From 9918ead388c8948027efc3a3c8e91a0d489510b3 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Thu, 21 Nov 2024 09:15:18 -0800
Subject: [PATCH 01/39] Create explainer.md

---
 .../explainer.md                              | 107 ++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 Performance control of embedded content/explainer.md

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
new file mode 100644
index 00000000..366e35dd
--- /dev/null
+++ b/Performance control of embedded content/explainer.md	
@@ -0,0 +1,107 @@
+# Performance control of embedded content
+
+## Authors
+- [Nishitha Burman Dey](https://github.com/nishitha-burman)
+- [Luis Flores](https://github.com/lflores-ms)
+- [Andy Luhrs](https://github.com/aluhrs13)
+- [Alex Russell](https://github.com/slightlyoff)
+
+## Introduction
+This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.  
+
+Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee.  
+
+## Goals
+With global web usage continuing to rise and more companies relying on the web as a primary platform to deliver their applications, performance has become a critical factor for success. As more users access websites through mobile devices and lower-powered hardware, the need for fast responsive web experiences is non-negotiable[^1],[^2].
+When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed, these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
+This proposal has two primary goals:
+1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content.
+2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame. 
+
+### Scenarios
+* Embedded widgets: Weather forecast, stock tickets, etc.
+* Embedded Ads: Embedded ads from networks like Google AdSense or Bing Ads. 
+* Embedded calendars: Embedding calendars from services like Outlook Calendar, Google Calendar, etc. 
+
+## Proposed Solution
+There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can emable all or one of the categories. 
+
+| **Perf. Category** | **Criteria** | **Handling violations** |
+| -------------  | -------- | ------------------- |
+| **A: Basic**<br>**Description**: Basic web development best practices that are scenario-agnostic. | **- Text resources must be compressed** (HTML, CSS, JS, JSON).<br> **- Oversized unzipped assets are flagged:**<br>* Assets larger than 100KB embedded via `data:...` URLs.<br>* Image files larger than 500KB served in last generation formats.<br> * Web fonts that are larger than 300KB. | - Reporting violations via Reporting API.<br> - Assets not rendered.<br> UI indicator to block out images that are too large. |
+| **B: Early-script**<br>**Description**: JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins. | **- JS limits:**<br>* Total limits on JS served prior to user interaction: 2MB<br>* Scripts must contain `content-length` headers<br>* No non-compositor thread animations (e.g. animated SVGs, loading spinners, etc.). | - Report violations via Reporting API.<br> - Loading of scripts that violate the limit are paused/blocked.<br> - Pause/disconnect animations that are not visible, interacted with. |
+| **C: Globals**<br>**Description:** Overall media and system resource usage constraints. | **- Cumulative resource consumption limits per interaction:**<br>* Caps on total media usage. No more than a total of X.<br>* Limits on iframe count. No more than a total of 10.<br>* Limits of iframe depth. No mroe than a depth of 10.<br>* CPU usage before first interaction: XMB. | - Report violations via Reporting API.<br>- Do not load media at all. <br>- Do not load iframes that surpass the depth. |
+| **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed Xms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [in the background]. |
+
+### Discussion of different categories
+**A: Basic – Basic web development best practices that are scenario-agnostic:** This category covers fundamental web development best practices to ensure that websites are optimized for performance across all environments. This includes compressing text resources such as HTML, CSS JavaScript, and JSON to reduce load times and bandwidth usage, and compressing assets larger than 100KB that are embedded via `data: URLs` as they can slow down page rendering and increase resource consumption. Additionally, images should be served in modern, efficient formats, with any image files exceeding 500KB considered oversized and requiring optimization. Web fonts must also be kept under 300KB to avoid unnecessarily delaying page rendering. 
+
+**B: Early-script – JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins:** This category focuses on JavaScript development best practices that can be done to minimize performance issues before user interaction begins. This includes capping JavaScript resources loaded initially to avoid overwhelming devices with limited processing power or bandwidth, and serving JavaScript with constrained content-length headers to ensure predictable resource delivery and prevent bloated downloads. Additionally, animations that don’t run on the compositor thread should be avoided, as they can trigger costly layout recalculations and choppy user experiences, especially during page load or scroll events. 
+
+**C: Globals – Overall media and system resource usage constraints:** This category entails imposing limits on overall media and system resource usage during interactions to help prevent websites from over-consuming resources and degrading user experiences. This includes capping total media usage and iframe count/nesting to avoid excessive memory consumption and rendering issues because it can slow down the page and make it unresponsive, particularly on lower-end devices or in resource-constrained environments.  
+
+**D: Script – Strict JavaScript restrictions:** This category enforces restrictions on more complex JavaScript to further enhance performance. This includes limiting long tasks running on the main thread as they block the event loop and degrade interactivity leading to slow response times, and capping high CPU usage tasks, particularly those involving workers that exceed certain execution times, to ensure they don’t monopolize system resources. These restrictions ensure that JavaScript execution remains lightweight and efficient, preventing detrimental performance impacts on the user experience.  
+
+## What should be standardized?
+| **Layer of configuration** | **Standardize?** | **Notes** |
+| -------------------------- | ---------------- | --------- |
+| **Different categorizations of features:** Currently there are four and can expand in the future with new categories. | Yes | There needs to be alignment within the web community on what the key factors are that we want to allow restrictions for. This allows site developers to be on the same page and make tradeoffs accordingly. The definition for each category and number of categories need to be standardized. Standardizing this gives site developers an opportunity to optimize their performance regardless of the browser their end users are on. |
+| **Mechanism to set restrictions:** How site embedder set constraints. | Yes | Related to the different categories, the mechanism should be the same across browsers so that sites work agnostic of the browser. |
+| **Criteria for each category** | Yes | Currently, the criteria for each category is determined from observations and learnings from customer engagements. This may change or evolve with time. This should be standardized so that developers know what the expectations are across all browsers and the web platform. |
+| **Limits for each criteria** | Yes | Some of the limits have been determined based on observations, use cases, etc. This should also be browser agnostic so embedee developers know what the expectations are. |
+| **Reporting violations** | Yes | Similar to mechanism for setting restrictions, embedder developers should have the same expectations on getting violations across all browsers their site/app runs on. |
+| **How violations are handled** | No | Embedder developers should be able to opt into default behavior when restrictions are violated. There is a plethora of things that can happen when restrictions are violated. Different levels of standardization can happen here. The web platform can provide a default option for how violations are handled e.g. standard can be “some UI indicator is shown when violations are made” but it doesn’t have to be a standard what exactly is the UI. |
+
+## Non-goals
+The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold and limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
+
+## Proposed API Solution
+Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points (see discussion section), one for each of the categories above:
+A: Basic
+B: Early-script
+C: Globals
+D: Script
+
+**Note:** Names here are only monikers and expected to change in public explainer.
+
+This enables each document to:
+* Self-impose performance constraints.
+* Negotiate constraints (see discussion section) for each subresource.
+
+**Example**
+A feeds app embeds content from different sources, through iframes. To cap the performance impact of the embedded content, the host application aligns with its producers on guidelines and best practices for the embeddees to be loaded into the experience, requiring the content to be served with an agreed upon subset of policies (categories above). 
+The host app serves its main document with Document Policy directives to enforce on embedded content:<br>
+`Require-Document-Policy: basic, early-script, globals, script`
+
+Alternatively, the app can set any policy subset to individual frames:<br>
+`<iframe policy=”basic”>`<br>
+`<iframe policy=”basic, early-script”>`<br>
+
+As a result, requests to embedded content will be sent with Sec-Required-Document-Policy header matching the top-level document’s requested configuration. Per Document Policy design, embeddees receiving this request header must opt in for their content to be loaded, with the option to specify a reporting endpoint:
+`Document-Policy: basic, early-script, globals, script, *; report-to=endpoint`<br>
+`Reporting-Endpoints: endpoint="https://example.com/reports"`
+
+### Discussion
+#### Document Policy - configuration points
+Document Policy allows for a single value for each configuration point. Since the categories proposed by this solution are independent of each other, this necessitates multiple configuration points.
+
+#### Policy negotiation and enforcement
+\<why opt in necessary>
+
+* \<side channel attacks> - See NSM
+* \<unexpected behavior can break site>
+
+\<policy opt-in, policy enforcement>
+
+ Document Policy establish a mechanism for agreement of embedder and embedee about the policies to be applied. An embeddee which doesn’t agree to the embedder’s policies will not be loaded. However, this is only an agreement from the parties involved. Actual enforcement of the policy is to be defined by such policy.
+
+#### \<per document constraints>
+\<constraints are applied at document level, setting a required policy requires the same policy for each document on its own, not as part of a global budget/constraint. Best way to cap total resources/complexity is likely through frame depth restriction> 
+
+### Open questions
+
+
+### Alternatives considered
+
+[^1]: https://infrequently.org/2023/02/the-market-for-lemons/
+[^2]: https://www.thinkwithgoogle.com/marketing-strategies/app-and-mobile/page-load-time-statistics/

From 360c2c599f74a0ff90e6db7e2b28ce3de8f930fa Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Fri, 22 Nov 2024 14:55:18 -0800
Subject: [PATCH 02/39] Nits

---
 .../explainer.md                              | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 366e35dd..66161806 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -7,24 +7,24 @@
 - [Alex Russell](https://github.com/slightlyoff)
 
 ## Introduction
-This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.  
+This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
 
-Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee.  
+Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee.
 
 ## Goals
 With global web usage continuing to rise and more companies relying on the web as a primary platform to deliver their applications, performance has become a critical factor for success. As more users access websites through mobile devices and lower-powered hardware, the need for fast responsive web experiences is non-negotiable[^1],[^2].
 When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed, these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
 This proposal has two primary goals:
 1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content.
-2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame. 
+2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
 
 ### Scenarios
 * Embedded widgets: Weather forecast, stock tickets, etc.
-* Embedded Ads: Embedded ads from networks like Google AdSense or Bing Ads. 
-* Embedded calendars: Embedding calendars from services like Outlook Calendar, Google Calendar, etc. 
+* Embedded Ads: Embedded ads from networks like Google AdSense or Bing Ads.
+* Embedded calendars: Embedding calendars from services like Outlook Calendar, Google Calendar, etc.
 
 ## Proposed Solution
-There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can emable all or one of the categories. 
+There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can enable all or some of the categories.
 
 | **Perf. Category** | **Criteria** | **Handling violations** |
 | -------------  | -------- | ------------------- |
@@ -34,13 +34,13 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 | **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed Xms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [in the background]. |
 
 ### Discussion of different categories
-**A: Basic – Basic web development best practices that are scenario-agnostic:** This category covers fundamental web development best practices to ensure that websites are optimized for performance across all environments. This includes compressing text resources such as HTML, CSS JavaScript, and JSON to reduce load times and bandwidth usage, and compressing assets larger than 100KB that are embedded via `data: URLs` as they can slow down page rendering and increase resource consumption. Additionally, images should be served in modern, efficient formats, with any image files exceeding 500KB considered oversized and requiring optimization. Web fonts must also be kept under 300KB to avoid unnecessarily delaying page rendering. 
+**A: Basic – Basic web development best practices that are scenario-agnostic:** This category covers fundamental web development best practices to ensure that websites are optimized for performance across all environments. This includes compressing text resources such as HTML, CSS JavaScript, and JSON to reduce load times and bandwidth usage, and compressing assets larger than 100KB that are embedded via `data: URLs` as they can slow down page rendering and increase resource consumption. Additionally, images should be served in modern, efficient formats, with any image files exceeding 500KB considered oversized and requiring optimization. Web fonts must also be kept under 300KB to avoid unnecessarily delaying page rendering.
 
-**B: Early-script – JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins:** This category focuses on JavaScript development best practices that can be done to minimize performance issues before user interaction begins. This includes capping JavaScript resources loaded initially to avoid overwhelming devices with limited processing power or bandwidth, and serving JavaScript with constrained content-length headers to ensure predictable resource delivery and prevent bloated downloads. Additionally, animations that don’t run on the compositor thread should be avoided, as they can trigger costly layout recalculations and choppy user experiences, especially during page load or scroll events. 
+**B: Early-script – JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins:** This category focuses on JavaScript development best practices that can be done to minimize performance issues before user interaction begins. This includes capping JavaScript resources loaded initially to avoid overwhelming devices with limited processing power or bandwidth, and serving JavaScript with constrained content-length headers to ensure predictable resource delivery and prevent bloated downloads. Additionally, animations that don’t run on the compositor thread should be avoided, as they can trigger costly layout recalculations and choppy user experiences, especially during page load or scroll events.
 
-**C: Globals – Overall media and system resource usage constraints:** This category entails imposing limits on overall media and system resource usage during interactions to help prevent websites from over-consuming resources and degrading user experiences. This includes capping total media usage and iframe count/nesting to avoid excessive memory consumption and rendering issues because it can slow down the page and make it unresponsive, particularly on lower-end devices or in resource-constrained environments.  
+**C: Globals – Overall media and system resource usage constraints:** This category entails imposing limits on overall media and system resource usage during interactions to help prevent websites from over-consuming resources and degrading user experiences. This includes capping total media usage and iframe count/nesting to avoid excessive memory consumption and rendering issues because it can slow down the page and make it unresponsive, particularly on lower-end devices or in resource-constrained environments.
 
