Not clear that this is OK, but the problems are likely inherent, rather than a result of this change.

Consider asking for privacy review to validate the claim that calling this API doesn't have a significant privacy cost.

Postponed to Breakout B.

Martin: the race on picking the 2 issuers gets worse with this change, so this would be a good time to insist on finding a better way for the top-level page to pick its issuers.

There is a set of entities that can run script. That set is probably smaller than the set of entities that might get framed in. Therefore, this change increases the by-default exposure of a page to entities that might "use up" its limit of 2 token-issuing origins.

Jeffrey: Last week we said we should ask them to get a privacy review.

satisfied with concerns:

We discussed this in a breakout and have a couple concerns:

• This change increases the by-default exposure of the page to entities that might "use up" its limit of 2 issuers. You've suggested that the top-level page should call the API to explicitly pick its issuers, before allowing 3p script to run. We're skeptical that that's a practical defense. You're right that it's a pre-existing issue with the API, but because this change makes the risk worse, it would be good to improve the defense before making this change.

• We're not the right body to judge whether the privacy implications are reasonable. Could you ask the Privacy WG to review this system?