WICG
diff --git a/‎AGGREGATE.md‎
Lines changed: 60 additions & 5 deletions b/‎AGGREGATE.md‎
Lines changed: 60 additions & 5 deletions
diff --git a/‎AGGREGATION_SERVICE_TEE.md‎
Lines changed: 9 additions & 8 deletions b/‎AGGREGATION_SERVICE_TEE.md‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎EVENT.md‎
Lines changed: 13 additions & 24 deletions b/‎EVENT.md‎
Lines changed: 13 additions & 24 deletions
diff --git a/‎aggregate_debug_reporting.md‎
Lines changed: 20 additions & 14 deletions b/‎aggregate_debug_reporting.md‎
Lines changed: 20 additions & 14 deletions
diff --git a/‎aggregate_key_discovery.md‎
Lines changed: 7 additions & 0 deletions b/‎aggregate_key_discovery.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎app_to_web.md‎
Lines changed: 5 additions & 4 deletions b/‎app_to_web.md‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎ara-tester-list.md‎
Lines changed: 5 additions & 0 deletions b/‎ara-tester-list.md‎
Lines changed: 5 additions & 0 deletions
@@ -20,6 +20,7 @@
   - [Hide the true number of attribution reports](#hide-the-true-number-of-attribution-reports)
   - [Optional: reduce report delay with trigger context ID](#optional-reduce-report-delay-with-trigger-context-id)
   - [Optional: flexible contribution filtering with filtering IDs](#optional-flexible-contribution-filtering-with-filtering-ids)
+  - [Optional: named budgets](#optional-named-budgets)
 - [Data processing through a Secure Aggregation Service](#data-processing-through-a-secure-aggregation-service)
 - [Privacy considerations](#privacy-considerations)
   - [Differential Privacy](#differential-privacy)
@@ -37,9 +38,10 @@
 
 ## Authors
 
-* csharrison@chromium.org
-* johnidel@chromium.org
-* marianar@google.com
+* Charlie Harrison (csharrison@chromium.org)
+* John Delaney (johnidel@chromium.org)
+* Mariana Raykova (marianar@google.com)
+* Nan Lin (linnan@chromium.org)
 
 ## Introduction
 
@@ -260,7 +262,7 @@ The report will be JSON encoded with the following scheme:
       "payload": "[base64-encoded HPKE encrypted data readable only by the aggregation service]",
       "key_id": "[string identifying public key used to encrypt payload]",
 
-      // Optional debugging information, if the cookie `ar_debug` is present.
+      // Optional debugging information, if cookie-based debugging is allowed.
       "debug_cleartext_payload": "[base64-encoded unencrypted payload]",
     },
   ],
@@ -269,7 +271,7 @@ The report will be JSON encoded with the following scheme:
   "aggregation_coordinator_origin": "https://publickeyservice.msmt.aws.privacysandboxservices.com",
 
   // Optional debugging information (also present in event-level reports),
-  // if the cookie `ar_debug` is present.
+  // if cookie-based debugging is allowed.
   "source_debug_key": "[64 bit unsigned integer]",
   "trigger_debug_key": "[64 bit unsigned integer]",
 
@@ -503,6 +505,9 @@ As the trigger context ID in the aggregatable report explicitly reveals the
 association between the report and the trigger, these reports can be sent
 immediately without delay.
 
+When a trigger context ID is provided, the aggregatable report will not count
+towards the limit of aggregatable reports per source, nor be limited by it.
+
 Note: This is an [alternative](https://github.com/WICG/attribution-reporting-api/blob/main/report_verification.md#could-we-just-tag-reports-with-a-trigger_id-instead-of-using-anonymous-tokens)
 considered for [report verification](https://github.com/WICG/attribution-reporting-api/blob/main/report_verification.md),
 and achieves all of the higher priority [security goals](https://github.com/WICG/attribution-reporting-api/blob/main/report_verification.md#security-goals).
@@ -551,6 +556,56 @@ as when a trigger context ID is set.
 
 See [flexible_filtering.md](https://github.com/patcg-individual-drafts/private-aggregation-api/blob/main/flexible_filtering.md) for more details.
 