-**D: Script – Strict JavaScript restrictions:** This category enforces restrictions on more complex JavaScript to further enhance performance. This includes limiting long tasks running on the main thread as they block the event loop and degrade interactivity leading to slow response times, and capping high CPU usage tasks, particularly those involving workers that exceed certain execution times, to ensure they don’t monopolize system resources. These restrictions ensure that JavaScript execution remains lightweight and efficient, preventing detrimental performance impacts on the user experience.  
+**D: Script – Strict JavaScript restrictions:** This category enforces restrictions on more complex JavaScript to further enhance performance. This includes limiting long tasks running on the main thread as they block the event loop and degrade interactivity leading to slow response times, and capping high CPU usage tasks, particularly those involving workers that exceed certain execution times, to ensure they don’t monopolize system resources. These restrictions ensure that JavaScript execution remains lightweight and efficient, preventing detrimental performance impacts on the user experience.
 
 ## What should be standardized?
 | **Layer of configuration** | **Standardize?** | **Notes** |
@@ -69,7 +69,7 @@ This enables each document to:
 * Negotiate constraints (see discussion section) for each subresource.
 
 **Example**
-A feeds app embeds content from different sources, through iframes. To cap the performance impact of the embedded content, the host application aligns with its producers on guidelines and best practices for the embeddees to be loaded into the experience, requiring the content to be served with an agreed upon subset of policies (categories above). 
+A feeds app embeds content from different sources, through iframes. To cap the performance impact of the embedded content, the host application aligns with its producers on guidelines and best practices for the embeddees to be loaded into the experience, requiring the content to be served with an agreed upon subset of policies (categories above).
 The host app serves its main document with Document Policy directives to enforce on embedded content:<br>
 `Require-Document-Policy: basic, early-script, globals, script`
 
@@ -96,7 +96,7 @@ Document Policy allows for a single value for each configuration point. Since th
  Document Policy establish a mechanism for agreement of embedder and embedee about the policies to be applied. An embeddee which doesn’t agree to the embedder’s policies will not be loaded. However, this is only an agreement from the parties involved. Actual enforcement of the policy is to be defined by such policy.
 
 #### \<per document constraints>
-\<constraints are applied at document level, setting a required policy requires the same policy for each document on its own, not as part of a global budget/constraint. Best way to cap total resources/complexity is likely through frame depth restriction> 
+\<constraints are applied at document level, setting a required policy requires the same policy for each document on its own, not as part of a global budget/constraint. Best way to cap total resources/complexity is likely through frame depth restriction>
 
 ### Open questions
 

From db0d5ff3d10d3a68ce93f0ff449db78707dfd891 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Fri, 22 Nov 2024 14:55:50 -0800
Subject: [PATCH 03/39] Migrate and expand on sections 5.1, 5.2, 5.3

---
 .../explainer.md                              | 89 ++++++++++++++-----
 1 file changed, 67 insertions(+), 22 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 66161806..0c59574a 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -56,13 +56,13 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold and limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
 
 ## Proposed API Solution
-Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points (see discussion section), one for each of the categories above:
-A: Basic
-B: Early-script
-C: Globals
-D: Script
+Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the categories above:
+A: basic
+B: early-script
+C: globals
+D: script
 
-**Note:** Names here are only monikers and expected to change in public explainer.
+> **Note:** Names here are only monikers and expected to change.
 
 This enables each document to:
 * Self-impose performance constraints.
@@ -71,37 +71,82 @@ This enables each document to:
 **Example**
 A feeds app embeds content from different sources, through iframes. To cap the performance impact of the embedded content, the host application aligns with its producers on guidelines and best practices for the embeddees to be loaded into the experience, requiring the content to be served with an agreed upon subset of policies (categories above).
 The host app serves its main document with Document Policy directives to enforce on embedded content:<br>
-`Require-Document-Policy: basic, early-script, globals, script`
+```
+Require-Document-Policy: basic, early-script, globals, script
+```
 
 Alternatively, the app can set any policy subset to individual frames:<br>
-`<iframe policy=”basic”>`<br>
-`<iframe policy=”basic, early-script”>`<br>
+```
+<iframe policy=”basic”>
+<iframe policy=”basic, early-script”>
+```
 
-As a result, requests to embedded content will be sent with Sec-Required-Document-Policy header matching the top-level document’s requested configuration. Per Document Policy design, embeddees receiving this request header must opt in for their content to be loaded, with the option to specify a reporting endpoint:
-`Document-Policy: basic, early-script, globals, script, *; report-to=endpoint`<br>
-`Reporting-Endpoints: endpoint="https://example.com/reports"`
+As a result, requests to embedded content will be sent with `Sec-Required-Document-Policy` header matching the top-level document’s requested configuration. Per Document Policy design, embeddees receiving this request header must opt in for their content to be loaded, with the option to specify a reporting endpoint:
+
+```
+Document-Policy: basic, early-script, globals, script, *; report-to=endpoint
+Reporting-Endpoints: endpoint="https://example.com/reports"
+```
 
 ### Discussion
-#### Document Policy - configuration points
+#### Using multiple Document Policy configuration points
 Document Policy allows for a single value for each configuration point. Since the categories proposed by this solution are independent of each other, this necessitates multiple configuration points.
 
-#### Policy negotiation and enforcement
-\<why opt in necessary>
+#### Opt-in and policy negotiation
+Document Policy requires that each document opts in to the policies to be applied on such document. While this is a limitation to amount of control the embedder can have over the embeddee's performance, we consider this behavior from Document Policy as necessary due to the following reasons:
+
+* **Control flow alteration.** Direct enforcement would allow for a document to impose changes to the control flow of unwitting embedded third parties.
+* **Potential for side-channel attacks.** See more details in Security and Privacy Considerations.
+
+Despite this limitation, Document Policy allows policy negotation which would allow the embedder to require the relevant policies in this proposal. Through this mechanism, the embedder can still require conformance from the embedee to be loaded, while keeping the embeddee in charge of its own control flow.
+
+#### Negotiation vs enforcement
+
+Document Policy proposes a mechanism for policy negotiation. An embeddee which doesn’t agree to the embedder’s policies will not be loaded. This document makes a distinction between this _negotiation_ (which might result in an embedee failing to load), and _enforcement_. Enforcement of the policy (what will happen when a violation occurs) is to be defined by each aspect of the proposed configuration points.
+
+#### Per-document constraints
+Document Policy directives are effective on a per-document basis. This generally makes it harder for constraints to have the desired impact to improve performance. In this document, we propose capping the overall complexity and resources through frame depth and count restrictions.
 
-* \<side channel attacks> - See NSM
-* \<unexpected behavior can break site>
+**Open question:** what would be the appropriate frame count and depth limit? See related discussion in Security and Privacy Considerations.
 
-\<policy opt-in, policy enforcement>
+#### Open question: how to evolve best practices?
+Performance categories introduced in this proposal are based on the idea of taking the burden of determining performance best practices off of individual site and app developers. However, best practices evolve with time, and for these policies to achieve their goal, the criteria needs to evolve with them. Changing the criteria for what constitutes a policy violation would introduce compatibility issues for anyone opting-in, as things which are allowed today might not be allowed in the future. We need to define a mechanism in which this evolution can happen in a controlled manner, or decide whether it's a reasonable trade off for developers opting in to be expected to keep up with the platform as best practices evolve.
 
- Document Policy establish a mechanism for agreement of embedder and embedee about the policies to be applied. An embeddee which doesn’t agree to the embedder’s policies will not be loaded. However, this is only an agreement from the parties involved. Actual enforcement of the policy is to be defined by such policy.
+#### Open question: reporting 3pp violations to embedder
+Embedders are best equipped to influence change in the performance when they are aware of where the issues are. While Document Policy provides a Reporting API integration, this only reports violations to the endpoint of the document where the violation occurs. Embedders do not receive reports that the embedded content has incurred policy violations, which is a limitation. Currently under consideration: send a minimal report to the embedder when a violation occurs in the embedded document.
 
-#### \<per document constraints>
-\<constraints are applied at document level, setting a required policy requires the same policy for each document on its own, not as part of a global budget/constraint. Best way to cap total resources/complexity is likely through frame depth restriction>
+#### Open question: interaction with Heavy Ad Interventions
 
-### Open questions
+#### Open question: required policy and report-only mode
+It is unclear from the Document Policy explainer whether a report-only header in an embedded document satifies the requirements set by `Sec-Required-Document-Policy` header.
 
+### Security and Privacy Considerations
+
+#### Global budgets and side-channel attacks
+The criteria proposed in this document includes budgets which are shared globally across documents. This could allow for documents to learn things about cross-origin documents, as described in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits). We consider the same alternatives as NSM as viable for this proposal:
+  * Require CORS
+  * Fuzzy budgeting
+
+#### Frame depth
+As called out in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits), a limit greater than 2 would expose the depth in the treee of a document.
+
+### Dependencies on non-stable features
+* Document Policy ([explainer](https://wicg.github.io/document-policy/))
+  - general: currently, only implemented by Chromium-based browsers.
+  - Document Policy negotiation: disabled by default.
+  - `policy` attribute: currently unimplemented.
 
 ### Alternatives considered
 
+#### Custom attributes and headers
+Using Document Policy for this proposal has limitations and challenges, including 3pp violation reporting, opt-in requirement, budget-based state leaks. A custom mechanism was briefly considered, but the following was determined for such approach:
+
+*	Re-defines a mechanism for a problem already in the scope of Document Policy.
+* The challenges in Document Policy are still applicable with a custom mechanism.
+* Changes to iframe HTML element represent additional standards work.
+
+#### Levels vs categories
+It was considere to have a single configuration point based on “levels” which would restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
+
 [^1]: https://infrequently.org/2023/02/the-market-for-lemons/
 [^2]: https://www.thinkwithgoogle.com/marketing-strategies/app-and-mobile/page-load-time-statistics/

From 57ee23282f74f0ac99f0d4ee595c1737ef9ea8bb Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Fri, 22 Nov 2024 15:04:50 -0800
Subject: [PATCH 04/39] Add acknowledgements section

---
 Performance control of embedded content/explainer.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 0c59574a..dcff6f29 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -148,5 +148,10 @@ Using Document Policy for this proposal has limitations and challenges, includin
 #### Levels vs categories
 It was considere to have a single configuration point based on “levels” which would restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
 
+## Acknowledgements 
+Many thanks for the valuable feedback and advice from:
+* [Limin Zhu](https://github.com/liminzhu)
+
+
 [^1]: https://infrequently.org/2023/02/the-market-for-lemons/
 [^2]: https://www.thinkwithgoogle.com/marketing-strategies/app-and-mobile/page-load-time-statistics/

From d7ee3d08f24be3a4d5f2d33df6daea82a27b64e6 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Fri, 22 Nov 2024 15:39:15 -0800
Subject: [PATCH 05/39] Nit

Added comma
---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index dcff6f29..f3881af2 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -7,7 +7,7 @@
 - [Alex Russell](https://github.com/slightlyoff)
 
 ## Introduction
-This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
+This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers, tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
 
 Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee.
 

From bcad7e9696d7197d7b60657617fa5bf079376575 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Mon, 25 Nov 2024 16:08:10 -0800
Subject: [PATCH 06/39] Fixed typo

---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index f3881af2..2a064ab1 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -30,7 +30,7 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 | -------------  | -------- | ------------------- |
 | **A: Basic**<br>**Description**: Basic web development best practices that are scenario-agnostic. | **- Text resources must be compressed** (HTML, CSS, JS, JSON).<br> **- Oversized unzipped assets are flagged:**<br>* Assets larger than 100KB embedded via `data:...` URLs.<br>* Image files larger than 500KB served in last generation formats.<br> * Web fonts that are larger than 300KB. | - Reporting violations via Reporting API.<br> - Assets not rendered.<br> UI indicator to block out images that are too large. |
 | **B: Early-script**<br>**Description**: JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins. | **- JS limits:**<br>* Total limits on JS served prior to user interaction: 2MB<br>* Scripts must contain `content-length` headers<br>* No non-compositor thread animations (e.g. animated SVGs, loading spinners, etc.). | - Report violations via Reporting API.<br> - Loading of scripts that violate the limit are paused/blocked.<br> - Pause/disconnect animations that are not visible, interacted with. |
-| **C: Globals**<br>**Description:** Overall media and system resource usage constraints. | **- Cumulative resource consumption limits per interaction:**<br>* Caps on total media usage. No more than a total of X.<br>* Limits on iframe count. No more than a total of 10.<br>* Limits of iframe depth. No mroe than a depth of 10.<br>* CPU usage before first interaction: XMB. | - Report violations via Reporting API.<br>- Do not load media at all. <br>- Do not load iframes that surpass the depth. |
+| **C: Globals**<br>**Description:** Overall media and system resource usage constraints. | **- Cumulative resource consumption limits per interaction:**<br>* Caps on total media usage. No more than a total of X.<br>* Limits on iframe count. No more than a total of 10.<br>* Limits of iframe depth. No more than a depth of 10.<br>* CPU usage before first interaction: XMB. | - Report violations via Reporting API.<br>- Do not load media at all. <br>- Do not load iframes that surpass the depth. |
 | **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed Xms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [in the background]. |
 
 ### Discussion of different categories

From b9110f2a2366213cc21311a4ce990c52a4f6b084 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Fri, 6 Dec 2024 18:27:47 -0800
Subject: [PATCH 07/39] Fix typo

---
 Performance control of embedded content/explainer.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 2a064ab1..5aeb544a 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -146,9 +146,9 @@ Using Document Policy for this proposal has limitations and challenges, includin
 * Changes to iframe HTML element represent additional standards work.
 
