Opt out of Federated Learning of Cohorts (FLoC) #426

Closed
opened 2 months ago by meisam · 4 comments
meisam commented 2 months ago

As Google has [started testing FLoC](https://www.eff.org/deeplinks/2021/03/google-testing-its-controversial-new-ad-targeting-tech-millions-browsers-heres), we can preemptively set the “[Permissions-Policy](https://github.com/WICG/floc/blob/dcd4c042fa6a81b048e04a78b184ea4203a75219/README.md#opting-out-of-computation)” HTTP response header on the codeberg.org website to disable being included in the user's list of sites for cohort calculation.

`Permissions-Policy: interest-cohort=()`

An alternative to this approach would be using the Content Security Policy (CSP) to block all the third-party content which can activate the cohort calculation from being loaded. But this method may introduce breaking changes to the user content.
fnetX added the infrastructure label 2 months ago
Collaborator

From the EFF article:

> FLoC calculates a label based on your browsing history. For the trial, Google will default to using every website that serves ads—which is the majority of sites on the web.

I understand that this header is not necessary for Codeberg and other ad-free websites? But I don't find any clarification on how websites are identified as using ads so it's probably better to send the header?

Poster
Here's some links for discussions of this issue on other projects:

* [How to fight back against Google FLoC (Plausible)](https://plausible.io/blog/google-floc)
* [Add Permissions-Policy header to block Google FLoC (Drupal)](https://www.drupal.org/project/drupal/issues/3209628)
* [Proposal: Treat FLoC like a security concern (WordPress)](https://make.wordpress.org/core/2021/04/18/proposal-treat-floc-as-a-security-concern/)
n commented 2 months ago
Collaborator
GitHub also added a header to block FLoC for GitHub Pages. https://github.blog/changelog/2021-04-27-github-pages-permissions-policy-interest-cohort-header-added-to-all-pages-sites/
hw commented 2 months ago
Owner

Fwiw this is not blocking anything, just "asking nicely" not to get tracked...

We are setting the header globally now.

hw closed this issue 2 months ago
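
One way to verify that a response carries the opt-out discussed in this thread, as an added example that is not part of the original issue or Codeberg's code. It uses a simplified parser for the `Permissions-Policy` value; the function names and the sample headers are constructed for illustration.

```python
def parse_permissions_policy(value):
    """Parse a Permissions-Policy value into {feature: [allowlist items]}.

    Simplified: handles `feature=(a b)` and `feature=token` members, drops
    parameters, and does not support quoted strings containing ')'.
    """
    members, buf, depth, in_quote = [], [], 0, False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
        # Only a top-level comma separates two features.
        if ch == "," and depth == 0 and not in_quote:
            members.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    members.append("".join(buf))

    policy = {}
    for member in members:
        name, sep, rest = member.strip().partition("=")
        rest = rest.strip()
        if not name or not sep:
            continue
        if rest.startswith("("):
            end = rest.find(")")
            if end == -1:
                continue  # malformed allowlist, ignore this member
            policy[name] = rest[1:end].split()
        else:
            policy[name] = [rest.split(";")[0].strip()]
    return policy  # a repeated feature keeps its last value


def opts_out_of_floc(headers):
    """True only if interest-cohort is present with an empty allowlist."""
    values = [v for k, v in headers if k.lower() == "permissions-policy"]
    # Several header lines are equivalent to one comma-joined value.
    policy = parse_permissions_policy(", ".join(values))
    return policy.get("interest-cohort") == []


# Constructed sample response headers (name, value pairs).
SAMPLE_OK = [("permissions-policy", 'geolocation=(self "https://example.org"), interest-cohort=()')]
SAMPLE_WEAK = [("Permissions-Policy", "interest-cohort=(self)")]
```
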