+### Optional: named budgets
+
+Named budgets is an optional feature that gives API callers the ability 
+to manage `L1` contribution budget distribution across different types of
+attributions, addressing common challenges such as:
+
+- Allocating the privacy budget between different types of attributions
+  (e.g., biddable vs. non-biddable).
+- Distributing the budget across multiple product categories to prevent any
+  single product category from consuming all available privacy budget.
+
+[Source registrations](#attribution-source-registration) will accept an optional
+field `named_budgets`, which is a dictionary used to set the
+maximum contribution for each named budget for this source.
+
+```jsonc
+{
+  ..., // existing fields
+  "named_budgets": {
+    "budgetName1": 32768,  // Max contribution budget for budgetName1.
+    "budgetName2": 32768   // Max contribution budget for budgetName2.
+  }
+}
+```
+
+[Trigger registrations](#attribution-trigger-registration) will accept an
+optional field `named_budgets`, which will be used to select the
+named budget for the generated aggregatable report.
+
+```jsonc
+{
+  ..., // existing fields
+  "named_budgets": [
+    {
+      "name": "budgetName1",
+      "filters": {"source_type": ["navigation"]}
+    }
+  ]
+}
+```
+
+The first named budget from the trigger that matches the source's filter data
+will be selected. If there is no budget name specified or no matching filters, the
+`L1` contribution budget will still be applied.
+
+When generating an aggregatable report, in addition to performing the 
+current `L1` budget limit check, the contributions for the report will
+be checked against the available budget with the selected budget name, if applicable.
+If the budget is insufficient, the aggregatable report will not be generated.
+
 ## Data processing through a Secure Aggregation Service
 
 The exact design of the service is not specified here. We expect to have more
 
@@ -1,10 +1,10 @@
 # Aggregation Service for the Attribution Reporting API
 
-Authors:
-* Carlos Cela <cjcela@google.com>
-* Ruchi Lohani <rlohani@google.com>
-* Martin Pál <mpal@google.com>
-* Chanda Patel <chandapatel@google.com>
+## Authors
+* Carlos Cela (cjcela@google.com)
+* Ruchi Lohani (rlohani@google.com)
+* Martin Pál (mpal@google.com)
+* Chanda Patel (chandapatel@google.com)
 
 ## Introduction
 
@@ -96,6 +96,7 @@ throughout this proposal.
 * _Coordinator:_ an entity responsible for key management and aggregatable report
   accounting. The coordinator maintains a list of hashes of approved aggregation
   service configurations and configures access to decryption keys.
+* _Shared ID:_ A unique identifier assigned to a group of reports in combination with [filtering IDs](https://github.com/patcg-individual-drafts/private-aggregation-api/blob/main/flexible_filtering.md#proposal-filtering-id-in-the-encrypted-payload) to prevent overlap between batches of reports. This eliminates the need to track individual reports and allows for efficient privacy budget management at the group level. 
 
 ## Aggregation workflow
 
@@ -243,7 +244,7 @@ single aggregation batch (as duplicates) or in multiple batches. Because
 of this, the aggregation service enforces a "no duplicates" rule:
 
 * No aggregatable report can appear more than once within a batch. 
-* No aggregatable report can appear in more than one batch or contribute
+* No Shared ID can appear in more than one batch or contribute
   to more than one summary report. 
 
 The no-duplicates rule is enforced during aggregation. If duplicates are
@@ -254,8 +255,8 @@ found, these batches may be rejected or duplicates may be filtered out.
 It is not technically practical to keep track of every single aggregatable
 report submitted for aggregation to check for batch disjointness, that is,
 that batches are not overlapping. Instead, each aggregatable report will
-be assigned a shared ID. This ID is generated from the combined data points: API version, reporting origin, destination site, source registration time and scheduled report time. 
-These data points come from the report's [shared_info](https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATE.md#aggregatable-reports) field. 
+be assigned a shared ID. This ID is generated from the combined data points: API version, reporting origin, destination site, source registration time, scheduled report time, and filtering ID. 
+These data points come from the report's [shared_info](https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATE.md#aggregatable-reports) field and from the job parameter in the request. 
 