 #### Levels vs categories
-It was considere to have a single configuration point based on “levels” which would restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
+It was considered to have a single configuration point based on “levels” which would restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
 
-## Acknowledgements 
+## Acknowledgements
 Many thanks for the valuable feedback and advice from:
 * [Limin Zhu](https://github.com/liminzhu)
 

From 2878ba2655f06204ebe60747429d68d02f4b8797 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Mon, 9 Dec 2024 11:49:13 -0800
Subject: [PATCH 08/39] Re-order non-goals section

---
 Performance control of embedded content/explainer.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 5aeb544a..f8870d70 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -18,6 +18,9 @@ This proposal has two primary goals:
 1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content.
 2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
 
+## Non-goals
+The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold and limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
+
 ### Scenarios
 * Embedded widgets: Weather forecast, stock tickets, etc.
 * Embedded Ads: Embedded ads from networks like Google AdSense or Bing Ads.
@@ -52,9 +55,6 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 | **Reporting violations** | Yes | Similar to mechanism for setting restrictions, embedder developers should have the same expectations on getting violations across all browsers their site/app runs on. |
 | **How violations are handled** | No | Embedder developers should be able to opt into default behavior when restrictions are violated. There is a plethora of things that can happen when restrictions are violated. Different levels of standardization can happen here. The web platform can provide a default option for how violations are handled e.g. standard can be “some UI indicator is shown when violations are made” but it doesn’t have to be a standard what exactly is the UI. |
 
-## Non-goals
-The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold and limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
-
 ## Proposed API Solution
 Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the categories above:
 A: basic

From 797c0e064ff79eff288dba6669859e4c8b9ca5fe Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Mon, 9 Dec 2024 13:40:35 -0800
Subject: [PATCH 09/39] Add 'remove burden' to goals

---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index f8870d70..bd224a96 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -15,7 +15,7 @@ Embedder developers can do this by enabling various categories of criteria that
 With global web usage continuing to rise and more companies relying on the web as a primary platform to deliver their applications, performance has become a critical factor for success. As more users access websites through mobile devices and lower-powered hardware, the need for fast responsive web experiences is non-negotiable[^1],[^2].
 When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed, these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
 This proposal has two primary goals:
-1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content.
+1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content, while removing the burden of determining individual contraints from web developers.
 2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
 
 ## Non-goals

From 820e6a3847cd4d2835fe1bba4c025337ba35c14a Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Mon, 9 Dec 2024 15:45:13 -0800
Subject: [PATCH 10/39] Re-arrange sections

---
 .../explainer.md                              | 46 ++++++++++---------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index bd224a96..64fbe820 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -88,7 +88,7 @@ Document-Policy: basic, early-script, globals, script, *; report-to=endpoint
 Reporting-Endpoints: endpoint="https://example.com/reports"
 ```
 
-### Discussion
+### API Design Discussion
 #### Using multiple Document Policy configuration points
 Document Policy allows for a single value for each configuration point. Since the categories proposed by this solution are independent of each other, this necessitates multiple configuration points.
 
@@ -101,53 +101,55 @@ Document Policy requires that each document opts in to the policies to be applie
 Despite this limitation, Document Policy allows policy negotation which would allow the embedder to require the relevant policies in this proposal. Through this mechanism, the embedder can still require conformance from the embedee to be loaded, while keeping the embeddee in charge of its own control flow.
 
 #### Negotiation vs enforcement
-
 Document Policy proposes a mechanism for policy negotiation. An embeddee which doesn’t agree to the embedder’s policies will not be loaded. This document makes a distinction between this _negotiation_ (which might result in an embedee failing to load), and _enforcement_. Enforcement of the policy (what will happen when a violation occurs) is to be defined by each aspect of the proposed configuration points.
 
-#### Per-document constraints
-Document Policy directives are effective on a per-document basis. This generally makes it harder for constraints to have the desired impact to improve performance. In this document, we propose capping the overall complexity and resources through frame depth and count restrictions.
-
-**Open question:** what would be the appropriate frame count and depth limit? See related discussion in Security and Privacy Considerations.
-
-#### Open question: how to evolve best practices?
-Performance categories introduced in this proposal are based on the idea of taking the burden of determining performance best practices off of individual site and app developers. However, best practices evolve with time, and for these policies to achieve their goal, the criteria needs to evolve with them. Changing the criteria for what constitutes a policy violation would introduce compatibility issues for anyone opting-in, as things which are allowed today might not be allowed in the future. We need to define a mechanism in which this evolution can happen in a controlled manner, or decide whether it's a reasonable trade off for developers opting in to be expected to keep up with the platform as best practices evolve.
-
-#### Open question: reporting 3pp violations to embedder
-Embedders are best equipped to influence change in the performance when they are aware of where the issues are. While Document Policy provides a Reporting API integration, this only reports violations to the endpoint of the document where the violation occurs. Embedders do not receive reports that the embedded content has incurred policy violations, which is a limitation. Currently under consideration: send a minimal report to the embedder when a violation occurs in the embedded document.
-
-#### Open question: interaction with Heavy Ad Interventions
-
 #### Open question: required policy and report-only mode
 It is unclear from the Document Policy explainer whether a report-only header in an embedded document satifies the requirements set by `Sec-Required-Document-Policy` header.
 
-### Security and Privacy Considerations
 
-#### Global budgets and side-channel attacks
+## Security and Privacy Considerations
+
+### Global budgets and side-channel attacks
 The criteria proposed in this document includes budgets which are shared globally across documents. This could allow for documents to learn things about cross-origin documents, as described in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits). We consider the same alternatives as NSM as viable for this proposal:
   * Require CORS
   * Fuzzy budgeting
 
-#### Frame depth
+### Frame depth
 As called out in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits), a limit greater than 2 would expose the depth in the treee of a document.
 
-### Dependencies on non-stable features
+## Dependencies on non-stable features
 * Document Policy ([explainer](https://wicg.github.io/document-policy/))
   - general: currently, only implemented by Chromium-based browsers.
   - Document Policy negotiation: disabled by default.
   - `policy` attribute: currently unimplemented.
 
-### Alternatives considered
+## Alternatives considered
 
-#### Custom attributes and headers
+### Custom attributes and headers
 Using Document Policy for this proposal has limitations and challenges, including 3pp violation reporting, opt-in requirement, budget-based state leaks. A custom mechanism was briefly considered, but the following was determined for such approach:
 
 *	Re-defines a mechanism for a problem already in the scope of Document Policy.
 * The challenges in Document Policy are still applicable with a custom mechanism.
 * Changes to iframe HTML element represent additional standards work.
 
-#### Levels vs categories
+### Levels vs categories
 It was considered to have a single configuration point based on “levels” which would restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
 
+## Open Issues
+
+### Per-document constraints
+Document Policy directives are effective on a per-document basis. This generally makes it harder for constraints to have the desired impact to improve performance. In this document, we propose capping the overall complexity and resources through frame depth and count restrictions.
+
+What would be the appropriate frame count and depth limit? See related discussion in Security and Privacy Considerations.
+
+### Open question: how to evolve best practices?
+Performance categories introduced in this proposal are based on the idea of taking the burden of determining performance best practices off of individual site and app developers. However, best practices evolve with time, and for these policies to achieve their goal, the criteria needs to evolve with them. Changing the criteria for what constitutes a policy violation would introduce compatibility issues for anyone opting-in, as things which are allowed today might not be allowed in the future. We need to define a mechanism in which this evolution can happen in a controlled manner, or decide whether it's a reasonable trade off for developers opting in to be expected to keep up with the platform as best practices evolve.
+
+### Reporting 3pp violations to embedder
+Embedders are best equipped to influence change in the performance when they are aware of where the issues are. While Document Policy provides a Reporting API integration, this only reports violations to the endpoint of the document where the violation occurs. Embedders do not receive reports that the embedded content has incurred policy violations, which is a limitation. Currently under consideration: send a minimal report to the embedder when a violation occurs in the embedded document.
+
+### Interaction with Heavy Ad Interventions
+
 ## Acknowledgements
 Many thanks for the valuable feedback and advice from:
 * [Limin Zhu](https://github.com/liminzhu)

From 6ca66f116e1bb0e45fc2ead19b08e3634c8124ff Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Tue, 17 Dec 2024 11:53:49 -0800
Subject: [PATCH 11/39] Category list spacing

---
 Performance control of embedded content/explainer.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 64fbe820..adc53992 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -57,10 +57,11 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 
 ## Proposed API Solution
 Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the categories above:
-A: basic
-B: early-script
-C: globals
-D: script
+
+A: `basic`
+B: `early-script`
+C: `globals`
+D: `script`
 
 > **Note:** Names here are only monikers and expected to change.
 

From 240131beb6ff6539de89d0bbfa646cef51598660 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Tue, 17 Dec 2024 11:58:24 -0800
Subject: [PATCH 12/39] Category list spacing

---
 Performance control of embedded content/explainer.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index adc53992..46833802 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -59,8 +59,11 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the categories above:
 
 A: `basic`
+
 B: `early-script`
+
 C: `globals`
+
 D: `script`
 
 > **Note:** Names here are only monikers and expected to change.

From 94ed1f840ab1950febddd29491bff8d5d107c348 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Tue, 17 Dec 2024 11:59:20 -0800
Subject: [PATCH 13/39] Category list formatting

---
 Performance control of embedded content/explainer.md | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 46833802..46beb9b7 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -58,13 +58,10 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 ## Proposed API Solution
 Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the categories above:
 
-A: `basic`
-
-B: `early-script`
-
-C: `globals`
-
-D: `script`
+* A: `basic`
+* B: `early-script`
+* C: `globals`
+* D: `script`
 
 > **Note:** Names here are only monikers and expected to change.
 

From 89e1266d2a96980ad398441008dd5b95403dfd08 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Tue, 17 Dec 2024 12:04:05 -0800
Subject: [PATCH 14/39] add internal section link: negotiation

---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 46beb9b7..93b943a1 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -67,7 +67,7 @@ Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/do
 
 This enables each document to:
 * Self-impose performance constraints.
-* Negotiate constraints (see discussion section) for each subresource.
+* Negotiate constraints (see [discussion section](#opt-in-and-policy-negotiation)) for each subresource.
 
 **Example**
 A feeds app embeds content from different sources, through iframes. To cap the performance impact of the embedded content, the host application aligns with its producers on guidelines and best practices for the embeddees to be loaded into the experience, requiring the content to be served with an agreed upon subset of policies (categories above).

From 13ae7b8824bee1652d5a3efb7775936aaf2c8021 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Tue, 17 Dec 2024 14:53:54 -0800
Subject: [PATCH 15/39] Add link to header docs

---
 Performance control of embedded content/explainer.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 93b943a1..b6109b03 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -82,7 +82,7 @@ Alternatively, the app can set any policy subset to individual frames:<br>
 <iframe policy=”basic, early-script”>
 ```
 
