tor-browser

additional-bids.https.window.js (28804B)

---

// META: script=/resources/testdriver.js
// META: script=/resources/testdriver-vendor.js
// META: script=/common/utils.js
// META: script=resources/fledge-util.sub.js
// META: script=/common/subset-tests.js
// META: timeout=long
// META: variant=?1-last

"use strict";

// This file contains tests for additional bids and negative targeting.
//
// TODO:
// - test that an additional bid with some correct signatures can be negative
//       targeted for those negative interest groups whose signatures match.
// - test that additional bids can be fetched using an iframe navigation.
// - test that additional bids are not fetched using an iframe navigation for
//      which the `adAuctionHeaders=true` attribute is not specified.
// - test that additional bids are not fetched using a Fetch request for which
//      `adAuctionHeaders: true` is not specified.
// - test that an additional bid with an incorrect seller and / or top-level
//       seller is not included in an auction.
// - lots of tests for different types of malformed additional bids, e.g.
//       missing fields, malformed signature, invalid currency code,
//       missing joining origin for multiple negative interest groups, etc.
// - test that correctly formatted additional bids are included in an auction
//       when fetched alongside malformed additional bid headers by a Fetch
//       request (both invalid headers and invalid additional bids)
// - test that an additional bid is rejected if its from a buyer who is not
//       allowed to participate in the auction.
// - test that an additional bid is rejected if its currency doesn't match the
//       buyer's associated per-buyer currency from the auction config.
// - test that correctly formatted additional bids are included in an auction
//       when fetched alongside malformed additional bid headers by an iframe
//       navigation (both invalid headers and invalid additional bids).
// - test that reportWin is not used for reporting an additional bid win.
// - test that additional bids can *not* be fetched from iframe subresource
//       requests.
// - test that an auction nonce can only be used once, and a second auction
//       trying to reuse an auction immediately fails.
// - test that an auction nonce must be created in the same window/tab as the
//       call to runAdAuction.
// - test reportAdditionalBidWin with each of no metadata, null metadata, and
//       an object metadata.
// - test that an auction running in one tab can't see an additional bid loaded
//       in a new tab.
// - test that two auctions running with different nonces only get the
//       additional bids fetched with their auction nonce.
// - test that two auctions running with different nonces only get the
//       additional bids fetched with their auction nonce, when both additional
//       bids are retrieved with one fetch.
// - test that a multiseller auction with two component auctions can direct
//       additional bids to the correct component auctions.
// - test that two auctions running with different nonces only get the
//       additional bids fetched with their auction nonce.
// - test that two auctions running with different nonces only get the
//       additional bids fetched with their auction nonce, when both additional
//       bids are retrieved with one fetch.
// - test that an additional bid can compete against an interest group bid and
//       lose.
// - test that an additional bid can compete against an interest group bid and
//       win.
// - test (in join-leave-ad-interest-group.https.window.js) that an IG that
//       provides `additionalBidKey` fails if the key fails to decode, or if
//       that IG also provides `ads`, or if it provides `updateURL`.
// - test that an IG update cannot cause a regular interest group (one that
//       does not provide `additionalBidKey`) to become a negative interest
//       group (one that does provide `additionalBidKey`).
// - test (in auction-config-passed-to-worklets.https.window.js) that a
//       multi-seller auction fails if the top-level auction provides
//       a value for `additionalBids`.
// - test (in auction-config-passed-to-worklets.https.window.js) that an auction
//       fails if it provides `additionalBids` but not `auctionNonce`, or if it
//       provides `additionalBids` but not `interestGroupBuyers`.

// The auction is run with the seller being the same as the document origin.
// The request to fetch additional bids must be issued to the seller's origin
// for ad auction headers interception to associate it with this auction.
const SINGLE_SELLER_AUCTION_SELLER = window.location.origin;

const ADDITIONAL_BID_SECRET_KEY = 'nWGxne/9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A=';
const ADDITIONAL_BID_PUBLIC_KEY = '11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo=';

// Single-seller auction with a single buyer who places a single additional
// bid. As the only bid, this wins.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 additionalBid.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);

 await runAdditionalBidTest(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]),
     /*highestScoringOtherBid=*/0,
     /*winningAdditionalBidId=*/'horses');
}, 'single valid additional bid');

// Single-seller auction with a two buyers competing with additional bids.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);

 await runAdditionalBidTest(
     test, uuid, [buyer1, buyer2], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(
         seller, [additionalBid1, additionalBid2]),
     /*highestScoringOtherBid=*/1.99,
     /*winningAdditionalBidId=*/'planes');
}, 'two valid additional bids');

