w3c · apasel422 · May 12, 2026 · martinthomson · May 29, 2026 · martinthomson
diff --git a/impl/e2e-tests/CONFIG.json b/impl/e2e-tests/CONFIG.json
@@ -3,6 +3,7 @@
     "Values here do not meet minimums in the spec.",
     "Values are kept small so tests for limits can be small."
   ],
+  "activationSeconds": 1000,
   "aggregationServices": {
     "https://agg-service.example": "dap-18-histogram"
   },

diff --git a/impl/e2e-tests/activation.json b/impl/e2e-tests/activation.json
@@ -0,0 +1,61 @@
+{
+  "events": [
+    {
+      "seconds": 1,
+      "event": "updateActivationTimestamp",
+      "topLevelTraversable": "a"
+    },
+    {
+      "seconds": 1002,
+      "site": "publisher.example",
+      "event": "saveImpression",
+      "topLevelTraversable": "a",
+      "options": { "histogramIndex": 1 },
+      "expectedError": {
+        "error": "DOMException",
+        "name": "NotAllowedError"
+      }
+    },
+    {
+      "seconds": 1003,
+      "site": "advertiser.example",
+      "event": "measureConversion",
+      "topLevelTraversable": "a",
+      "options": {
+        "aggregationService": "https://agg-service.example",
+        "histogramSize": 3,
+        "value": 5,
+        "maxValue": 10
+      },
+      "expected": {
+        "error": "DOMException",
+        "name": "NotAllowedError"
+      }
+    },
+    {
+      "seconds": 1004,
+      "event": "updateActivationTimestamp",
+      "topLevelTraversable": "b"
+    },
+    {
+      "seconds": 2004,
+      "site": "publisher.example",
+      "event": "saveImpression",
+      "topLevelTraversable": "b",
+      "options": { "histogramIndex": 1 }
+    },
+    {
+      "seconds": 2005,
+      "site": "advertiser.example",
+      "event": "measureConversion",
+      "topLevelTraversable": "b",
+      "options": {
+        "aggregationService": "https://agg-service.example",
+        "histogramSize": 3,
+        "value": 5,
+        "maxValue": 10
+      },
+      "expected": [0, 5, 0]
+    }
+  ]
+}
diff --git a/impl/e2e.schema.json b/impl/e2e.schema.json
@@ -8,6 +8,10 @@
         "$comment": {
           "$ref": "#/$defs/comment"
         },
+        "activationSeconds": {
+          "type": "number",
+          "minimum": 1
+        },
         "aggregationServices": {
           "type": "object",
           "additionalProperties": {
@@ -77,6 +81,7 @@
         }
       },
       "required": [
+        "activationSeconds",
         "aggregationServices",
         "globalPrivacyBudgetPerEpoch",
         "impressionSiteQuotaPerEpoch",
@@ -115,6 +120,9 @@
                   },
                   "options": {
                     "$ref": "#/$defs/AttributionImpressionOptions"
+                  },
+                  "topLevelTraversable": {
+                    "type": "string"
                   }
                 },
                 "required": ["options"],
@@ -144,6 +152,9 @@
                   },
                   "options": {
                     "$ref": "#/$defs/AttributionConversionOptions"
+                  },
+                  "topLevelTraversable": {
+                    "type": "string"
                   }
                 },
                 "required": ["expected", "options"],
@@ -191,6 +202,42 @@
                   }
                 },
                 "unevaluatedProperties": false
+              },
+              {
+                "$ref": "#/$defs/commonEvent",
+                "properties": {
+                  "event": {
+                    "const": "updateActivationTimestamp"
+                  },
+                  "topLevelTraversable": {
+                    "type": "string"
+                  }
+                },
+                "required": ["topLevelTraversable"],
+                "unevaluatedProperties": false
+              },
+              {
+                "$ref": "#/$defs/commonEvent",
+                "properties": {
+                  "event": {
+                    "const": "updateActivationOnNavigate"
+                  },
+                  "initiatorOrigin": {
+                    "type": "string"
+                  },
+                  "responseOrigin": {
+                    "type": "string"
+                  },
+                  "topLevelTraversable": {
+                    "type": "string"
+                  }
+                },
+                "required": [
+                  "initiatorOrigin",
+                  "responseOrigin",
+                  "topLevelTraversable"
+                ],
+                "unevaluatedProperties": false
               }
             ]
           }

diff --git a/impl/src/backend.ts b/impl/src/backend.ts
@@ -25,6 +25,15 @@ interface Impression {
   priority: number;
 }
 