-As a result, requests to embedded content will be sent with `Sec-Required-Document-Policy` header matching the top-level document’s requested configuration. Per Document Policy design, embeddees receiving this request header must opt in for their content to be loaded, with the option to specify a reporting endpoint:
+As a result, requests to embedded content will be sent with [`Sec-Required-Document-Policy` header](https://wicg.github.io/document-policy/#sec-required-document-policy-http-header) matching the top-level document’s requested configuration. Per Document Policy design, embeddees receiving this request header must opt in for their content to be loaded, with the option to specify a reporting endpoint:
 
 ```
 Document-Policy: basic, early-script, globals, script, *; report-to=endpoint
@@ -105,7 +105,7 @@ Despite this limitation, Document Policy allows policy negotation which would al
 Document Policy proposes a mechanism for policy negotiation. An embeddee which doesn’t agree to the embedder’s policies will not be loaded. This document makes a distinction between this _negotiation_ (which might result in an embedee failing to load), and _enforcement_. Enforcement of the policy (what will happen when a violation occurs) is to be defined by each aspect of the proposed configuration points.
 
 #### Open question: required policy and report-only mode
-It is unclear from the Document Policy explainer whether a report-only header in an embedded document satifies the requirements set by `Sec-Required-Document-Policy` header.
+It is unclear from the Document Policy explainer whether a report-only header in an embedded document satifies the requirements set by [`Sec-Required-Document-Policy` header](https://wicg.github.io/document-policy/#sec-required-document-policy-http-header).
 
 
 ## Security and Privacy Considerations

From 08db46448d0d420fd4560f91fff115f7d2402ace Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Tue, 17 Dec 2024 15:10:42 -0800
Subject: [PATCH 16/39] Add single category example

---
 Performance control of embedded content/explainer.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index b6109b03..048c3f47 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -71,7 +71,14 @@ This enables each document to:
 
 **Example**
 A feeds app embeds content from different sources, through iframes. To cap the performance impact of the embedded content, the host application aligns with its producers on guidelines and best practices for the embeddees to be loaded into the experience, requiring the content to be served with an agreed upon subset of policies (categories above).
-The host app serves its main document with Document Policy directives to enforce on embedded content:<br>
+
+The host app serves its main document with Document Policy directives to enforce on embedded content. In the most simple case, the app opts in to a single category:<br>
+```
+Require-Document-Policy: basic
+```
+
+But it can opt in to more of them, each through its own Document Policy configuration point:
+
 ```
 Require-Document-Policy: basic, early-script, globals, script
 ```

From 8e92d81041ac9754b2a56dd82b764085d41cff0a Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Wed, 18 Dec 2024 16:11:19 -0800
Subject: [PATCH 17/39] Grammar fixes

---
 .../explainer.md                                   | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 048c3f47..3c84d006 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -101,7 +101,7 @@ Reporting-Endpoints: endpoint="https://example.com/reports"
 Document Policy allows for a single value for each configuration point. Since the categories proposed by this solution are independent of each other, this necessitates multiple configuration points.
 
 #### Opt-in and policy negotiation
-Document Policy requires that each document opts in to the policies to be applied on such document. While this is a limitation to amount of control the embedder can have over the embeddee's performance, we consider this behavior from Document Policy as necessary due to the following reasons:
+Document Policy requires that each document opts in to the policies to be applied on a given document. While this is a limitation to amount of control the embedder can have over the embeddee's performance, we consider this behavior as necessary due to the following reasons:
 
 * **Control flow alteration.** Direct enforcement would allow for a document to impose changes to the control flow of unwitting embedded third parties.
 * **Potential for side-channel attacks.** See more details in Security and Privacy Considerations.
@@ -118,12 +118,12 @@ It is unclear from the Document Policy explainer whether a report-only header in
 ## Security and Privacy Considerations
 
 ### Global budgets and side-channel attacks
-The criteria proposed in this document includes budgets which are shared globally across documents. This could allow for documents to learn things about cross-origin documents, as described in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits). We consider the same alternatives as NSM as viable for this proposal:
+The proposed criteria include budgets which are shared globally across documents. This could allow for documents to learn things about cross-origin documents, as described in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits). We consider the same alternatives introduced for NSM as viable for this proposal:
   * Require CORS
   * Fuzzy budgeting
 
 ### Frame depth
-As called out in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits), a limit greater than 2 would expose the depth in the treee of a document.
+As called out in the [Never Slow Mode explainer](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits), a limit greater than 2 would expose the depth in the tree of a document.
 
 ## Dependencies on non-stable features
 * Document Policy ([explainer](https://wicg.github.io/document-policy/))
@@ -134,7 +134,7 @@ As called out in the [Never Slow Mode explainer](https://github.com/slightlyoff/
 ## Alternatives considered
 
 ### Custom attributes and headers
-Using Document Policy for this proposal has limitations and challenges, including 3pp violation reporting, opt-in requirement, budget-based state leaks. A custom mechanism was briefly considered, but the following was determined for such approach:
+Using Document Policy for this proposal has limitations and challenges, including 3pp violation reporting, opt-in requirement, budget-based state leaks. A custom mechanism was briefly considered, but the following outline the reasons for moving away from such an approach:
 
 *	Re-defines a mechanism for a problem already in the scope of Document Policy.
 * The challenges in Document Policy are still applicable with a custom mechanism.
@@ -146,15 +146,15 @@ It was considered to have a single configuration point based on “levels” whi
 ## Open Issues
 
 ### Per-document constraints
-Document Policy directives are effective on a per-document basis. This generally makes it harder for constraints to have the desired impact to improve performance. In this document, we propose capping the overall complexity and resources through frame depth and count restrictions.
+Document Policy directives are effective on a per-document basis. This generally makes it harder for constraints to have the desired impact to improve performance, as the overall cap on resources increases with the complexity of the page. We propose capping the overall complexity and resources through frame depth and count restrictions to avoid an unbound upper limit to page resource consumption.
 
-What would be the appropriate frame count and depth limit? See related discussion in Security and Privacy Considerations.
+What would be the appropriate frame count and depth limit? See related discussion in [Security and Privacy Considerations](#frame-depth).
 
 ### Open question: how to evolve best practices?
 Performance categories introduced in this proposal are based on the idea of taking the burden of determining performance best practices off of individual site and app developers. However, best practices evolve with time, and for these policies to achieve their goal, the criteria needs to evolve with them. Changing the criteria for what constitutes a policy violation would introduce compatibility issues for anyone opting-in, as things which are allowed today might not be allowed in the future. We need to define a mechanism in which this evolution can happen in a controlled manner, or decide whether it's a reasonable trade off for developers opting in to be expected to keep up with the platform as best practices evolve.
 
 ### Reporting 3pp violations to embedder
-Embedders are best equipped to influence change in the performance when they are aware of where the issues are. While Document Policy provides a Reporting API integration, this only reports violations to the endpoint of the document where the violation occurs. Embedders do not receive reports that the embedded content has incurred policy violations, which is a limitation. Currently under consideration: send a minimal report to the embedder when a violation occurs in the embedded document.
+Embedders are best equipped to influence change in the performance when they are aware of where the issues are. While Document Policy provides a Reporting API integration, this only reports violations to the endpoint of the document where the violation occurs. Embedders do not receive reports that the embedded content has incurred policy violations, which is a limitation. We are currently considering sending a minimal report to the embedder when a violation occurs in the embedded document.
 
 ### Interaction with Heavy Ad Interventions
 

From 0938264bb0d6edfdc367fda7b842a06f1164e827 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Thu, 19 Dec 2024 14:32:56 -0800
Subject: [PATCH 18/39] Re-word alternatives considered

---
 .../explainer.md                              | 33 +++++++++++++++----
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 3c84d006..c2daa64a 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -85,8 +85,8 @@ Require-Document-Policy: basic, early-script, globals, script
 
 Alternatively, the app can set any policy subset to individual frames:<br>
 ```
-<iframe policy=”basic”>
-<iframe policy=”basic, early-script”>
+<iframe policy="basic">
+<iframe policy="basic, early-script">
 ```
 
 As a result, requests to embedded content will be sent with [`Sec-Required-Document-Policy` header](https://wicg.github.io/document-policy/#sec-required-document-policy-http-header) matching the top-level document’s requested configuration. Per Document Policy design, embeddees receiving this request header must opt in for their content to be loaded, with the option to specify a reporting endpoint:
@@ -134,14 +134,33 @@ As called out in the [Never Slow Mode explainer](https://github.com/slightlyoff/
 ## Alternatives considered
 
 ### Custom attributes and headers
-Using Document Policy for this proposal has limitations and challenges, including 3pp violation reporting, opt-in requirement, budget-based state leaks. A custom mechanism was briefly considered, but the following outline the reasons for moving away from such an approach:
+We considered a functionally equivalent, more scoped custom mechanism involving HTTP headers and a frame tag attribute, for example:
 
-*	Re-defines a mechanism for a problem already in the scope of Document Policy.
-* The challenges in Document Policy are still applicable with a custom mechanism.
-* Changes to iframe HTML element represent additional standards work.
+```
+Performance-Control: basic
+```
+
+```
+<iframe performance-control="basic">
+```
+
+However, this approach meant re-defining a solution for a problem already in the scope of Document Policy, with the same challenges still applying: handling of 3pp violation reports, opt-in requirement and budget-based state leaks.
+
+Furthermore, these challenges arise from the nature of the embedded-embeddee relationship where constraints are proposed. Any solution to this problem will need to address them.
 
 ### Levels vs categories
-It was considered to have a single configuration point based on “levels” which would restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
+We considered having a single Document Policy configuration point based on “levels” which would compound restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
+
+For example, with the "levels" approach, each category would map to a level and be included in the level above:
+
+| Level | Category mapping |
+|---|---|
+| level 1 | `basic` |
+| level 2 | `basic` + `early-script` |
+| level 3 | `basic` + `early-script` + `globals` |
+| level 4 | `basic` + `early-script` + `globals` + `script` |
+
+With this approach, adding a new group of constraints would only be possible by adding a new level with all previously defined constraints, or by redefining existing levels. We consider this to be an unnecessary limitation.
 
 ## Open Issues
 

From a366a0ae8f1a10fc0839615a76dbdbb43be4ea98 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Mon, 30 Dec 2024 12:05:17 -0800
Subject: [PATCH 19/39] Grammar and formatting edits.

---
 Performance control of embedded content/explainer.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index c2daa64a..a9f88132 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -13,7 +13,9 @@ Embedder developers can do this by enabling various categories of criteria that
 
 ## Goals
 With global web usage continuing to rise and more companies relying on the web as a primary platform to deliver their applications, performance has become a critical factor for success. As more users access websites through mobile devices and lower-powered hardware, the need for fast responsive web experiences is non-negotiable[^1],[^2].
-When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed, these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
+
+When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed; these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
+
 This proposal has two primary goals:
 1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content, while removing the burden of determining individual contraints from web developers.
 2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
@@ -23,8 +25,8 @@ The key factor of this solution is there are categories of focused, perf impacti
 
 ### Scenarios
 * Embedded widgets: Weather forecast, stock tickets, etc.
-* Embedded Ads: Embedded ads from networks like Google AdSense or Bing Ads.
-* Embedded calendars: Embedding calendars from services like Outlook Calendar, Google Calendar, etc.
+* Embedded Ads: Embedded ads from networks.
+* Embedded calendars: Embedding calendars from services.
 
 ## Proposed Solution
 There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can enable all or some of the categories.

From 1042bbb680fab462c42a722820d1d2141aa76ab9 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Mon, 30 Dec 2024 14:35:16 -0800
Subject: [PATCH 20/39] Acknowledgements & spelling

---
 .../explainer.md                              | 30 ++++++++++++-------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index a9f88132..d5d008fd 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -17,13 +17,13 @@ With global web usage continuing to rise and more companies relying on the web a
 When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed; these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
 
 This proposal has two primary goals:
-1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content, while removing the burden of determining individual contraints from web developers.
+1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content, while removing the burden of determining individual constraints from web developers.
 2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
 
 ## Non-goals
-The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold and limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
+The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold/limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
 
-### Scenarios
+## Scenarios
 * Embedded widgets: Weather forecast, stock tickets, etc.
 * Embedded Ads: Embedded ads from networks.
 * Embedded calendars: Embedding calendars from services.
@@ -108,13 +108,13 @@ Document Policy requires that each document opts in to the policies to be applie
 * **Control flow alteration.** Direct enforcement would allow for a document to impose changes to the control flow of unwitting embedded third parties.
 * **Potential for side-channel attacks.** See more details in Security and Privacy Considerations.
 
-Despite this limitation, Document Policy allows policy negotation which would allow the embedder to require the relevant policies in this proposal. Through this mechanism, the embedder can still require conformance from the embedee to be loaded, while keeping the embeddee in charge of its own control flow.
+Despite this limitation, Document Policy allows policy negotiation which would allow the embedder to require the relevant policies in this proposal. Through this mechanism, the embedder can still require conformance from the embedee to be loaded, while keeping the embeddee in charge of its own control flow.
 
 #### Negotiation vs enforcement
 Document Policy proposes a mechanism for policy negotiation. An embeddee which doesn’t agree to the embedder’s policies will not be loaded. This document makes a distinction between this _negotiation_ (which might result in an embedee failing to load), and _enforcement_. Enforcement of the policy (what will happen when a violation occurs) is to be defined by each aspect of the proposed configuration points.
 
 #### Open question: required policy and report-only mode
-It is unclear from the Document Policy explainer whether a report-only header in an embedded document satifies the requirements set by [`Sec-Required-Document-Policy` header](https://wicg.github.io/document-policy/#sec-required-document-policy-http-header).
+It is unclear from the Document Policy explainer whether a report-only header in an embedded document satisfies the requirements set by [`Sec-Required-Document-Policy` header](https://wicg.github.io/document-policy/#sec-required-document-policy-http-header).
 
 
 ## Security and Privacy Considerations
@@ -146,11 +146,11 @@ Performance-Control: basic
 <iframe performance-control="basic">
 ```
 
-However, this approach meant re-defining a solution for a problem already in the scope of Document Policy, with the same challenges still applying: handling of 3pp violation reports, opt-in requirement and budget-based state leaks.
+However, this approach meant re-defining a solution for a problem already in the scope of Document Policy, with the same challenges still applying: handling of 3rd party violation reports, opt-in requirement and budget-based state leaks.
 
-Furthermore, these challenges arise from the nature of the embedded-embeddee relationship where constraints are proposed. Any solution to this problem will need to address them.
+Furthermore, these challenges arise from the nature of the embedder-embedee relationship where constraints are proposed. Any solution to this problem will need to address them.
 
-### Levels vs categories
+### Levels vs. categories
 We considered having a single Document Policy configuration point based on “levels” which would compound restrictions on top of each other, but this was discarded due to increased difficulty to introduce new values in the future.
 
 For example, with the "levels" approach, each category would map to a level and be included in the level above:
@@ -174,14 +174,24 @@ What would be the appropriate frame count and depth limit? See related discussio
 ### Open question: how to evolve best practices?
 Performance categories introduced in this proposal are based on the idea of taking the burden of determining performance best practices off of individual site and app developers. However, best practices evolve with time, and for these policies to achieve their goal, the criteria needs to evolve with them. Changing the criteria for what constitutes a policy violation would introduce compatibility issues for anyone opting-in, as things which are allowed today might not be allowed in the future. We need to define a mechanism in which this evolution can happen in a controlled manner, or decide whether it's a reasonable trade off for developers opting in to be expected to keep up with the platform as best practices evolve.
 
-### Reporting 3pp violations to embedder
+### Reporting 3rd party violations to embedder
 Embedders are best equipped to influence change in the performance when they are aware of where the issues are. While Document Policy provides a Reporting API integration, this only reports violations to the endpoint of the document where the violation occurs. Embedders do not receive reports that the embedded content has incurred policy violations, which is a limitation. We are currently considering sending a minimal report to the embedder when a violation occurs in the embedded document.
 