// Same as the test above, except that this uses two Fetch requests instead of
// one to retrieve the additional bids.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);

 await runAdditionalBidTest(
   test, uuid, [buyer1, buyer2], auctionNonce,
   Promise.all([
       additionalBidHelper.fetchAdditionalBids(seller, [additionalBid1]),
       additionalBidHelper.fetchAdditionalBids(seller, [additionalBid2])
   ]),
   /*highestScoringOtherBid=*/1.99,
   /*winningAdditionalBidId=*/'planes');
}, 'two valid additional bids from two distinct Fetch requests');

// Single-seller auction with a single buyer who places a single additional
// bid with the wrong `auctionNonce` in the bid, causing the bid to fail.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonceInHeader = await navigator.createAuctionNonce();
 const auctionNonceInBid = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 additionalBid.additionalBid = auctionNonceInBid;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonceInHeader);

 await runAdditionalBidTestNoWinner(
     test, uuid, [buyer], auctionNonceInHeader,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]));
}, 'single valid additional bid with wrong auctionNonce in bid');

// Single-seller auction with a single buyer who places a single additional
// bid with no `auctionNonce` in the bid, causing the bid to fail.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 // Notably missing: `additionalBid.auctionNonce`
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);

 await runAdditionalBidTestNoWinner(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]));
}, 'single valid additional bid with no auctionNonce in bid');

// Single-seller auction with a single buyer who places a single additional
// bid that elides `auctionNonce` in favor of a `bidNonce`, which is correctly
// computed from the combination of `auctionNonce` and `sellerNonce`. However,
// this test fails to include the `sellerNonce` in the header,
// causing the bid to fail. `bidNonce` in an additional bid is only valid with
// a `sellerNonce` on the response header.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const sellerNonce = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 additionalBid.bidNonce =
     await additionalBidHelper.computeBidNonce(auctionNonce, sellerNonce);
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);
 // Notably missing: `additionalBidHelper.setSellerNonceInHeader`

 await runAdditionalBidTestNoWinner(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]));
}, 'single valid additional bid with bidNonce in bid but no sellerNonce in header');

// Single-seller auction with a single buyer who places a single additional
// bid that uses `sellerNonce` / `bidNonce`. As the only bid, this wins.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const sellerNonce = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 additionalBid.bidNonce =
     await additionalBidHelper.computeBidNonce(auctionNonce, sellerNonce);
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);
 additionalBidHelper.setSellerNonceInHeader(additionalBid, sellerNonce);

 await runAdditionalBidTest(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]),
     /*highestScoringOtherBid=*/0,
     /*winningAdditionalBidId=*/'horses');
}, 'single valid additional bid with bidNonce and sellerNonce');

// Single-seller auction with a single buyer who places a single additional bid
// that uses `sellerNonce`, but with an `auctionNonce` on the bid instead of a
// `bidNonce`. Since `sellerNonce` is only compatible with `bidNonce`, there is
// no winner.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const sellerNonce = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 additionalBid.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);
 additionalBidHelper.setSellerNonceInHeader(additionalBid, sellerNonce);

 await runAdditionalBidTestNoWinner(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]));
}, 'single additional bid with sellerNonce in the header but auctionNonce in the bid');

// Single-seller auction with a single buyer who places a single additional bid
// that uses `sellerNonce`, but no `bidNonce` or `auctionNonce`. Since the
// `bidNonce` is missing, there is no winner. Related to 'single valid
// additional bid with no auctionNonce in bid', except with `sellerNonce`.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const sellerNonce = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 // Notably missing: `additionalBid.bidNonce`.
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);
 additionalBidHelper.setSellerNonceInHeader(additionalBid, sellerNonce);

 await runAdditionalBidTestNoWinner(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]));
}, 'single additional bid with sellerNonce in the header but no bidNonce or ' +
  'auctionNonce in the bid');

// Single-seller auction with a single buyer who places a single additional
// bid that uses `sellerNonce` / `bidNonce`, but also `auctionNonce` in the bid.
// As exactly one of `bidNonce` / `auctionNonce` is allowed in the bid, this
// fails.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const sellerNonce = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 additionalBid.auctionNonce = auctionNonce;
 additionalBid.bidNonce =
     await additionalBidHelper.computeBidNonce(auctionNonce, sellerNonce);
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);
 additionalBidHelper.setSellerNonceInHeader(additionalBid, sellerNonce);

 await runAdditionalBidTestNoWinner(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]));
}, 'single additional bid with sellerNonce in the header but with both ' +
  ' bidNonce and auctionNonce in the bid');

