Clearing state for safety limits#403

Merged: martinthomson merged 2 commits into main from safety-clear on Apr 23, 2026
Conversation

@martinthomson (Member) commented Apr 20, 2026

This is pretty straightforward once I thought it through.

Most things are left alone if forgetSites is false, so that is super easy.

When it is true and the set of sites is empty, we already move the value of the last browsing history clear. So we can just drop all state. This is the easiest one.

When forgetSites is true and the set of sites is not empty, we do nothing special for the global privacy budget. We can retain that. The impression site quota is also pretty easy. We forget that site was ever there. That would reset the amount that impressions from that site can eat from the global budget, except that the last browsing history clear value will ensure that none of those sites will be able to be found anyway.

This is the small change. If you think about the effect of the last browsing history clear value, it might be that the forgetting of specific sites - for this API - is effectively the same as forgetting all sites, so we can remove the distinction. I guess that the reason we have the current structure is that we wanted to retain the possibility that impressions from non-forgotten sites would be reachable at some point. With the impression site quota limit in place, that might no longer be possible. Still, baby steps.

Closes #367.
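As an added illustration (this is not code from the PR, the spec, or api.bs), the following Python model walks through the three cases the description lays out: `forgetSites` false, `forgetSites` true with an empty site set, and `forgetSites` true with specific sites. The state fields (`impressions`, `global_budget`, `site_quota`, `last_clear`) and the function names are assumptions made for the model, not spec identifiers; the timestamps and sites are constructed values. It also shows why moving the last-clear value makes impressions from non-forgotten sites unreachable too, which is the point the later review comment raises.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Impression:
    site: str         # site that registered the impression
    timestamp: float  # when it was registered (constructed values in demo())


@dataclass
class AttributionState:
    """Hypothetical model of the browser-side state the PR description walks
    through. Field names are assumptions for this example, not api.bs terms."""
    impressions: list = field(default_factory=list)
    global_budget: dict = field(default_factory=dict)  # epoch -> remaining global privacy budget
    site_quota: dict = field(default_factory=dict)     # impression site -> budget that site consumed
    last_clear: float = 0.0                            # time of the last browsing history clear


def clear_state(state: AttributionState, forget_sites: bool, sites: set, now: float) -> AttributionState:
    """Apply a history clear, following the three cases in the PR description.
    `now` is passed in explicitly so the example is deterministic."""
    if not forget_sites:
        # Case 1: the attribution state is left alone.
        return state

    if not sites:
        # Case 2: forget everything. The last-clear marker moves and all other
        # state is dropped.
        state.last_clear = now
        state.impressions.clear()
        state.global_budget.clear()
        state.site_quota.clear()
        return state

    # Case 3: specific sites. The global privacy budget is retained, the
    # per-site quota of each forgotten site is removed (we forget the site was
    # ever there), and the last-clear marker moves, which is what actually
    # hides impressions from those sites.
    state.last_clear = now
    for site in sites:
        state.site_quota.pop(site, None)
    return state


def reachable_impressions(state: AttributionState, site: Optional[str] = None) -> list:
    """Impressions an attribution query could still match: only those recorded
    at or after the last browsing history clear (optionally for one site)."""
    return [
        imp for imp in state.impressions
        if imp.timestamp >= state.last_clear and (site is None or imp.site == site)
    ]


def demo() -> dict:
    """Worked run on constructed values; returns the observations for checking."""
    state = AttributionState(
        impressions=[Impression("ads.example", 10.0), Impression("news.example", 20.0)],
        global_budget={"epoch-1": 1.0},
        site_quota={"ads.example": 0.4, "news.example": 0.1},
    )
    clear_state(state, forget_sites=False, sites=set(), now=50.0)
    untouched = len(reachable_impressions(state))           # nothing changed

    clear_state(state, forget_sites=True, sites={"ads.example"}, now=100.0)
    budget_kept = state.global_budget == {"epoch-1": 1.0}
    quota_dropped = "ads.example" not in state.site_quota
    other_quota_kept = "news.example" in state.site_quota
    # Moving last_clear also hides news.example's impression, although that
    # site was not in the forgotten set: forgetting specific sites behaves
    # like forgetting all sites.
    still_reachable = len(reachable_impressions(state))

    # An impression recorded after the clear is reachable again.
    state.impressions.append(Impression("news.example", 150.0))
    after_clear = len(reachable_impressions(state, "news.example"))

    everything = AttributionState(impressions=[Impression("ads.example", 10.0)],
                                  global_budget={"epoch-1": 1.0},
                                  site_quota={"ads.example": 0.4})
    clear_state(everything, forget_sites=True, sites=set(), now=100.0)
    all_dropped = (everything.impressions == [] and everything.global_budget == {}
                   and everything.site_quota == {})

    return {"untouched": untouched, "budget_kept": budget_kept,
            "quota_dropped": quota_dropped, "other_quota_kept": other_quota_kept,
            "still_reachable": still_reachable, "after_clear": after_clear,
            "all_dropped": all_dropped}


if __name__ == "__main__":
    print(demo())
```

The model keeps impressions from non-forgotten sites in storage but filters them by `last_clear` at query time, which is the cheapest way to reproduce the behaviour the description relies on; a per-site record of last clears, as the review discussion suggests, would be the change needed to make those impressions reachable again.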


@apasel422 (Collaborator) left a comment

This also addresses #393, right?

Comment thread on api.bs (outdated)
@bmcase (Contributor) commented Apr 21, 2026

> If you think about the effect of the last browsing history clear value, it might be that the forgetting of specific sites - for this API - is effectively the same as forgetting all sites, so we can remove the distinction. I guess that the reason we have the current structure is that we wanted to retain the possibility that impressions from non-forgotten sites would be reachable at some point.

Right, it seems currently, because we move the last clear history, we are essentially clearing for all sites (not letting them query past impressions even if their site was not in the set of sites to be cleared). I guess if we wanted to allow that functionality we would need to keep not just one single clear history value but a site-specific store of last history clears?

Co-authored-by: Benjamin M. Case <35273659+bmcase@users.noreply.github.com>
@martinthomson (Member, Author) commented

I've opened #404 to track a less disruptive per-site state clear. That is going to be difficult.

@martinthomson martinthomson merged commit e82e5a5 into main Apr 23, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues:

- Clearing browsing history for any site effectively clears data for all sites
- Define how the safety limits interact with clear history