 ### Interaction with Heavy Ad Interventions
 
-## Acknowledgements
+## References & acknowledgements
+
+This proposal has been inspired by and builds on the incredible work done in:
+* [Never-Slow Mode](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file)
+* [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md)
+* [Heavy Ad Interventions](https://developer.chrome.com/blog/heavy-ad-interventions)
+
 Many thanks for the valuable feedback and advice from:
 * [Limin Zhu](https://github.com/liminzhu)
+* [Sam Fortiner](https://github.com/sfortiner)
+* [Alison Maher](https://github.com/alisonmaher) 
+* [Mike Jackson](https://github.com/mwjacksonmsft)
+* [Erik Anderson](https://github.com/erik-anderson)
 
 
 [^1]: https://infrequently.org/2023/02/the-market-for-lemons/

From 79c8fe92a79b779f8ae8b35fef052e1b9e4f3202 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 10:37:10 -0800
Subject: [PATCH 21/39] Expand on use cases and scenarios section

---
 .../explainer.md                                    | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index d5d008fd..25fbd14b 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -23,10 +23,15 @@ This proposal has two primary goals:
 ## Non-goals
 The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold/limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
 
-## Scenarios
-* Embedded widgets: Weather forecast, stock tickets, etc.
-* Embedded Ads: Embedded ads from networks.
-* Embedded calendars: Embedding calendars from services.
+## Use cases and scenarios
+
+Embedded content can unintentionally or deliberately consume disproportionate resources on a device, resulting in a negative user experience. This impact may result in visibly slow-loading websites that frustrate users or less apparent issues like increased battery drain and excessive network bandwidth consumption. Some examples include:
+1. **Embedded widgets (weather forecast, stock tickets, social media, etc.)**
+  * Heavy video and animation widget: A feeds app has a weather widget that contains complex animations, high-definition videos, and auto-play functionality for different weather conditions (heavy snowfall or pouring rain) without user interaction. This leads to significant battery drain due to prolonged hardware activity and excessive bandwidth consumption from streaming or rendering large assets. To address this issue, the feeds app may set constraints such as asset size limits, require assets are zipped, and require video/animations to pause when user is not interacting with them. 
+2. **Embedded ads from external providers**
+  * Cryptojacking ads: A site is using a 3rd party ad provider however the ad contains malicious code designed to run cryptocurrency mining scripts in the background using the user's CPU or GPU resources without their knowledge. This drains the device resources and impacts performance. To avoid such issues, the website owner (embedder) could set performance constraints on the ad by limiting the JavaScript execution or restricting excessive network or CPU usage. 
+3. Embedded calendars from services
+  * Calendar with a heavy framework: An app embeds a calendar to display upcoming events however the embedded calendar loads a full-featured JavaScript framework like Angular or React just to render a simple monthly view. Poorly optimized code results in unnecessary large network payloads and inefficient rendering, causing visible lag during simple user interactions (scrolling or mouse movements). To address these issues, the app can set constraints on the embedded calendar for loading and JavaScript execution times. Through the reporting mechanism, the embedded app may learn that they can make optimizations such as reducing the bundle size, avoiding the need for full frameworks, and use simple solutions for rendering the calendar. 
 
 ## Proposed Solution
 There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can enable all or some of the categories.

From 904b8160f46d578f9d9e24bd98584c092e26126d Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 10:54:14 -0800
Subject: [PATCH 22/39] Remove concrete numbers for limits & fix typos in
 proposal table

---
 Performance control of embedded content/explainer.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 25fbd14b..612f6967 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -38,10 +38,10 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 
 | **Perf. Category** | **Criteria** | **Handling violations** |
 | -------------  | -------- | ------------------- |
-| **A: Basic**<br>**Description**: Basic web development best practices that are scenario-agnostic. | **- Text resources must be compressed** (HTML, CSS, JS, JSON).<br> **- Oversized unzipped assets are flagged:**<br>* Assets larger than 100KB embedded via `data:...` URLs.<br>* Image files larger than 500KB served in last generation formats.<br> * Web fonts that are larger than 300KB. | - Reporting violations via Reporting API.<br> - Assets not rendered.<br> UI indicator to block out images that are too large. |
-| **B: Early-script**<br>**Description**: JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins. | **- JS limits:**<br>* Total limits on JS served prior to user interaction: 2MB<br>* Scripts must contain `content-length` headers<br>* No non-compositor thread animations (e.g. animated SVGs, loading spinners, etc.). | - Report violations via Reporting API.<br> - Loading of scripts that violate the limit are paused/blocked.<br> - Pause/disconnect animations that are not visible, interacted with. |
-| **C: Globals**<br>**Description:** Overall media and system resource usage constraints. | **- Cumulative resource consumption limits per interaction:**<br>* Caps on total media usage. No more than a total of X.<br>* Limits on iframe count. No more than a total of 10.<br>* Limits of iframe depth. No more than a depth of 10.<br>* CPU usage before first interaction: XMB. | - Report violations via Reporting API.<br>- Do not load media at all. <br>- Do not load iframes that surpass the depth. |
-| **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed Xms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [in the background]. |
+| **A: Basic**<br>**Description**: Basic web development best practices that are scenario-agnostic. | **- Text resources must be compressed** (HTML, CSS, JS, JSON).<br> - **Unzipped assets are flagged**<br> - **Oversized assets are flagged:**<br>* Assets larger than ?KB embedded via `data:...` URLs.<br>* Image files larger than ?KB served in last generation formats.<br> * Web fonts that are larger than ?KB. | - Reporting violations via Reporting API.<br> - Assets not rendered.<br> UI indicator to block out images that are too large. |
+| **B: Early-script**<br>**Description**: JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins. | **- JS limits:**<br>* Total limits on JS served prior to user interaction: ?MB<br>* Scripts must contain `content-length` headers<br>* No non-compositor thread animations (e.g. animated SVGs, loading spinners, etc.). | - Report violations via Reporting API.<br> - Loading of scripts that violate the limit are paused/blocked.<br> - Pause/disconnect animations that are not visible, interacted with. |
+| **C: Globals**<br>**Description:** Overall media and system resource usage constraints. | **- Cumulative resource consumption limits per interaction:**<br>* Caps on total media usage. No more than a total of ?.<br>* Limits on iframe count. No more than a total of ?.<br>* Limits of iframe depth. No more than a depth of ?.<br>* CPU usage before first interaction: ?MB. | - Report violations via Reporting API.<br>- Do not load media at all. <br>- Do not load iframes that surpass the depth. |
+| **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed ?ms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [no user interaction/running in the background]. |
 
 ### Discussion of different categories
 **A: Basic – Basic web development best practices that are scenario-agnostic:** This category covers fundamental web development best practices to ensure that websites are optimized for performance across all environments. This includes compressing text resources such as HTML, CSS JavaScript, and JSON to reduce load times and bandwidth usage, and compressing assets larger than 100KB that are embedded via `data: URLs` as they can slow down page rendering and increase resource consumption. Additionally, images should be served in modern, efficient formats, with any image files exceeding 500KB considered oversized and requiring optimization. Web fonts must also be kept under 300KB to avoid unnecessarily delaying page rendering.

From 235ed21d37d27c71eba9c02bedf6829cd7abb9e1 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 11:19:36 -0800
Subject: [PATCH 23/39] Add more context about what to do with reports in the
 intro section

---
 Performance control of embedded content/explainer.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 612f6967..cd40f265 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -9,7 +9,11 @@
 ## Introduction
 This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers, tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
 
-Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee.
+Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee. If those constraints are violated, they are reported to the embedder and embedee to:
+1.  Inform the embedder so it can make decisions accordingly, to make the right tradeoffs for their app and give their users an optimal experience.
+2.  Inform the embedee so they can be aware of issues and learn about improvement opportunities. 
+
+Additionally, embedders can opt into default behavior the platform makes to address violations.
 
 ## Goals
 With global web usage continuing to rise and more companies relying on the web as a primary platform to deliver their applications, performance has become a critical factor for success. As more users access websites through mobile devices and lower-powered hardware, the need for fast responsive web experiences is non-negotiable[^1],[^2].
@@ -44,7 +48,7 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 | **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed ?ms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [no user interaction/running in the background]. |
 
 ### Discussion of different categories
-**A: Basic – Basic web development best practices that are scenario-agnostic:** This category covers fundamental web development best practices to ensure that websites are optimized for performance across all environments. This includes compressing text resources such as HTML, CSS JavaScript, and JSON to reduce load times and bandwidth usage, and compressing assets larger than 100KB that are embedded via `data: URLs` as they can slow down page rendering and increase resource consumption. Additionally, images should be served in modern, efficient formats, with any image files exceeding 500KB considered oversized and requiring optimization. Web fonts must also be kept under 300KB to avoid unnecessarily delaying page rendering.
+**A: Basic – Basic web development best practices that are scenario-agnostic:** This category covers fundamental web development best practices to ensure that websites are optimized for performance across all environments. This includes compressing text resources such as HTML, CSS JavaScript, and JSON to reduce load times and bandwidth usage, and compressing assets larger than ?KB that are embedded via `data: URLs` as they can slow down page rendering and increase resource consumption. Additionally, images should be served in modern, efficient formats, with any image files exceeding ?KB considered oversized and requiring optimization. Web fonts must also be kept under ?KB to avoid unnecessarily delaying page rendering.
 
 **B: Early-script – JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins:** This category focuses on JavaScript development best practices that can be done to minimize performance issues before user interaction begins. This includes capping JavaScript resources loaded initially to avoid overwhelming devices with limited processing power or bandwidth, and serving JavaScript with constrained content-length headers to ensure predictable resource delivery and prevent bloated downloads. Additionally, animations that don’t run on the compositor thread should be avoided, as they can trigger costly layout recalculations and choppy user experiences, especially during page load or scroll events.
 

From 34ccf2d05a6b304208e8a6196c2166475e903080 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 15:59:08 -0800
Subject: [PATCH 24/39] Add note in proposed solution about source of proposal

---
 Performance control of embedded content/explainer.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index cd40f265..acd9c051 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -38,11 +38,13 @@ Embedded content can unintentionally or deliberately consume disproportionate re
   * Calendar with a heavy framework: An app embeds a calendar to display upcoming events however the embedded calendar loads a full-featured JavaScript framework like Angular or React just to render a simple monthly view. Poorly optimized code results in unnecessary large network payloads and inefficient rendering, causing visible lag during simple user interactions (scrolling or mouse movements). To address these issues, the app can set constraints on the embedded calendar for loading and JavaScript execution times. Through the reporting mechanism, the embedded app may learn that they can make optimizations such as reducing the bundle size, avoiding the need for full frameworks, and use simple solutions for rendering the calendar. 
 
 ## Proposed Solution
+> **Note:** This proposal is grounded in experience working with embedded web content and reviewing & evaluating numerous websites. We've identified recurring issues that can lead well-intentioned sites to unintentionally deliver suboptimal user experiences. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. 
+
 There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can enable all or some of the categories.
 
 | **Perf. Category** | **Criteria** | **Handling violations** |
 | -------------  | -------- | ------------------- |
-| **A: Basic**<br>**Description**: Basic web development best practices that are scenario-agnostic. | **- Text resources must be compressed** (HTML, CSS, JS, JSON).<br> - **Unzipped assets are flagged**<br> - **Oversized assets are flagged:**<br>* Assets larger than ?KB embedded via `data:...` URLs.<br>* Image files larger than ?KB served in last generation formats.<br> * Web fonts that are larger than ?KB. | - Reporting violations via Reporting API.<br> - Assets not rendered.<br> UI indicator to block out images that are too large. |
+| **A: Basic**<br>**Description**: Basic web development best practices that are scenario-agnostic. | **- Text resources must be compressed** (HTML, CSS, JS, JSON).<br> - **Unzipped assets are flagged.**<br> - **Oversized assets are flagged:**<br>* Assets larger than ?KB embedded via `data:...` URLs.<br>* Image files larger than ?KB served in last generation formats.<br> * Web fonts that are larger than ?KB. | - Reporting violations via Reporting API.<br> - Assets not rendered.<br> UI indicator to block out images that are too large. |
 | **B: Early-script**<br>**Description**: JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins. | **- JS limits:**<br>* Total limits on JS served prior to user interaction: ?MB<br>* Scripts must contain `content-length` headers<br>* No non-compositor thread animations (e.g. animated SVGs, loading spinners, etc.). | - Report violations via Reporting API.<br> - Loading of scripts that violate the limit are paused/blocked.<br> - Pause/disconnect animations that are not visible, interacted with. |
 | **C: Globals**<br>**Description:** Overall media and system resource usage constraints. | **- Cumulative resource consumption limits per interaction:**<br>* Caps on total media usage. No more than a total of ?.<br>* Limits on iframe count. No more than a total of ?.<br>* Limits of iframe depth. No more than a depth of ?.<br>* CPU usage before first interaction: ?MB. | - Report violations via Reporting API.<br>- Do not load media at all. <br>- Do not load iframes that surpass the depth. |
 | **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed ?ms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [no user interaction/running in the background]. |

From f2397847e4212415b3a2cb29e6b89dac2427bad9 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 16:24:15 -0800
Subject: [PATCH 25/39] Clean up description of basic category

---
 Performance control of embedded content/explainer.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index acd9c051..c3888988 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -38,7 +38,7 @@ Embedded content can unintentionally or deliberately consume disproportionate re
   * Calendar with a heavy framework: An app embeds a calendar to display upcoming events however the embedded calendar loads a full-featured JavaScript framework like Angular or React just to render a simple monthly view. Poorly optimized code results in unnecessary large network payloads and inefficient rendering, causing visible lag during simple user interactions (scrolling or mouse movements). To address these issues, the app can set constraints on the embedded calendar for loading and JavaScript execution times. Through the reporting mechanism, the embedded app may learn that they can make optimizations such as reducing the bundle size, avoiding the need for full frameworks, and use simple solutions for rendering the calendar. 
 