// Single-seller auction with a single buyer who places a single additional
// bid that uses `sellerNonce` / `bidNonce`. Since the `bidNonce` is invalid
// there is no winner.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const sellerNonce = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 // Computes a `bidNonce` using a randomly generated `sellerNonce`, not the
 // one used in the header.
 additionalBid.bidNonce = await additionalBidHelper.computeBidNonce(
     auctionNonce, crypto.randomUUID());
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);
 additionalBidHelper.setSellerNonceInHeader(additionalBid, sellerNonce);

 await runAdditionalBidTestNoWinner(
     test, uuid, [buyer], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(seller, [additionalBid]));
}, 'single additional bid with invalid bidNonce');

// Single-seller auction with a two buyers competing with additional bids, each
// using a distinct `sellerNonce` / `bidNonce`.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const sellerNonce1 = crypto.randomUUID();
 const sellerNonce2 = crypto.randomUUID();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.bidNonce =
     await additionalBidHelper.computeBidNonce(auctionNonce, sellerNonce1);
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);
 additionalBidHelper.setSellerNonceInHeader(additionalBid1, sellerNonce1);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.bidNonce =
     await additionalBidHelper.computeBidNonce(auctionNonce, sellerNonce2);
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);
 additionalBidHelper.setSellerNonceInHeader(additionalBid2, sellerNonce2);

 await runAdditionalBidTest(
     test, uuid, [buyer1, buyer2], auctionNonce,
     additionalBidHelper.fetchAdditionalBids(
         seller, [additionalBid1, additionalBid2]),
     /*highestScoringOtherBid=*/1.99,
     /*winningAdditionalBidId=*/'planes');
}, 'two valid additional bids using distinct bidNonces and sellerNonces');

// Single-seller auction with a single additional bid. Because this additional
// bid is filtered by negative targeting, this auction has no winner.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const negativeInterestGroupName = 'already-owns-a-plane';

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'planes', 2.99);
 additionalBid.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);
 additionalBidHelper.addNegativeInterestGroup(
     additionalBid, negativeInterestGroupName);
 additionalBidHelper.signWithSecretKeys(
     additionalBid, [ADDITIONAL_BID_SECRET_KEY]);

 await joinNegativeInterestGroup(
     test, buyer, negativeInterestGroupName, ADDITIONAL_BID_PUBLIC_KEY);

 await runBasicFledgeTestExpectingNoWinner(
     test, uuid,
     { interestGroupBuyers: [buyer],
       auctionNonce: auctionNonce,
       additionalBids: additionalBidHelper.fetchAdditionalBids(
           seller, [additionalBid])});
}, 'one additional bid filtered by negative targeting, so auction has no ' +
  'winner');

// Single-seller auction with a two buyers competing with additional bids.
// The higher of these has a negative interest group specified, and that
// negative interest group has been joined, so the lower bid wins.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const negativeInterestGroupName = 'already-owns-a-plane';

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);
 additionalBidHelper.addNegativeInterestGroup(
     additionalBid2, negativeInterestGroupName);
 additionalBidHelper.signWithSecretKeys(
     additionalBid2, [ADDITIONAL_BID_SECRET_KEY]);

 await joinNegativeInterestGroup(
     test, buyer2, negativeInterestGroupName, ADDITIONAL_BID_PUBLIC_KEY);

 await runAdditionalBidTest(
   test, uuid, [buyer1, buyer2], auctionNonce,
   additionalBidHelper.fetchAdditionalBids(
       seller, [additionalBid1, additionalBid2]),
   /*highestScoringOtherBid=*/0,
   /*winningAdditionalBidId=*/'horses');
}, 'higher additional bid is filtered by negative targeting, so ' +
  'lower additional bid wins');

// Same as above, except that the bid is missing a signature, so that the
// negative targeting interest group is ignored, and the higher bid, which
// would have otherwise been filtered by negative targeting, wins.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const negativeInterestGroupName = 'already-owns-a-plane';

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);
 additionalBidHelper.addNegativeInterestGroup(
     additionalBid2, negativeInterestGroupName);

 await joinNegativeInterestGroup(
     test, buyer2, negativeInterestGroupName, ADDITIONAL_BID_PUBLIC_KEY);

 await runAdditionalBidTest(
   test, uuid, [buyer1, buyer2], auctionNonce,
   additionalBidHelper.fetchAdditionalBids(
       seller, [additionalBid1, additionalBid2]),
   /*highestScoringOtherBid=*/1.99,
   /*winningAdditionalBidId=*/'planes');
}, 'higher additional bid is filtered by negative targeting, but it is ' +
  'missing a signature, so it still wins');

// Same as above, except that the bid is signed incorrectly, so that the
// negative targeting interest group is ignored, and the higher bid, which
// would have otherwise been filtered by negative targeting, wins.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const negativeInterestGroupName = 'already-owns-a-plane';

