additional bid signatures.

5. Let decodeSignatureFailed be false.

6. For each sig of parsedSignedAdditionalBid["signatures"]:

   1. Set decodeSignatureFailed to true and break if any of the following conditions hold:

      • sig is not a map;

      • sig["key"] does not exist, or is not a string;

      • sig["signature"] does not exist, or is not a string.

   2. Let maybeKey be the result of running forgiving-base64 decode with sig["key"].

   3. Let maybeSignature be the result of running forgiving-base64 decode with sig["signature"].

   4. Set decodeSignatureFailed to true and break if any of the following conditions hold:

      • maybeKey is failure, or its length is not 32;

      • maybeSignature is failure, or its length is not 64;

   5. Let signature be a signed additional bid signatures, whose key is maybeKey, and signature is maybeSignature.

   6. Append signature to signatures.

7. If decodeSignatureFailed is true, then return null.

8. Let decodedAdditionalBid be the result of decode an additional bid json given parsedSignedAdditionalBid["bid"], auctionConfig and topLevelAuctionConfig.

9. Return null if any of the following conditions hold:

   • decodedAdditionalBid is failure;

   • The result of checking a currency tag with decodedAdditionalBid’s bid's bid's currency and the result of running look up per-buyer currency with auctionConfig.

10. Let verifiedSignatureKeys be a new set of byte sequences.

11. For each signature of signatures:

    1. Let isSignatureValid be the result of running verify signature’s signature on message parsedSignedAdditionalBid["bid"] using signature’s key, with 0 for Ed25519ctx.

    2. If isSignatureValid is true, then append signature’s key to verifiedSignatureKeys.

12. If the result of checking whether negative targeted given decodedAdditionalBid, verifiedSignatureKeys and negativeTargetInfo is true, then return null.

13. Return decodedAdditionalBid.

To decode an additional bid json given a string additionalBidJson, an auction config auctionConfig, and an auction config-or-null topLevelAuctionConfig:

1. Assert that these steps are running in parallel.

2. Let parsedAdditionalBid be the result of parse a JSON string to an infra value given additionalBidJson.

3. If parsedAdditionalBid is not a map, then return failure.

4. Let result be a new decoded additional bid.

5. Return failure if any of the following conditions hold:

   • parsedAdditionalBid["auctionNonce"] does not exist;

   • parsedAdditionalBid["auctionNonce"] is not the string representation of auctionConfig’s auction nonce;

   • parsedAdditionalBid["seller"] does not exist;

   • The result of running the parse an https origin with parsedAdditionalBid["seller"] is failure, or not same origin with auctionConfig’s seller.

6. If topLevelAuctionConfig is null:

   1. If parsedAdditionalBid["topLevelSeller"] exists, then return failure.

7. Otherwise:

   1. If parsedAdditionalBid["topLevelSeller"] does not exist, then return failure.

   2. Let bidTopLevelSeller be the result of running the parse an https origin with parsedAdditionalBid["topLevelSeller"].

   3. If bidTopLevelSeller is failure, or bidTopLevelSeller is not same origin with topLevelAuctionConfig’s seller, then return failure.

8. If parsedAdditionalBid["interestGroup"] does not exist, then return failure.

9. Let igMap be parsedAdditionalBid["interestGroup"].

10. Return failure if any the following conditions hold:

    • igMap is not a map;

    • igMap["name"] does not exist, or is not a string;

    • igMap["biddingLogicURL"] does not exist, or is not a string;

    • igMap["owner"] does not exist, or is not a string;

11. Let igOwner be the result of running parse an https origin given igMap["owner"].

12. Let igName be igMap["name"].

13. Let igBiddingUrl be the result of running url parser on igMap["biddingLogicURL"].

14. Return failure if any of the following conditions hold:

    • igOwner is failure;

    • auctionConfig’s interest group buyers does not contain igOwner;

    • igBiddingUrl is failure;

    • igOwner is not same origin with igBiddingUrl.

