Description
Setting the Permission-Policy will require some sites to make an administrative change, with impact on either:
-
If the default was off: Small publishers and retailers that want attribution tracking but do not have a lot of development skills would have to do some work in order to change the policy.
-
If the default was on: Non-commercial sensitive or high-risk sites, that do not run ads or commerce, but have previously included a general-purpose third-party script that is later modified to call the API, would need to do some work to prevent the script from using the API.
The maintainers of sensitive non-commercial sites have limited options in the event a third-party script on such a site begins sending events from a high-risk context. If they even notice it they would have to remove the whole script (possibly breaking site functionality) switch hosting, or take the site down.
Sites that intend to participate in attribution tracking have more options. Because these sites are commercial, they have access to development skills and hosting support. Web hosts providing services to these commercial sites could turn the Permissions-Policy on for "business plan" customers, and leave it off for "basic" or "non-commercial" plans -- which would give both groups of site maintainers the right thing. Web CMSs and retail software could also in many cases set the header appropriately for contexts where the site maintainer chooses to do attribution tracking.
A site maintainer who is expecting attribution tracking and sees it not happening is more likely to figure out what's going on and fix it than a site maintainer who has not heard of this proposal.
(edited to make it clear that the second category of sites includes non-commercial)