User's browsing history is leaked in the Sec-CH-PIGIN header

[ehsan]

I may be misunderstanding something here, but doesn't Sec-CH-PIGIN leak the user's browsing history in the form of the hostname of the caller of joinPrivateInterestGroup()?

[michaelkleber]

It reveals one site that the user has probably visited or somehow interacted with recently. (See the "could be a cross-domain iframe" use case.)

The built-in mitigations are that it's only the "most valuable" site and it's only possible if a lot of people have visited it.