+class TopLevelTraversable {
+  attributionEnabled: boolean = false;
+  attributionActivationTimestamp: Temporal.Instant;
+
+  constructor(now: Temporal.Instant) {
+    this.attributionActivationTimestamp = now;
+  }
+}
+
 interface PrivacyBudgetKey {
   epoch: number;
   site: string;
@@ -109,6 +118,7 @@ export interface Delegate {
   readonly privacyBudgetEpoch: Temporal.Duration;
   readonly impressionSiteQuotaPerEpoch: number;
   readonly globalPrivacyBudgetPerEpoch: number;
+  readonly activationDuration: Temporal.Duration;
 
   now(): Temporal.Instant;
   fairlyAllocateCreditFraction(): number;
@@ -168,6 +178,10 @@ export class Backend {
   #impressionSiteQuotaStore: PrivacyBudgetStoreEntry[] = [];
   #lastBrowsingHistoryClear: Temporal.Instant | null = null;
 
+  // Outside the simulator, this information is owned by the browser's actual
+  // top-level traversables, but is owned by the simulator here for simplicity.
+  readonly #topLevelTraversables = new Map<string, TopLevelTraversable>();
+
   constructor(delegate: Delegate) {
     this.#delegate = delegate;
   }
@@ -192,7 +206,66 @@ export class Backend {
     return this.#lastBrowsingHistoryClear;
   }
 
+  #getOrCreateTopLevelTraversable(topKey: string): TopLevelTraversable {
+    let top = this.#topLevelTraversables.get(topKey);
+    if (top === undefined) {
+      top = new TopLevelTraversable(this.#delegate.now());
+      this.#topLevelTraversables.set(topKey, top);
+    }
+    return top;
+  }
+
+  #checkAttributionAPIActivation(topKey: string | undefined): void {
+    // Since most logic doesn't care about activation, provide a simple way to
+    // opt out of it. (This doesn't exist in the actual specification.)
+    if (topKey === undefined) {
+      return;
+    }
+
+    const top = this.#getOrCreateTopLevelTraversable(topKey);
+    if (top.attributionEnabled) {
+      return;
+    }
+    if (
+      Temporal.Instant.compare(
+        top.attributionActivationTimestamp.add(
+          this.#delegate.activationDuration,
+        ),
+        this.#delegate.now(),
+      ) < 0
+    ) {
+      throw new DOMException("invalid last activation", "NotAllowedError");
+    }
+    top.attributionActivationTimestamp = UNIX_EPOCH;
+    top.attributionEnabled = true;
+  }
+
+  // Outside the simulator, this would be called when:
+  // 1. "a user interaction cuases firing of an activation trigger input event
+  // in a Document"
+  // 2. "navigation starts, and the user navigation involvement is browser UI"
+  updateActivationTimestamp(topKey: string): void {
+    this.#getOrCreateTopLevelTraversable(
+      topKey,
+    ).attributionActivationTimestamp = this.#delegate.now();
+  }
+
+  // Outside the simulator, this would be called "when a top-level traversable
+  // is navigated as part of the navigate algorithm, after the document state is
+  // finalized and the origin of the response is known."
+  updateActivationOnNavigate(
+    topKey: string,
+    initiatorOrigin: string,
+    responseOrigin: string,
+  ): void {
+    if (parseSite(initiatorOrigin) == parseSite(responseOrigin)) {
+      return;
+    }
+    this.#getOrCreateTopLevelTraversable(topKey).attributionEnabled = false;
+  }
+
   saveImpression(
+    topKey: string | undefined,
     impressionSite: string,
     intermediarySite: string | undefined,
     {
@@ -213,7 +286,7 @@ export class Backend {
     assert(isUnsignedLong(lifetimeDays));
     assert(isLong(priority));
 
-    const timestamp = this.#delegate.now();
+    this.#checkAttributionAPIActivation(topKey);
 
     const maxHistogramSize = this.#delegate.maxHistogramSize;
     if (histogramIndex >= maxHistogramSize) {
@@ -248,7 +321,7 @@ export class Backend {
       intermediarySite,
       conversionSites: parsedConversionSites,
       conversionCallers: parsedConversionCallers,
-      timestamp,
+      timestamp: this.#delegate.now(),
       lifetime: days(lifetimeDays),
       histogramIndex,
       priority,
@@ -353,22 +426,23 @@ export class Backend {
   }
 
   measureConversion(
+    topKey: string | undefined,
     topLevelSite: string,
     intermediarySite: string | undefined,
     options: AttributionConversionOptions,
   ): AttributionConversionResult {
     assert(isValidSite(topLevelSite));
     assert(intermediarySite === undefined || isValidSite(intermediarySite));
 