15. Let ig be a new interest group with the following properties:

    owner

    igOwner

    name

    igName

    bidding url

    igBiddingUrl

16. If parsedAdditionalBid["bid"] does not exist, or is not a map, return failure.

17. Let bidMap be parsedAdditionalBid["bid"].

18. If bidMap["render"] does not exist or is not a string, then return failure.

19. Let renderUrl be the result of running URL parser on bidMap["render"].

20. If renderUrl is failure, then return failure.

21. Let ad be a new interest group ad whose render url is renderUrl.

22. Set ig’s ads to « ad ».

23. Let bidVal be bidMap["bid"] if it exists, otherwise return failure.

24. If bidVal is not a double, or is less than or equal to 0, then return failure.

25. Let adMetadata be "null".

26. If bidMap["ad"] exists:

    1. Set adMetadata to the result of running serialize an Infra value to a JSON string with bidMap["ad"].

27. Let bidCurrency be null.

28. If bidMap["bidCurrency"] exists:

    1. If bidMap["bidCurrency"] is not a string, or the result of checking whether a string is a valid currency tag is failure, then return failure.

    2. Set bidCurrency to bidMap["bidCurrency"].

29. Let adCost be null.

30. If bidMap["adCost"] exists:

    1. If bidMap["adCost"] is not a double, then return failure.

    2. Set adCost to bidMap["adCost"].

31. Let modelingSignals be null.

32. If bidMap["modelingSignals"] exists:

    1. If bidMap["modelingSignals"] is not a double, then return failure.

    2. If bidMap["modelingSignals"] ≥ 0, and < 4096, then set modelingSignals to bidMap["modelingSignals"].

33. Let adComponents be a new list of ad descriptors.

34. If bidMap["adComponents"] exists:

    1. If bidMap["adComponents"] is not a list, then return failure.

    2. For each component of bidMap["adComponents"]:

       1. If component is not a string, then return failure.

       2. Let componentUrl be the result of running URL parser on component.

       3. If componentUrl is failure, then return failure.

       4. Let componentDescriptor be a new ad descriptor whose url is componentUrl.

       5. Append componentDescriptor to adComponents.

    3. Set ig’s ad components to adComponents.

35. If parsedAdditionalBid["negativeInterestGroup"] exists:

    1. If parsedAdditionalBid["negativeInterestGroups"] exists, or parsedAdditionalBid["negativeInterestGroup"] is not a string, then return failure.

    2. Append parsedAdditionalBid["negativeInterestGroup"] to result’s negative target interest group names.

36. If parsedAdditionalBid["negativeInterestGroups"] exists:

    1. Let multipleNegativeIg be parsedAdditionalBid["negativeInterestGroups"].

    2. Return failure if any of the following conditions hold:

       • multipleNegativeIg is not a map;

       • multipleNegativeIg["joiningOrigin"] does not exist, or is not a string;

       • multipleNegativeIg["interestGroupNames"] does not exist, or is not a list.

    3. Let joiningOrigin be the result of running parse an https origin with multipleNegativeIg["joiningOrigin"].

    4. If joiningOrigin is failure, then return failure.

    5. Set result’s negative target joining origin to joiningOrigin.

    6. For each igName of multipleNegativeIg["interestGroupNames"]:

       1. If igName is not a string, then return failure.

       2. Append igName to result’s negative target interest group names.

37. Set result’s bid to a new generated bid with the following properties:

    bid

    A bid with currency whose value is bidVal, and currency is bidCurrency

    ad

    adMetadata

    ad descriptor

    An ad descriptor whose url is renderUrl

    ad component descriptors

    adComponents

    ad cost

    adCost

    modeling signals

    modelingSignals

    interest group

    ig

    bid ad

    A interest group ad whose render url is renderUrl, and metadata is adMetadata

    provided as additional bid

    true

38. Return result.