 ## Proposed Solution
-> **Note:** This proposal is grounded in experience working with embedded web content and reviewing & evaluating numerous websites. We've identified recurring issues that can lead well-intentioned sites to unintentionally deliver suboptimal user experiences. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. 
+> **Note:** This proposal is grounded in experience working with embedded web content and evaluation of numerous websites. We've identified recurring issues that can lead well-intentioned web content to unintentionally deliver suboptimal user experiences. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. 
 
 There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can enable all or some of the categories.
 
@@ -50,7 +50,7 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 | **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed ?ms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [no user interaction/running in the background]. |
 
 ### Discussion of different categories
-**A: Basic – Basic web development best practices that are scenario-agnostic:** This category covers fundamental web development best practices to ensure that websites are optimized for performance across all environments. This includes compressing text resources such as HTML, CSS JavaScript, and JSON to reduce load times and bandwidth usage, and compressing assets larger than ?KB that are embedded via `data: URLs` as they can slow down page rendering and increase resource consumption. Additionally, images should be served in modern, efficient formats, with any image files exceeding ?KB considered oversized and requiring optimization. Web fonts must also be kept under ?KB to avoid unnecessarily delaying page rendering.
+**A: Basic – Basic web development best practices that are scenario-agnostic:** This category encompasses fundamental web development best practices to ensure websites are optimized for performance across various environments. These tasks are typically simple to implement but are frequently overlooked, leading to significant performance issues.
 
 **B: Early-script – JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins:** This category focuses on JavaScript development best practices that can be done to minimize performance issues before user interaction begins. This includes capping JavaScript resources loaded initially to avoid overwhelming devices with limited processing power or bandwidth, and serving JavaScript with constrained content-length headers to ensure predictable resource delivery and prevent bloated downloads. Additionally, animations that don’t run on the compositor thread should be avoided, as they can trigger costly layout recalculations and choppy user experiences, especially during page load or scroll events.
 

From 6d94c6664a23e9dc84a22df92f3463d248353eb4 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 16:55:53 -0800
Subject: [PATCH 26/39] Add context to "what should be standardized" section

---
 Performance control of embedded content/explainer.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index c3888988..c5570b3a 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -59,6 +59,8 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 **D: Script – Strict JavaScript restrictions:** This category enforces restrictions on more complex JavaScript to further enhance performance. This includes limiting long tasks running on the main thread as they block the event loop and degrade interactivity leading to slow response times, and capping high CPU usage tasks, particularly those involving workers that exceed certain execution times, to ensure they don’t monopolize system resources. These restrictions ensure that JavaScript execution remains lightweight and efficient, preventing detrimental performance impacts on the user experience.
 
 ## What should be standardized?
+There are various layers of configuration that can happen and we need to ensure alignment on what should be a web standard vs. what is left to browsers to determine. Here is a discussion of what we propose:
+
 | **Layer of configuration** | **Standardize?** | **Notes** |
 | -------------------------- | ---------------- | --------- |
 | **Different categorizations of features:** Currently there are four and can expand in the future with new categories. | Yes | There needs to be alignment within the web community on what the key factors are that we want to allow restrictions for. This allows site developers to be on the same page and make tradeoffs accordingly. The definition for each category and number of categories need to be standardized. Standardizing this gives site developers an opportunity to optimize their performance regardless of the browser their end users are on. |

From 055b3cf6d4c7410b77bfaa145c271ec722930c1a Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 17:15:39 -0800
Subject: [PATCH 27/39] Clarify non-goals section

---
 Performance control of embedded content/explainer.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index c5570b3a..2b03fbab 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -7,6 +7,7 @@
 - [Alex Russell](https://github.com/slightlyoff)
 
 ## Introduction
+
 This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers, tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
 
 Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee. If those constraints are violated, they are reported to the embedder and embedee to:
@@ -16,6 +17,7 @@ Embedder developers can do this by enabling various categories of criteria that
 Additionally, embedders can opt into default behavior the platform makes to address violations.
 
 ## Goals
+
 With global web usage continuing to rise and more companies relying on the web as a primary platform to deliver their applications, performance has become a critical factor for success. As more users access websites through mobile devices and lower-powered hardware, the need for fast responsive web experiences is non-negotiable[^1],[^2].
 
 When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed; these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
@@ -25,11 +27,13 @@ This proposal has two primary goals:
 2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
 
 ## Non-goals
-The key factor of this solution is there are categories of focused, perf impacting features that developers can choose to enforce restrictions on their apps. The threshold/limits and specific criteria within a category may evolve over time and is determined by the platform. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.**
+
+1. Granular control of limits or individual criteria within a category. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.** The key factor of this solution is there are predefined categories of focused, perf impacting features that embedder developers can choose to enforce restrictions on the embedded content in their app/site. This is to simplify the process and remove the burden from the embedder developer to determine individual constraints. 
 
 ## Use cases and scenarios
 
 Embedded content can unintentionally or deliberately consume disproportionate resources on a device, resulting in a negative user experience. This impact may result in visibly slow-loading websites that frustrate users or less apparent issues like increased battery drain and excessive network bandwidth consumption. Some examples include:
+
 1. **Embedded widgets (weather forecast, stock tickets, social media, etc.)**
   * Heavy video and animation widget: A feeds app has a weather widget that contains complex animations, high-definition videos, and auto-play functionality for different weather conditions (heavy snowfall or pouring rain) without user interaction. This leads to significant battery drain due to prolonged hardware activity and excessive bandwidth consumption from streaming or rendering large assets. To address this issue, the feeds app may set constraints such as asset size limits, require assets are zipped, and require video/animations to pause when user is not interacting with them. 
 2. **Embedded ads from external providers**
@@ -38,7 +42,8 @@ Embedded content can unintentionally or deliberately consume disproportionate re
   * Calendar with a heavy framework: An app embeds a calendar to display upcoming events however the embedded calendar loads a full-featured JavaScript framework like Angular or React just to render a simple monthly view. Poorly optimized code results in unnecessary large network payloads and inefficient rendering, causing visible lag during simple user interactions (scrolling or mouse movements). To address these issues, the app can set constraints on the embedded calendar for loading and JavaScript execution times. Through the reporting mechanism, the embedded app may learn that they can make optimizations such as reducing the bundle size, avoiding the need for full frameworks, and use simple solutions for rendering the calendar. 
 
 ## Proposed Solution
-> **Note:** This proposal is grounded in experience working with embedded web content and evaluation of numerous websites. We've identified recurring issues that can lead well-intentioned web content to unintentionally deliver suboptimal user experiences. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. 
+
+> **Note:** This proposal is grounded in experience working with embedded web content and evaluation of numerous websites. We've identified recurring issues that can lead well-intentioned web content to unintentionally deliver suboptimal user experiences. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. Additionally, the threshold/limits and specific criteria within a category may evolve over time and is determined by the platform.
 
 There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can enable all or some of the categories.
 
@@ -50,6 +55,7 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 | **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed ?ms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [no user interaction/running in the background]. |
 
 ### Discussion of different categories
+
 **A: Basic – Basic web development best practices that are scenario-agnostic:** This category encompasses fundamental web development best practices to ensure websites are optimized for performance across various environments. These tasks are typically simple to implement but are frequently overlooked, leading to significant performance issues.
 
 **B: Early-script – JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins:** This category focuses on JavaScript development best practices that can be done to minimize performance issues before user interaction begins. This includes capping JavaScript resources loaded initially to avoid overwhelming devices with limited processing power or bandwidth, and serving JavaScript with constrained content-length headers to ensure predictable resource delivery and prevent bloated downloads. Additionally, animations that don’t run on the compositor thread should be avoided, as they can trigger costly layout recalculations and choppy user experiences, especially during page load or scroll events.
@@ -59,6 +65,7 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 **D: Script – Strict JavaScript restrictions:** This category enforces restrictions on more complex JavaScript to further enhance performance. This includes limiting long tasks running on the main thread as they block the event loop and degrade interactivity leading to slow response times, and capping high CPU usage tasks, particularly those involving workers that exceed certain execution times, to ensure they don’t monopolize system resources. These restrictions ensure that JavaScript execution remains lightweight and efficient, preventing detrimental performance impacts on the user experience.
 
 ## What should be standardized?
+
 There are various layers of configuration that can happen and we need to ensure alignment on what should be a web standard vs. what is left to browsers to determine. Here is a discussion of what we propose:
 
 | **Layer of configuration** | **Standardize?** | **Notes** |
@@ -71,6 +78,7 @@ There are various layers of configuration that can happen and we need to ensure
 | **How violations are handled** | No | Embedder developers should be able to opt into default behavior when restrictions are violated. There is a plethora of things that can happen when restrictions are violated. Different levels of standardization can happen here. The web platform can provide a default option for how violations are handled e.g. standard can be “some UI indicator is shown when violations are made” but it doesn’t have to be a standard what exactly is the UI. |
 
 ## Proposed API Solution
+
 Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the categories above:
 
 * A: `basic`

From d1462c6efb4e81cdfccc42a3c36176ebdd0d7731 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 17:23:41 -0800
Subject: [PATCH 28/39] Clarify the different script categories

---
 Performance control of embedded content/explainer.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 2b03fbab..e23ab6e1 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -50,9 +50,9 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 | **Perf. Category** | **Criteria** | **Handling violations** |
 | -------------  | -------- | ------------------- |
 | **A: Basic**<br>**Description**: Basic web development best practices that are scenario-agnostic. | **- Text resources must be compressed** (HTML, CSS, JS, JSON).<br> - **Unzipped assets are flagged.**<br> - **Oversized assets are flagged:**<br>* Assets larger than ?KB embedded via `data:...` URLs.<br>* Image files larger than ?KB served in last generation formats.<br> * Web fonts that are larger than ?KB. | - Reporting violations via Reporting API.<br> - Assets not rendered.<br> UI indicator to block out images that are too large. |
-| **B: Early-script**<br>**Description**: JavaScript constraints to enhance performance and minimize impact on user experience before interaction begins. | **- JS limits:**<br>* Total limits on JS served prior to user interaction: ?MB<br>* Scripts must contain `content-length` headers<br>* No non-compositor thread animations (e.g. animated SVGs, loading spinners, etc.). | - Report violations via Reporting API.<br> - Loading of scripts that violate the limit are paused/blocked.<br> - Pause/disconnect animations that are not visible, interacted with. |
+| **B: Early-script**<br>**Description**: JavaScript constraints during load to enhance performance and minimize impact on user experience before interaction begins. | **- JS limits:**<br>* Total limits on JS served prior to user interaction: ?MB<br>* Scripts must contain `content-length` headers<br>* No non-compositor thread animations (e.g. animated SVGs, loading spinners, etc.). | - Report violations via Reporting API.<br> - Loading of scripts that violate the limit are paused/blocked.<br> - Pause/disconnect animations that are not visible, interacted with. |
 | **C: Globals**<br>**Description:** Overall media and system resource usage constraints. | **- Cumulative resource consumption limits per interaction:**<br>* Caps on total media usage. No more than a total of ?.<br>* Limits on iframe count. No more than a total of ?.<br>* Limits of iframe depth. No more than a depth of ?.<br>* CPU usage before first interaction: ?MB. | - Report violations via Reporting API.<br>- Do not load media at all. <br>- Do not load iframes that surpass the depth. |
-| **D: Script**<br>**Description:** Strict JavaScript restrictions. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed ?ms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [no user interaction/running in the background]. |
+| **D: Script**<br>**Description:** Strict JavaScript restrictions while running/post-load. | **-Additional JS limits:**<br>* Long tasks in the main thread.<br>* High CPU usage.<br>* Workers with long tasks that exceed ?ms.<br> | - Report violations via Reporting API.<br>- Stopping JavaScript if [no user interaction/running in the background]. |
 
 ### Discussion of different categories
 

From da9c878208e5403d27f0a30cee855a362737c0f8 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 17:26:16 -0800
Subject: [PATCH 29/39] Fix formatting

---
 Performance control of embedded content/explainer.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index e23ab6e1..184b4597 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -38,7 +38,7 @@ Embedded content can unintentionally or deliberately consume disproportionate re
   * Heavy video and animation widget: A feeds app has a weather widget that contains complex animations, high-definition videos, and auto-play functionality for different weather conditions (heavy snowfall or pouring rain) without user interaction. This leads to significant battery drain due to prolonged hardware activity and excessive bandwidth consumption from streaming or rendering large assets. To address this issue, the feeds app may set constraints such as asset size limits, require assets are zipped, and require video/animations to pause when user is not interacting with them. 
 2. **Embedded ads from external providers**
   * Cryptojacking ads: A site is using a 3rd party ad provider however the ad contains malicious code designed to run cryptocurrency mining scripts in the background using the user's CPU or GPU resources without their knowledge. This drains the device resources and impacts performance. To avoid such issues, the website owner (embedder) could set performance constraints on the ad by limiting the JavaScript execution or restricting excessive network or CPU usage. 
-3. Embedded calendars from services
+3. **Embedded calendars from services**
   * Calendar with a heavy framework: An app embeds a calendar to display upcoming events however the embedded calendar loads a full-featured JavaScript framework like Angular or React just to render a simple monthly view. Poorly optimized code results in unnecessary large network payloads and inefficient rendering, causing visible lag during simple user interactions (scrolling or mouse movements). To address these issues, the app can set constraints on the embedded calendar for loading and JavaScript execution times. Through the reporting mechanism, the embedded app may learn that they can make optimizations such as reducing the bundle size, avoiding the need for full frameworks, and use simple solutions for rendering the calendar. 
 