 The aggregation service will enforce that all aggregatable reports with
 the same ID must be included in the same batch. Conversely, if more than
 
@@ -149,15 +149,15 @@ window.open(
         attributionsrc="https://adtech.example/attribution_source?my_ad_id=123">
 ```
 
-The `attributionsrc` attribute on `<a>`, `<img>`, and `<script>` may be empty or
+The `attributionsrc` attribute on `<a>`, `<area>`, `<img>`, and `<script>` may be empty or
 non-empty. If it is non-empty, it contains a space-separated list of URLs
 to which the browser will initiate a separate `keepalive` fetch request in the
 background. If it is empty, no background requests will be made. In both
 cases, the request(s) (originating from `href`, `src`, or `attributionsrc`) will
 contain an `Attribution-Reporting-Eligible` header that indicates the types of
 registrations that are allowed in the response.
 
-For `<a>` and `window.open`, background requests, if any, are made when the user
+For `<a>`, `<area>`, and `window.open`, background requests, if any, are made when the user
 navigates. For `<img>` and `<script>`, background requests are made when the
 `attributionsrc` attribute is set on the DOM element.
 
@@ -318,7 +318,7 @@ The reporting origin may use the value of this header to determine which
 registrations, if any, to include in its response. The browser will likewise
 ignore invalid registrations:
 
-1. `<a>` and `window.open` will have `navigation-source`.
+1. `<a>`, `<area>`, and `window.open` will have `navigation-source`.
 2. Other APIs that automatically set `Attribution-Reporting-Eligible` (like
    `<img>`) will contain `event-source, trigger`.
 3. Requests from JavaScript, e.g. `window.fetch`, can set this header using an
@@ -725,28 +725,14 @@ fully understood during roll-out and help flush out any bugs (either in browser
 or caller code), and more easily compare the performance to cookie-based
 alternatives.
 
-To ensure that this data (which could enable cross-site tracking) is only
-available in a transitional phase while third-party cookies are available and
-are already capable of user tracking, the browser will check (at both source
-and trigger registration) for the presence of a special cookie
-set by the reporting origin:
-```http
-Set-Cookie: ar_debug=1; SameSite=None; Secure; HttpOnly
-```
-If a cookie of this form is not present, debugging information will be ignored. Additionally,
-browsers may choose to enable debugging for specific use-cases (for example, reporting origins
+Debugging will only be permitted if third-party cookies are
+available for the current site, and will be prohibited if
+third-party cookies are disabled generally or for a particular site.
+
+Additionally, browsers may choose to enable debugging for specific use-cases (for example, reporting origins
 can enable debugging without the cookie check for
 [Mode B groups during Chrome-facilitated testing](https://developers.google.com/privacy-sandbox/setup/web/chrome-facilitated-testing#mode-b)). 
 
-Note that in the context of proposals such as
-[CHIPS](https://github.com/privacycg/CHIPS), the cookie must be unpartitioned in
-order to allow debug keys to be registered.
-
-Responses that register sources/triggers can also set the `ar_debug` cookie to
-ensure that registration is eligible for debug reports. When using the `fetch`
-APIs to do this, it will require ensuring the request is allowed to include
-[`credentials`](https://developer.mozilla.org/en-US/docs/Web/API/fetch).
-
 #### Attribution-success debugging reports
 
 Source and trigger registrations will both accept a new field `debug_key`:
@@ -818,8 +804,11 @@ The debugging reports will be sent to a new endpoint:
 https://<reporting origin>/.well-known/attribution-reporting/debug/verbose
 ```
 
-In order to receive verbose debug reports on trigger registrations, the special
-`ar_debug` cookie needs to be present for both source and trigger registrations.
+In order to receive verbose debug reports on trigger registrations, the
+reporting origin needs to be able to access third-party cookies on the
+destination site. If the trigger is attributed to a source, the reporting
+origin also needed to be able to access third-party cookies on the source site
+at the time of source registration.
 
 TODO: Consider adding support for the top-level site to opt in to receiving
 debug reports without cross-site leak.
 