-    const now = this.#delegate.now();
+    this.#checkAttributionAPIActivation(topKey);
 
     const validatedOptions = this.#validateConversionOptions(options);
 
     const report = this.enabled
       ? this.#doAttributionAndFillHistogram(
           topLevelSite,
           intermediarySite,
-          now,
+          this.#delegate.now(),
           validatedOptions,
         )
       : allZeroHistogram(validatedOptions.histogramSize);

diff --git a/impl/src/clear.test.ts b/impl/src/clear.test.ts
@@ -29,7 +29,7 @@ const siteTable: readonly SiteTableEntry[] = [
 function setupImpressions(config?: TestConfig): Backend {
   const backend = makeBackend(config);
   for (const entry of siteTable) {
-    backend.saveImpression(entry.impression, undefined, {
+    backend.saveImpression(/*top=*/ undefined, entry.impression, undefined, {
       histogramIndex: 1,
       conversionSites: entry.conversion,
     });
@@ -45,11 +45,16 @@ void test("clear-site-state", () => {
   assert.throws(() => backend.clearState([], false));
 
   // Run one query with the affected site.
-  const before = backend.measureConversion("conv-one.example", undefined, {
-    aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
-    histogramSize: defaultConfig.maxHistogramSize,
-    epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
-  });
+  const before = backend.measureConversion(
+    /*top=*/ undefined,
+    "conv-one.example",
+    undefined,
+    {
+      aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
+      histogramSize: defaultConfig.maxHistogramSize,
+      epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
+    },
+  );
   assert.ok(before.unencryptedHistogram!.some((v) => v > 0));
 
   backend.clearState(["conv-one.example"], false);
@@ -66,11 +71,16 @@ void test("clear-site-state", () => {
   );
 
   // Re-run a query and it should return an all zero result.
-  const after = backend.measureConversion("conv-one.example", undefined, {
-    aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
-    histogramSize: defaultConfig.maxHistogramSize,
-    epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
-  });
+  const after = backend.measureConversion(
+    /*top=*/ undefined,
+    "conv-one.example",
+    undefined,
+    {
+      aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
+      histogramSize: defaultConfig.maxHistogramSize,
+      epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
+    },
+  );
   assert.ok(after.unencryptedHistogram!.every((v) => v === 0));
 
   // And all entries in the privacy budget table are for the cleared site.
@@ -111,11 +121,16 @@ void test("forget-one-site-conversions", () => {
   const now = Temporal.Instant.from("2025-01-01T00:00Z");
   const backend = setupImpressions({ now, ...defaultConfig });
 
-  const before = backend.measureConversion("conv-one.example", undefined, {
-    aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
-    histogramSize: defaultConfig.maxHistogramSize,
-    epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
-  });
+  const before = backend.measureConversion(
+    /*top=*/ undefined,
+    "conv-one.example",
+    undefined,
+    {
+      aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
+      histogramSize: defaultConfig.maxHistogramSize,
+      epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
+    },
+  );
   assert.ok(before.unencryptedHistogram!.some((v) => v > 0));
 
   assert.ok(backend.privacyBudgetEntries.length > 0);
@@ -128,11 +143,16 @@ void test("forget-one-site-conversions", () => {
   assert.deepEqual(backend.lastBrowsingHistoryClear, now);
 
   // Re-run a query and it should return an all zero result.
-  const after = backend.measureConversion("conv-one.example", undefined, {
-    aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
-    histogramSize: defaultConfig.maxHistogramSize,
-    epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
-  });
+  const after = backend.measureConversion(
+    /*top=*/ undefined,
+    "conv-one.example",
+    undefined,
+    {
+      aggregationService: Object.keys(defaultConfig.aggregationServices)[0]!,
+      histogramSize: defaultConfig.maxHistogramSize,
+      epsilon: defaultConfig.perSitePrivacyBudget / 1e6 / 10,
+    },
+  );
   assert.ok(after.unencryptedHistogram!.every((v) => v === 0));
 
   // Privacy budget entries aren't added; this epoch is off-limits.