 ## Proposed Solution
@@ -64,7 +64,7 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 
 **D: Script – Strict JavaScript restrictions:** This category enforces restrictions on more complex JavaScript to further enhance performance. This includes limiting long tasks running on the main thread as they block the event loop and degrade interactivity leading to slow response times, and capping high CPU usage tasks, particularly those involving workers that exceed certain execution times, to ensure they don’t monopolize system resources. These restrictions ensure that JavaScript execution remains lightweight and efficient, preventing detrimental performance impacts on the user experience.
 
-## What should be standardized?
+### What should be standardized?
 
 There are various layers of configuration that can happen and we need to ensure alignment on what should be a web standard vs. what is left to browsers to determine. Here is a discussion of what we propose:
 

From 5775239b9f1595094068fbfa14f2e38261c2d2e2 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 31 Dec 2024 17:34:25 -0800
Subject: [PATCH 30/39] Added open questions

---
 Performance control of embedded content/explainer.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 184b4597..9c9de199 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -200,6 +200,11 @@ Embedders are best equipped to influence change in the performance when they are
 
 ### Interaction with Heavy Ad Interventions
 
+
+### Open question: how can we ensure fair restrictions for various types of devices (e.g. low end vs. high end devices)?
+
+### Open question: how to determine categories/criteria/limits for desktop vs. mobile?
+
 ## References & acknowledgements
 
 This proposal has been inspired by and builds on the incredible work done in:

From 972aadee7b95d56aa6701e22f9e92d5f18d8f94e Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Mon, 6 Jan 2025 17:27:08 -0800
Subject: [PATCH 31/39] Nit

---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 9c9de199..1ff7b24d 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -8,7 +8,7 @@
 
 ## Introduction
 
-This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, browsers, tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
+This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
 
 Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee. If those constraints are violated, they are reported to the embedder and embedee to:
 1.  Inform the embedder so it can make decisions accordingly, to make the right tradeoffs for their app and give their users an optimal experience.

From f53e4320cc40054839b5770ad4323b98195be0d8 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Mon, 6 Jan 2025 22:28:00 -0800
Subject: [PATCH 32/39] Nit

---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 1ff7b24d..0200dbce 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -8,7 +8,7 @@
 
 ## Introduction
 
-This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (iframes, tabs, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
+This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (tabs, iframes, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
 
 Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee. If those constraints are violated, they are reported to the embedder and embedee to:
 1.  Inform the embedder so it can make decisions accordingly, to make the right tradeoffs for their app and give their users an optimal experience.

From 2889db645cc0a357aab9435f7ef8cb499ce4f410 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Mon, 6 Jan 2025 16:30:53 -0800
Subject: [PATCH 33/39] Re-work 'best practices' section

---
 .../explainer.md                              | 45 +++++++++++++++----
 1 file changed, 37 insertions(+), 8 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 0200dbce..a06b7a67 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -12,7 +12,7 @@ This document proposes platform functionality to give embedders (browsers, websi
 
 Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee. If those constraints are violated, they are reported to the embedder and embedee to:
 1.  Inform the embedder so it can make decisions accordingly, to make the right tradeoffs for their app and give their users an optimal experience.
-2.  Inform the embedee so they can be aware of issues and learn about improvement opportunities. 
+2.  Inform the embedee so they can be aware of issues and learn about improvement opportunities.
 
 Additionally, embedders can opt into default behavior the platform makes to address violations.
 
@@ -28,18 +28,18 @@ This proposal has two primary goals:
 
 ## Non-goals
 
-1. Granular control of limits or individual criteria within a category. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.** The key factor of this solution is there are predefined categories of focused, perf impacting features that embedder developers can choose to enforce restrictions on the embedded content in their app/site. This is to simplify the process and remove the burden from the embedder developer to determine individual constraints. 
+1. Granular control of limits or individual criteria within a category. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.** The key factor of this solution is there are predefined categories of focused, perf impacting features that embedder developers can choose to enforce restrictions on the embedded content in their app/site. This is to simplify the process and remove the burden from the embedder developer to determine individual constraints.
 
 ## Use cases and scenarios
 
 Embedded content can unintentionally or deliberately consume disproportionate resources on a device, resulting in a negative user experience. This impact may result in visibly slow-loading websites that frustrate users or less apparent issues like increased battery drain and excessive network bandwidth consumption. Some examples include:
 
 1. **Embedded widgets (weather forecast, stock tickets, social media, etc.)**
-  * Heavy video and animation widget: A feeds app has a weather widget that contains complex animations, high-definition videos, and auto-play functionality for different weather conditions (heavy snowfall or pouring rain) without user interaction. This leads to significant battery drain due to prolonged hardware activity and excessive bandwidth consumption from streaming or rendering large assets. To address this issue, the feeds app may set constraints such as asset size limits, require assets are zipped, and require video/animations to pause when user is not interacting with them. 
+  * Heavy video and animation widget: A feeds app has a weather widget that contains complex animations, high-definition videos, and auto-play functionality for different weather conditions (heavy snowfall or pouring rain) without user interaction. This leads to significant battery drain due to prolonged hardware activity and excessive bandwidth consumption from streaming or rendering large assets. To address this issue, the feeds app may set constraints such as asset size limits, require assets are zipped, and require video/animations to pause when user is not interacting with them.
 2. **Embedded ads from external providers**
-  * Cryptojacking ads: A site is using a 3rd party ad provider however the ad contains malicious code designed to run cryptocurrency mining scripts in the background using the user's CPU or GPU resources without their knowledge. This drains the device resources and impacts performance. To avoid such issues, the website owner (embedder) could set performance constraints on the ad by limiting the JavaScript execution or restricting excessive network or CPU usage. 
+  * Cryptojacking ads: A site is using a 3rd party ad provider however the ad contains malicious code designed to run cryptocurrency mining scripts in the background using the user's CPU or GPU resources without their knowledge. This drains the device resources and impacts performance. To avoid such issues, the website owner (embedder) could set performance constraints on the ad by limiting the JavaScript execution or restricting excessive network or CPU usage.
 3. **Embedded calendars from services**
-  * Calendar with a heavy framework: An app embeds a calendar to display upcoming events however the embedded calendar loads a full-featured JavaScript framework like Angular or React just to render a simple monthly view. Poorly optimized code results in unnecessary large network payloads and inefficient rendering, causing visible lag during simple user interactions (scrolling or mouse movements). To address these issues, the app can set constraints on the embedded calendar for loading and JavaScript execution times. Through the reporting mechanism, the embedded app may learn that they can make optimizations such as reducing the bundle size, avoiding the need for full frameworks, and use simple solutions for rendering the calendar. 
+  * Calendar with a heavy framework: An app embeds a calendar to display upcoming events however the embedded calendar loads a full-featured JavaScript framework like Angular or React just to render a simple monthly view. Poorly optimized code results in unnecessary large network payloads and inefficient rendering, causing visible lag during simple user interactions (scrolling or mouse movements). To address these issues, the app can set constraints on the embedded calendar for loading and JavaScript execution times. Through the reporting mechanism, the embedded app may learn that they can make optimizations such as reducing the bundle size, avoiding the need for full frameworks, and use simple solutions for rendering the calendar.
 
 ## Proposed Solution
 
@@ -192,8 +192,37 @@ Document Policy directives are effective on a per-document basis. This generally
 
 What would be the appropriate frame count and depth limit? See related discussion in [Security and Privacy Considerations](#frame-depth).
 
-### Open question: how to evolve best practices?
-Performance categories introduced in this proposal are based on the idea of taking the burden of determining performance best practices off of individual site and app developers. However, best practices evolve with time, and for these policies to achieve their goal, the criteria needs to evolve with them. Changing the criteria for what constitutes a policy violation would introduce compatibility issues for anyone opting-in, as things which are allowed today might not be allowed in the future. We need to define a mechanism in which this evolution can happen in a controlled manner, or decide whether it's a reasonable trade off for developers opting in to be expected to keep up with the platform as best practices evolve.
+### Criteria and category definition, evolution
+This proposal provides an affordance for web developers to gain back control over the performance of their web property. A set of performance-impacting criteria was derived from [Never Slow Mode](https://github.com/slightlyoff/never_slow_mode?tab=readme-ov-file#global-limits) and experience in the field (see note in [Proposed Solution](#proposed-solution)). These criteria were then grouped into buckets, taking into account their overall impact, stage in the document lifetime and estimated effort from the developer to fix.
+
+The result is a set of criteria mapped to a smaller set of policies/categories. This mapping is an explicit design choice to remove the burden of determining criteria from individual sites and app developers.
+
+We expect these criteria and their specific limits to evolve with the web, which poses the question of how to best evolve the API. We are considering the following options:
+
+1. **Define once, no changes**
+    **Pros**
+    * Web developers can anticipate and address violations.
+    * Consistent behavior after site opts into the policy.
+
+    **Cons**
+    * Criteria fixed to today's recommendations.
+
+2. **Updating criteria under the same category tags**
+    **Pros**
+    * Sites opting in are kept to the latest criteria under each category.
+
+    **Cons**
+    * Sites subject to changing platform behavior.
+    * Actual criteria and limits are fragmented with the web.
+
+3. **Updated criteria under new category tags**
+    **Pros**
+    * Web developers can anticipate and address violations.
+
+    **Cons**
+    * Requires changes from sites each time there's a change in a category.
+
+An ideal mechanism would allow for this evolution go happen in a controlled, predictable manner. An open point for discussion is whether it's a reasonable trade off for developers opting in to be expected to keep up with the platform as criteria evolves.
 
 ### Reporting 3rd party violations to embedder
 Embedders are best equipped to influence change in the performance when they are aware of where the issues are. While Document Policy provides a Reporting API integration, this only reports violations to the endpoint of the document where the violation occurs. Embedders do not receive reports that the embedded content has incurred policy violations, which is a limitation. We are currently considering sending a minimal report to the embedder when a violation occurs in the embedded document.
@@ -215,7 +244,7 @@ This proposal has been inspired by and builds on the incredible work done in:
 Many thanks for the valuable feedback and advice from:
 * [Limin Zhu](https://github.com/liminzhu)
 * [Sam Fortiner](https://github.com/sfortiner)
-* [Alison Maher](https://github.com/alisonmaher) 
+* [Alison Maher](https://github.com/alisonmaher)
 * [Mike Jackson](https://github.com/mwjacksonmsft)
 * [Erik Anderson](https://github.com/erik-anderson)
 

From 48385a8d61ed2e4d258ee23060e652dc48450d82 Mon Sep 17 00:00:00 2001
From: Luis Flores <luflore@microsoft.com>
Date: Mon, 6 Jan 2025 16:51:18 -0800
Subject: [PATCH 34/39] Merge Proposed Solution/API Design Details

---
 .../explainer.md                              | 59 ++++++++++---------
 1 file changed, 30 insertions(+), 29 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index a06b7a67..53fc0a81 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -45,7 +45,21 @@ Embedded content can unintentionally or deliberately consume disproportionate re
 
 > **Note:** This proposal is grounded in experience working with embedded web content and evaluation of numerous websites. We've identified recurring issues that can lead well-intentioned web content to unintentionally deliver suboptimal user experiences. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. Additionally, the threshold/limits and specific criteria within a category may evolve over time and is determined by the platform.
 
-There are four categories (A, B, C, D) of performance impacting criteria that developers can enforce on embedded content. Based on the scenarios, the app can enable all or some of the categories.
+Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the following performance-impacting categories:
+
+* A: `basic`
+* B: `early-script`
+* C: `globals`
+* D: `script`
+
+> **Note:** Names here are only monikers and expected to change.
+
+This enables each document to:
+* Self-impose performance constraints.
+* Negotiate constraints (see [discussion section](#opt-in-and-policy-negotiation)) for each subresource.
+
+
+### Categories and criteria
 
 | **Perf. Category** | **Criteria** | **Handling violations** |
 | -------------  | -------- | ------------------- |
@@ -64,35 +78,8 @@ There are four categories (A, B, C, D) of performance impacting criteria that de
 
 **D: Script – Strict JavaScript restrictions:** This category enforces restrictions on more complex JavaScript to further enhance performance. This includes limiting long tasks running on the main thread as they block the event loop and degrade interactivity leading to slow response times, and capping high CPU usage tasks, particularly those involving workers that exceed certain execution times, to ensure they don’t monopolize system resources. These restrictions ensure that JavaScript execution remains lightweight and efficient, preventing detrimental performance impacts on the user experience.
 
