by whoopdedo 1833 days ago
Does that really do anything? The entire Permissions-Policy header confuses me. Isn't that telling the browser to lock the FLoC API for that domain? So no resources loaded from github.com will be able to call the interest_cohort() function. But GitHub doesn't serve ads, so why would their scripts be using the function? And what's the point of declaring that scripts from your domain are not allowed to use the FLoC API (or geolocation, which is the only other policy I'm aware of) versus just not putting the code in your scripts in the first place?
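
The header value itself is the thing the thread keeps circling around, so here is an added example (not code from the thread or from GitHub) of how a `Permissions-Policy` value is read: each comma-separated member is `feature=(allowlist)`, and an empty allowlist `()` disables the feature for every document, including the page's own. The allowlist entries name document origins (the page and any frames it embeds), not script origins; a third-party `<script>` included in the page runs inside the page's document and gets whatever the page gets, which is why a site-wide `interest-cohort=()` also covers scripts the site owner did not write. The sample header, the origins and the `defaultAllowlist` parameter below are constructed for illustration; the per-feature browser defaults are not encoded here.

```javascript
// Parse a Permissions-Policy header value into { feature: allowlist }.
// allowlist is an array of "*", "self" or origin strings; [] means the
// feature is disabled everywhere, including for the page's own scripts.
// A member with no "=" is kept as null so it is visible rather than guessed at.
function parsePermissionsPolicy(headerValue) {
  const policy = {};
  for (const rawMember of headerValue.split(",")) {
    const member = rawMember.trim();
    if (member === "") continue;
    const eq = member.indexOf("=");
    if (eq === -1) {
      policy[member] = null;
      continue;
    }
    const feature = member.slice(0, eq).trim();
    let rhs = member.slice(eq + 1).trim();
    if (rhs.startsWith("(") && rhs.endsWith(")")) {
      rhs = rhs.slice(1, -1).trim(); // inner list; "()" becomes ""
    }
    policy[feature] = rhs === ""
      ? []
      : rhs.split(/\s+/).map((t) => t.replace(/^"(.*)"$/, "$1"));
  }
  return policy;
}

// True when the header explicitly disables the feature for every origin.
function featureDisabled(policy, feature) {
  return Array.isArray(policy[feature]) && policy[feature].length === 0;
}

// Would a document at docOrigin (the page itself, or a frame it embeds) get
// the feature on a page served from pageOrigin? Features absent from the
// header keep their browser default allowlist, which the caller supplies
// (assumed here; the real per-feature defaults are not encoded).
function featureAllowedIn(policy, feature, docOrigin, pageOrigin, defaultAllowlist = ["self"]) {
  const allowlist = policy[feature] === undefined ? defaultAllowlist : policy[feature];
  if (allowlist === null) return false; // unparseable member: treat conservatively
  return allowlist.some((entry) => {
    if (entry === "*") return true;
    if (entry === "self") return docOrigin === pageOrigin;
    return entry === docOrigin;
  });
}

// Constructed sample header, not taken from any real site.
const SAMPLE_HEADER =
  'interest-cohort=(), geolocation=(self "https://maps.example"), camera=*, microphone=self';

const samplePolicy = parsePermissionsPolicy(SAMPLE_HEADER);
console.log(samplePolicy);
console.log("interest-cohort disabled:", featureDisabled(samplePolicy, "interest-cohort"));
console.log(
  "geolocation for https://maps.example frame:",
  featureAllowedIn(samplePolicy, "geolocation", "https://maps.example", "https://example.com"),
);
```

Run it with `node`; the parser is deliberately strict about the `feature=(...)` shape so a typo such as a missing `=` shows up as a `null` entry instead of silently becoming an allow-everything default.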

The EFF summarizes it this way:

"If you are a website owner, your site will automatically be included in FLoC calculations if it accesses the FLoC API or if Chrome detects that it serves ads."

Personally, I don't trust Google that much. Chrome knows which websites I've been to, so it could easily (accidentally, or on purpose) just include any site. Google also has a history of starting conservatively, then rolling out stuff a little at a time. "Boiling Frogs".

Rolling out the header everywhere seems like a good way to keep Google honest about it. