A less damaging per-site browsing history clear #404

Description

@martinthomson

tl;dr: it might be possible to reduce the collateral damage from a browsing history clear that forgets only some sites.

As I commented in #403, it's possible that the two arms of the algorithm where forgetSites is true might be collapsed into the more aggressive (and simpler) one.

The reason for the split was, I think, that we wanted to preserve the possibility that unrelated sites would not be affected by the forgetting of a completely different site. As long as we only had budget information for a single site, that seemed possible: a site that is forgotten might lose its budget, but maybe we could remember something about it ("the name sort-of rhymed with mace rook")... or at least enough to let all other sites keep their budgets intact.

The simplest version of that would be to have sites with any entry in the privacy budget store marked as OK, because those wouldn't have been forgotten¹. As for any impressions it registered, those would disappear safely.

The same might not be possible with the impression site quotas. Those need to be cleared out too. Now, we could not worry about that: sites that are forgotten would get to take another go round at registering impressions and having those take a chunk out of the global privacy budget. But that is limited to once every history clear. Not so bad.

I guess I was looking for a reason to simplify, but I think that I've just convinced myself that a small tweak to the last browsing history clear is really feasible. It would only require that the algorithm check that the current site has a non-empty privacy budget store before consulting that value. If it does, then it can be ignored for the purposes of determining the earliest epoch to consider. That's a pretty elegant design overall.

Footnotes

  1. That isn't ideal, because it means that sites that haven't spent budget don't get to start spending until after the epoch in which they were cleared, but it's not an awful solution. The part where you have to remember something about the site, even N bits of a salted hash of its name, starts to feel a bit icky very quickly.

    Labels

    level-2: This feature has been deferred to a future version of the API.