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);
 additionalBidHelper.addNegativeInterestGroup(
     additionalBid2, negativeInterestGroupName);
 additionalBidHelper.incorrectlySignWithSecretKeys(
     additionalBid2, [ADDITIONAL_BID_SECRET_KEY]);

 await joinNegativeInterestGroup(
     test, buyer2, negativeInterestGroupName, ADDITIONAL_BID_PUBLIC_KEY);

 await runAdditionalBidTest(
   test, uuid, [buyer1, buyer2], auctionNonce,
   additionalBidHelper.fetchAdditionalBids(
       seller, [additionalBid1, additionalBid2]),
   /*highestScoringOtherBid=*/1.99,
   /*winningAdditionalBidId=*/'planes');
}, 'higher additional bid is filtered by negative targeting, but it has an ' +
  'invalid signature, so it still wins');

// A test of an additional bid with multiple negative interest groups.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const negativeInterestGroupName1 = 'already-owns-a-plane';
 const negativeInterestGroupName2 = 'another-negative-interest-group';

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);
 additionalBidHelper.addNegativeInterestGroups(
     additionalBid2, [negativeInterestGroupName1, negativeInterestGroupName2],
     /*joiningOrigin=*/window.location.origin);
 additionalBidHelper.signWithSecretKeys(
     additionalBid2, [ADDITIONAL_BID_SECRET_KEY]);

 await joinNegativeInterestGroup(
     test, buyer2, negativeInterestGroupName1, ADDITIONAL_BID_PUBLIC_KEY);

 await runAdditionalBidTest(
   test, uuid, [buyer1, buyer2], auctionNonce,
   additionalBidHelper.fetchAdditionalBids(
       seller, [additionalBid1, additionalBid2]),
   /*highestScoringOtherBid=*/0,
   /*winningAdditionalBidId=*/'horses');
}, 'higher additional bid is filtered by negative targeting by two negative ' +
  'interest groups, and since one is on the device, the lower bid wins');

// Same as above, but with a mismatched joining origin.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const negativeInterestGroupName1 = 'already-owns-a-plane';
 const negativeInterestGroupName2 = 'another-negative-interest-group';

 const buyer1 = OTHER_ORIGIN1;
 const additionalBid1 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer1, 'horses', 1.99);
 additionalBid1.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid1, auctionNonce);

 const buyer2 = OTHER_ORIGIN2;
 const additionalBid2 = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer2, 'planes', 2.99);
 additionalBid2.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid2, auctionNonce);
 additionalBidHelper.addNegativeInterestGroups(
     additionalBid2, [negativeInterestGroupName1, negativeInterestGroupName2],
     /*joiningOrigin=*/OTHER_ORIGIN1);
 additionalBidHelper.signWithSecretKeys(
     additionalBid2, [ADDITIONAL_BID_SECRET_KEY]);

 await joinNegativeInterestGroup(
     test, buyer2, negativeInterestGroupName1, ADDITIONAL_BID_PUBLIC_KEY);

 await runAdditionalBidTest(
   test, uuid, [buyer1, buyer2], auctionNonce,
   additionalBidHelper.fetchAdditionalBids(
       seller, [additionalBid1, additionalBid2]),
   /*highestScoringOtherBid=*/1.99,
   /*winningAdditionalBidId=*/'planes');
}, 'higher additional bid is filtered by negative targeting by two negative ' +
  'interest groups, but because of a joining origin mismatch, it still wins');

// Ensure that trusted seller signals are retrieved for additional bids.
subsetTest(promise_test, async test => {
 const uuid = generateUuid(test);
 const auctionNonce = await navigator.createAuctionNonce();
 const seller = SINGLE_SELLER_AUCTION_SELLER;

 const buyer = OTHER_ORIGIN1;
 const additionalBid = additionalBidHelper.createAdditionalBid(
     uuid, seller, buyer, 'horses', 1.99);
 additionalBid.auctionNonce = auctionNonce;
 additionalBidHelper.setAuctionNonceInHeader(additionalBid, auctionNonce);

 let renderURL = createRenderURL(uuid);
 await runBasicFledgeTestExpectingWinner(
     test, uuid,
     { interestGroupBuyers: [buyer],
       auctionNonce: auctionNonce,
       additionalBids: additionalBidHelper.fetchAdditionalBids(
           seller, [additionalBid]),
       decisionLogicURL: createDecisionScriptURL(
           uuid,
           { scoreAd:
               `if(!"${renderURL}" in trustedScoringSignals.renderURL) ` +
                 'throw "missing trusted signals";'}),
       trustedScoringSignalsURL: TRUSTED_SCORING_SIGNALS_URL});
}, 'trusted seller signals retrieved for additional bids');