Problem/Motivation

Google is introducing what it calls Federated Learning of Cohorts, which is a way to gather user data without cookies, regardless of whether a website is loading any Google-related trackers. This is enabled starting in Chrome 89, and only in select countries on a trial basis.

Although other major browser vendors are likely against this technology and will presumably not be implementing it, given Chrome’s market share this will become a concerning issue, because it largely remove users’ ability to easily opt out of being tracked—particularly true in the case of less-savvy users.

See a very informative post by Plausible.

Steps to reproduce

Proposed resolution

Add this header to the HTTP response of all drupal.org sites:

Permissions-Policy: interest-cohort=()

Remaining tasks

User interface changes

API changes

Data model changes

Comments

longwave created an issue. See original summary.

rachel_norfolk’s picture

rachel_norfolk
Primary language English
Location UK
CreditAttribution: rachel_norfolk commented

(speaking as a Drupal maintainer rather than a DA staff member in this case)
The Drupal Community has a very high number of members who place a great importance on privacy. If this is a simple change we can make that helps to ensure that privacy, at least until we have their explicit consent to do otherwise, we should implement a block on FLoC.

rootwork’s picture

rootwork
he/him
Primary language English
Location 🇺🇸 US-Pacific 🌎 Chinook (Multnomah, Clackamas) & Cowlitz lands 🌹 Portland, OR
CreditAttribution: rootwork commented

I won't duplicate my or others' arguments in favor of this happening over on 3209628 (putting this in to Drupal core) except to say I support this move.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Acro Commerce, Thunder commented

Symfony are also looking at this - https://github.com/symfony/symfony/issues/40835 - linking here to link things together.

rachel_norfolk’s picture

rachel_norfolk
Primary language English
Location UK
CreditAttribution: rachel_norfolk commented

Now rolled out on php.net - see https://twitter.com/drubb/status/1384542081771786240

drumm’s picture

drumm
he/him
Location NY, US
CreditAttribution: drumm at Drupal Association commented
Assigned: Unassigned » drumm

Yes, this looks like a good header to add.

drumm’s picture

drumm
he/him
Location NY, US
CreditAttribution: drumm at Drupal Association commented
Status: Active » Fixed

This is now added to our CDN configuration.

xmacinfo’s picture

xmacinfo
he/him
Primary language French
Location Canada
CreditAttribution: xmacinfo at xMac info commented

Will Dries or the association emit a tweet or write a blog post about this new header?

drumm’s picture

drumm
he/him
Location NY, US
CreditAttribution: drumm at Drupal Association commented

We could tweet from https://twitter.com/drupal_infra. We usually don’t mention header changes, although this is a bit less-routine than other changes. I’ll see if this should be in the next post on https://www.drupal.org/drupalorg/blog. Dries is of course welcome to mention this, he wasn't involved in this change.

What Drupal.org does is of course much lower-impact than Drupal core, #3209628: Add Permissions-Policy header to block Google FLoC

xmacinfo’s picture

xmacinfo
he/him
Primary language French
Location Canada
CreditAttribution: xmacinfo at xMac info commented

Tweeting or mentioning this new header on Drupal.org would be in solidarity with all other organizations implementing the new header. 🙂

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.