-### What should be standardized?
-
-There are various layers of configuration that can happen and we need to ensure alignment on what should be a web standard vs. what is left to browsers to determine. Here is a discussion of what we propose:
-
-| **Layer of configuration** | **Standardize?** | **Notes** |
-| -------------------------- | ---------------- | --------- |
-| **Different categorizations of features:** Currently there are four and can expand in the future with new categories. | Yes | There needs to be alignment within the web community on what the key factors are that we want to allow restrictions for. This allows site developers to be on the same page and make tradeoffs accordingly. The definition for each category and number of categories need to be standardized. Standardizing this gives site developers an opportunity to optimize their performance regardless of the browser their end users are on. |
-| **Mechanism to set restrictions:** How site embedder set constraints. | Yes | Related to the different categories, the mechanism should be the same across browsers so that sites work agnostic of the browser. |
-| **Criteria for each category** | Yes | Currently, the criteria for each category is determined from observations and learnings from customer engagements. This may change or evolve with time. This should be standardized so that developers know what the expectations are across all browsers and the web platform. |
-| **Limits for each criteria** | Yes | Some of the limits have been determined based on observations, use cases, etc. This should also be browser agnostic so embedee developers know what the expectations are. |
-| **Reporting violations** | Yes | Similar to mechanism for setting restrictions, embedder developers should have the same expectations on getting violations across all browsers their site/app runs on. |
-| **How violations are handled** | No | Embedder developers should be able to opt into default behavior when restrictions are violated. There is a plethora of things that can happen when restrictions are violated. Different levels of standardization can happen here. The web platform can provide a default option for how violations are handled e.g. standard can be “some UI indicator is shown when violations are made” but it doesn’t have to be a standard what exactly is the UI. |
-
-## Proposed API Solution
+### Example
 
-Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the categories above:
-
-* A: `basic`
-* B: `early-script`
-* C: `globals`
-* D: `script`
-
-> **Note:** Names here are only monikers and expected to change.
-
-This enables each document to:
-* Self-impose performance constraints.
-* Negotiate constraints (see [discussion section](#opt-in-and-policy-negotiation)) for each subresource.
-
-**Example**
 A feeds app embeds content from different sources, through iframes. To cap the performance impact of the embedded content, the host application aligns with its producers on guidelines and best practices for the embeddees to be loaded into the experience, requiring the content to be served with an agreed upon subset of policies (categories above).
 
 The host app serves its main document with Document Policy directives to enforce on embedded content. In the most simple case, the app opts in to a single category:<br>
@@ -138,6 +125,20 @@ Document Policy proposes a mechanism for policy negotiation. An embeddee which d
 It is unclear from the Document Policy explainer whether a report-only header in an embedded document satisfies the requirements set by [`Sec-Required-Document-Policy` header](https://wicg.github.io/document-policy/#sec-required-document-policy-http-header).
 
 
+### What should be standardized?
+
+There are various layers of configuration that can happen and we need to ensure alignment on what should be a web standard vs. what is left to browsers to determine. Here is a discussion of what we propose:
+
+| **Layer of configuration** | **Standardize?** | **Notes** |
+| -------------------------- | ---------------- | --------- |
+| **Different categorizations of features:** Currently there are four and can expand in the future with new categories. | Yes | There needs to be alignment within the web community on what the key factors are that we want to allow restrictions for. This allows site developers to be on the same page and make tradeoffs accordingly. The definition for each category and number of categories need to be standardized. Standardizing this gives site developers an opportunity to optimize their performance regardless of the browser their end users are on. |
+| **Mechanism to set restrictions:** How site embedder set constraints. | Yes | Related to the different categories, the mechanism should be the same across browsers so that sites work agnostic of the browser. |
+| **Criteria for each category** | Yes | Currently, the criteria for each category is determined from observations and learnings from customer engagements. This may change or evolve with time. This should be standardized so that developers know what the expectations are across all browsers and the web platform. |
+| **Limits for each criteria** | Yes | Some of the limits have been determined based on observations, use cases, etc. This should also be browser agnostic so embedee developers know what the expectations are. |
+| **Reporting violations** | Yes | Similar to mechanism for setting restrictions, embedder developers should have the same expectations on getting violations across all browsers their site/app runs on. |
+| **How violations are handled** | No | Embedder developers should be able to opt into default behavior when restrictions are violated. There is a plethora of things that can happen when restrictions are violated. Different levels of standardization can happen here. The web platform can provide a default option for how violations are handled e.g. standard can be “some UI indicator is shown when violations are made” but it doesn’t have to be a standard what exactly is the UI. |
+
+
 ## Security and Privacy Considerations
 
 ### Global budgets and side-channel attacks

From 64c98ed4541527df4fbbc68819d55f33b5d01ec5 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 7 Jan 2025 11:24:56 -0800
Subject: [PATCH 35/39] Small edit in goals section

---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 0200dbce..84b6247d 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -24,7 +24,7 @@ When it comes to optimizing performance, websites and apps are limited by the pe
 
 This proposal has two primary goals:
 1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content, while removing the burden of determining individual constraints from web developers.
-2.	Provide information to help developers improve the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
+2.	Provide information to help developers understand the performance of web sites and apps through reporting when performance is negatively impacting end-users and/or applications hosting the site in a frame.
 
 ## Non-goals
 

From cb091df0784759fdf87c226a9e8d8e94e7e269fc Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 28 Jan 2025 14:50:49 -0800
Subject: [PATCH 36/39] Define categories and criteria early on

---
 Performance control of embedded content/explainer.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index b2e551d7..784b549e 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -10,7 +10,7 @@
 
 This document proposes platform functionality to give embedders (browsers, websites, hosting applications) the ability to put constraints on resources allocated to embedees (tabs, iframes, WebViews) to minimize the performance impact that embedded web content can have on an user’s device. Additionally, violations of the constraints will be reported to the embedder to inform and improve the ecosystem.
 
-Embedder developers can do this by enabling various categories of criteria that constrain performance impacting features on the embedee. If those constraints are violated, they are reported to the embedder and embedee to:
+Embedder developers can do this by setting policies that constrain the performance impacting features of the embedee. If those constraints are violated, they are reported to the embedder and embedee to:
 1.  Inform the embedder so it can make decisions accordingly, to make the right tradeoffs for their app and give their users an optimal experience.
 2.  Inform the embedee so they can be aware of issues and learn about improvement opportunities.
 
@@ -28,7 +28,7 @@ This proposal has two primary goals:
 
 ## Non-goals
 
-1. Granular control of limits or individual criteria within a category. **The developer will not have control over granular values of each limit or individual criteria within a category. This is determined by the platform.** The key factor of this solution is there are predefined categories of focused, perf impacting features that embedder developers can choose to enforce restrictions on the embedded content in their app/site. This is to simplify the process and remove the burden from the embedder developer to determine individual constraints.
+1. Granular control of limits for each policy. **The developer will not have control over granular values of limits or criteria for each policy. Policies and limits are determined by the platform.** The key factor of this solution is there are predefined policies constraining focused, perf impacting features that embedder developers can set to enforce restrictions on the embedded content in their app/site. This is to simplify the process and remove the burden from the embedder developer to determine individual constraints.
 
 ## Use cases and scenarios
 
@@ -43,7 +43,7 @@ Embedded content can unintentionally or deliberately consume disproportionate re
 
 ## Proposed Solution
 
-> **Note:** This proposal is grounded in experience working with embedded web content and evaluation of numerous websites. We've identified recurring issues that can lead well-intentioned web content to unintentionally deliver suboptimal user experiences. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. Additionally, the threshold/limits and specific criteria within a category may evolve over time and is determined by the platform.
+> **Note:** This proposal is grounded in experience working with embedded web content and evaluation of numerous websites. We've identified recurring issues that can lead well-intentioned web content to unintentionally deliver suboptimal user experiences. We have formalized patterns of recurring issues into **categories** (policies) comprised of various **criteria** items. The categories and criteria are open to modification and the limits will be determined based on data, from sources like the [Web Almanac](https://almanac.httparchive.org/en/2024/), and feedback from experts. Additionally, the threshold/limits and specific criteria within a category may evolve over time and is determined by the platform.
 
 Introduce [Document Policy](https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md) configuration points, one for each of the following performance-impacting categories:
 

From 166954221f10f1bab7ab082d960abdce3a162899 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Tue, 28 Jan 2025 15:05:06 -0800
Subject: [PATCH 37/39] Added more details to the problem we are trying to
 solve.

---
 Performance control of embedded content/explainer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Performance control of embedded content/explainer.md b/Performance control of embedded content/explainer.md
index 784b549e..9e0d4ec2 100644
--- a/Performance control of embedded content/explainer.md	
+++ b/Performance control of embedded content/explainer.md	
@@ -20,7 +20,7 @@ Additionally, embedders can opt into default behavior the platform makes to addr
 
 With global web usage continuing to rise and more companies relying on the web as a primary platform to deliver their applications, performance has become a critical factor for success. As more users access websites through mobile devices and lower-powered hardware, the need for fast responsive web experiences is non-negotiable[^1],[^2].
 
-When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed; these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
+When it comes to optimizing performance, websites and apps are limited by the performance of the external content they embed; these can be 3rd party sites, 3rd party apps, and even content from other organizations within a company. Additionally, in cases where heavyweight apps transition to embedded scenarios, they may be optimized for standalone use but cause issues in an embedded context, impacting the overall performance of the app. As a result, being able to control the performance of embedded content is crucial to improving the overall performance of a site or app.
 
 This proposal has two primary goals:
 1.	Improve users’ satisfaction with their OS, browser, and applications via formalizing methods of constraining the resources available to web content, while removing the burden of determining individual constraints from web developers.

From 55899d8a1c5bc6dd97e8299a3d66c0541da0afdd Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Thu, 30 Jan 2025 13:23:38 -0800
Subject: [PATCH 38/39] Update README

---
 .../explainer.md                                                | 0
 README.md                                                       | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename {Performance control of embedded content => PerformanceControlOfEmbeddedContent}/explainer.md (100%)

diff --git a/Performance control of embedded content/explainer.md b/PerformanceControlOfEmbeddedContent/explainer.md
similarity index 100%
rename from Performance control of embedded content/explainer.md
rename to PerformanceControlOfEmbeddedContent/explainer.md
diff --git a/README.md b/README.md
index 31a33c54..1144ef32 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ we move them into the [Alumni section](#alumni-) below.
 | [Handwriting attribute](Handwriting/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/Handwriting"> ![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/Handwriting?label=issues)</a> | [New issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=adettenb&labels=Handwriting&template=Handwriting.md&title=%5BHandwriting%5D+Issue) | HTML |
 | [AudioContext Interrupted State](https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/AudioContextInterruptedState/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/AudioContext%20Interrupted%20State">![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/AudioContext%20Interrupted%20State?label=issues)</a> | [New Issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=gabrielbrito&labels=AudioContext+Interrupted+State&title=%5BAudioContext+Interrupted+State%5D+%3CTITLE+HERE%3E) | WebAudio |
 | [IndexedDB getAllRecords()](https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/IndexedDbGetAllEntries/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/IndexedDB%20GetAllRecords">![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/IndexedDB%20GetAllRecords?label=issues)</a> | [New Issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=SteveBeckerMSFT&labels=IndexedDB%20GetAllRecords&title=%5BIndexedDB+getAllRecords()%5D+%3CTITLE+HERE%3E) | IndexedDB |
-
+| [Performance Control of Embedded Content](https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/PerformanceControlOfEmbeddedContent/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/PerformanceControlOfEmbeddedContent">![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/PerformanceControlOfEmbeddedContent?label=issues)</a> | [New Issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=nishitha-burman&labels=PerformanceControlOfEmbeddedContent&title=%5BPerformanceControlOfEmbeddedContent%5D+%3CTITLE+HERE%3E) | IndexedDB |
 
 # Alumni 🎓
 

From f50572b29283b3eebe53920c82730f1582c4baf2 Mon Sep 17 00:00:00 2001
From: nishitha-burman <nishithaburman@gmail.com>
Date: Thu, 30 Jan 2025 13:25:28 -0800
Subject: [PATCH 39/39] Add group in README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1144ef32..60671ac1 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ we move them into the [Alumni section](#alumni-) below.
 | [Handwriting attribute](Handwriting/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/Handwriting"> ![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/Handwriting?label=issues)</a> | [New issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=adettenb&labels=Handwriting&template=Handwriting.md&title=%5BHandwriting%5D+Issue) | HTML |
 | [AudioContext Interrupted State](https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/AudioContextInterruptedState/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/AudioContext%20Interrupted%20State">![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/AudioContext%20Interrupted%20State?label=issues)</a> | [New Issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=gabrielbrito&labels=AudioContext+Interrupted+State&title=%5BAudioContext+Interrupted+State%5D+%3CTITLE+HERE%3E) | WebAudio |
 | [IndexedDB getAllRecords()](https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/IndexedDbGetAllEntries/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/IndexedDB%20GetAllRecords">![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/IndexedDB%20GetAllRecords?label=issues)</a> | [New Issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=SteveBeckerMSFT&labels=IndexedDB%20GetAllRecords&title=%5BIndexedDB+getAllRecords()%5D+%3CTITLE+HERE%3E) | IndexedDB |
-| [Performance Control of Embedded Content](https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/PerformanceControlOfEmbeddedContent/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/PerformanceControlOfEmbeddedContent">![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/PerformanceControlOfEmbeddedContent?label=issues)</a> | [New Issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=nishitha-burman&labels=PerformanceControlOfEmbeddedContent&title=%5BPerformanceControlOfEmbeddedContent%5D+%3CTITLE+HERE%3E) | IndexedDB |
+| [Performance Control of Embedded Content](https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/PerformanceControlOfEmbeddedContent/explainer.md) | <a href="https://github.com/MicrosoftEdge/MSEdgeExplainers/labels/PerformanceControlOfEmbeddedContent">![GitHub issues by-label](https://img.shields.io/github/issues/MicrosoftEdge/MSEdgeExplainers/PerformanceControlOfEmbeddedContent?label=issues)</a> | [New Issue...](https://github.com/MicrosoftEdge/MSEdgeExplainers/issues/new?assignees=nishitha-burman&labels=PerformanceControlOfEmbeddedContent&title=%5BPerformanceControlOfEmbeddedContent%5D+%3CTITLE+HERE%3E) | Performance |
 
 # Alumni 🎓