@@ -4,23 +4,29 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**
 
-- [Aggregate Debug Reporting](#aggregate-debug-reporting)
-  - [Introduction](#introduction)
-  - [API changes](#api-changes)
-    - [Opting-in aggregate debug reporting](#opting-in-aggregate-debug-reporting)
-    - [Aggregatable debug reports](#aggregatable-debug-reports)
-      - [Encrypted payload](#encrypted-payload)
-  - [Privacy and Security](#privacy-and-security)
-    - [Contribution bounding and budgeting](#contribution-bounding-and-budgeting)
-    - [Make count of reports deterministic with null reports](#make-count-of-reports-deterministic-with-null-reports)
-    - [Rate limits](#rate-limits)
-    - [No reporting delay](#no-reporting-delay)
-  - [Future considerations](#future-considerations)
-    - [Report verification with debug context ID](#report-verification-with-debug-context-id)
-    - [Application to aggregate error reporting for the Private Aggregation API](#application-to-aggregate-error-reporting-for-the-private-aggregation-api)
+- [Authors](#authors)
+- [Introduction](#introduction)
+- [API changes](#api-changes)
+  - [Opting-in aggregate debug reporting](#opting-in-aggregate-debug-reporting)
+  - [Aggregatable debug reports](#aggregatable-debug-reports)
+    - [Encrypted payload](#encrypted-payload)
+- [Privacy and Security](#privacy-and-security)
+  - [Contribution bounding and budgeting](#contribution-bounding-and-budgeting)
+  - [Make count of reports deterministic with null reports](#make-count-of-reports-deterministic-with-null-reports)
+  - [Rate limits](#rate-limits)
+  - [No reporting delay](#no-reporting-delay)
+- [Future considerations](#future-considerations)
+  - [Report verification with debug context ID](#report-verification-with-debug-context-id)
+  - [Application to aggregate error reporting for the Private Aggregation API](#application-to-aggregate-error-reporting-for-the-private-aggregation-api)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
+## Authors
+
+* John Delaney (johnidel@chromium.org)
+* Arpana Hosabettu (arpanah@chromium.org)
+* Nan Lin (linnan@chromium.org)
+
 ## Introduction
 
 The [transitional debugging reports](https://github.com/WICG/attribution-reporting-api/blob/main/EVENT.md#optional-transitional-debugging-reports),
 
@@ -1,5 +1,12 @@
 # Summary reports with key discovery
 
+## Authors
+
+* Charlie Harrison (csharrison@chromium.org)
+* Hidayet Aksu (aksu@google.com)
+  
+
+## Introduction
 This document describes possible new functionality in the server-side mechanisms for the aggregation service, which allows ad techs to query the Attribution Reporting API’s and Private Aggregation API’s summary reports without [pre-declaring every aggregation bucket](https://github.com/WICG/attribution-reporting-api/blob/main/AGGREGATION_SERVICE_TEE.md#pre-declaring-aggregation-buckets). 
 
 This proposal is backward compatible; ad techs can still work with pre-declared buckets.
 
@@ -1,9 +1,10 @@
 # Cross App and Web Attribution Measurement
 
-## Authors:
-*   Charlie Harrison
-*   Michael Thiessen
-*   John Delaney
+## Authors
+*   Arpana Hosabettu (arpanah@chromium.org)
+*   Charlie Harrison (csharrison@chromium.org)
+*   John Delaney (johnidel@chromium.org)
+*   Michael Thiessen (mthiesse@google.com)
 
 ## Participate
 See [Participate](https://github.com/WICG/conversion-measurement-api#participate).
 
@@ -57,6 +57,10 @@ The usefulness of this page depends on testers sharing information and updates;
 | KelkooGroup | Adtech services for affiliate marketing | From 01.12.2023 | | privacysandbox@kelkoogroup.com |
 | Quantcast | Demand-side platform (DSP) | Testing ongoing | | chrome-privacy-sandbox@quantcast.com |
 | Optable | Adtech services | Testing ongoing | | privacysandbox@optable.co | 
+| UOL | Adtech | | | privacysandbox@uolinc.com |
+| Taboola | Adtech | Testing ongoing | | privacy-sandbox@taboola.com |
+| Basis | DSP | 2024 | | |
+
 
 ## Table - Publishers and Advertisers Interested in Testing or Early Adoption
 Companies who may be interested in participating in tests and early adoption opportunities provided by ad tech companies.
@@ -69,3 +73,4 @@ Companies who may be interested in participating in tests and early adoption opp
 | Globo | Publisher  | | adtech-delivery@g.globo |
 | A Gazeta | Publisher | | cdutra@redegazeta.com.br |
 | Bullwhip Technologies | Analytics SaaS | | privacysandbox@bullwhip.io |
+| UOL | Publisher  | | privacysandbox@uolinc.com |