Problem/Motivation
Google is introducing what it calls Federated Learning of Cohorts, which is a way to gather user data without cookies, regardless of whether a website is loading any Google-related trackers. This is enabled starting in Chrome 89, and only in select countries on a trial basis.
Although other major browser vendors are likely against this technology and will presumably not be implementing it, given Chrome’s market share this will become a concerning issue, because it largely removes users’ ability to easily opt out of being tracked—particularly true in the case of less-savvy users.
See a very informative post by Plausible.
Steps to reproduce
Proposed resolution
Add this header to the HTTP response of all drupal.org sites:
Permissions-Policy: interest-cohort=()
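One way to check that a response actually carries the opt-out proposed above, as an added example that is not part of the original issue or of Drupal.org's configuration. The function names and sample responses are constructed for illustration, and the parser is a simplified reading of the header's dictionary syntax.

```python
def parse_permissions_policy(value):
    """Parse a Permissions-Policy value into {feature: [allowlist items]}.

    Simplified: members are split on top-level commas, a later duplicate
    feature replaces an earlier one, unreadable members are skipped.
    """
    members, depth, quoted, start = [], 0, False, 0
    for i, ch in enumerate(value):
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        elif not quoted and depth == 0 and ch == ",":
            members.append(value[start:i])
            start = i + 1
    members.append(value[start:])

    policy = {}
    for member in members:
        name, sep, allow = member.strip().partition("=")
        name, allow = name.strip().lower(), allow.strip()
        if not name or not sep:
            continue
        if allow.startswith("("):
            end = allow.find(")")
            if end == -1:
                continue  # unterminated list: treat as unreadable
            policy[name] = allow[1:end].split()
        else:
            policy[name] = [allow.split(";")[0]]  # e.g. "*"
    return policy


def floc_opted_out(headers):
    """True only if interest-cohort has an empty allowlist, i.e. '()'.

    headers is a list of (name, value) pairs from one HTTP response;
    repeated Permissions-Policy lines are combined with commas.
    """
    values = [v for n, v in headers if n.lower() == "permissions-policy"]
    if not values:
        return False
    return parse_permissions_policy(", ".join(values)).get("interest-cohort") == []


# Constructed sample responses, not captured from any real site.
SAMPLE_OK = [("Content-Type", "text/html"),
             ("permissions-policy", 'geolocation=(self "https://maps.example"), interest-cohort=()')]
SAMPLE_MISSING = [("Content-Type", "text/html")]
SAMPLE_WILDCARD = [("Permissions-Policy", "interest-cohort=*")]
```

A header that is present but lists `interest-cohort` with `*` or `(self)` does not count as an opt-out, so the check compares against the empty allowlist rather than testing for the feature name alone.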
Comments
Comment #2
rachel_norfolk
(speaking as a Drupal maintainer rather than a DA staff member in this case)
The Drupal Community has a very high number of members who place a great importance on privacy. If this is a simple change we can make that helps to ensure that privacy, at least until we have their explicit consent to do otherwise, we should implement a block on FLoC.
Comment #3
rootwork
I won't duplicate my or others' arguments in favor of this happening over on 3209628 (putting this into Drupal core) except to say I support this move.
Comment #4
alexpott
Symfony are also looking at this - https://github.com/symfony/symfony/issues/40835 - linking here to link things together.
Comment #5
rachel_norfolk
Now rolled out on php.net - see https://twitter.com/drubb/status/1384542081771786240
Comment #6
drumm
Yes, this looks like a good header to add.
Comment #7
drumm
This is now added to our CDN configuration.
Comment #8
xmacinfo
Will Dries or the association emit a tweet or write a blog post about this new header?
Comment #9
drumm
We could tweet from https://twitter.com/drupal_infra. We usually don’t mention header changes, although this is a bit less-routine than other changes. I’ll see if this should be in the next post on https://www.drupal.org/drupalorg/blog. Dries is of course welcome to mention this; he wasn't involved in this change.
What Drupal.org does is of course much lower-impact than Drupal core, #3209628: Add Permissions-Policy header to block Google FLoC
Comment #10
xmacinfo
Tweeting or mentioning this new header on Drupal.org would be in solidarity with all other organizations implementing the new header. 🙂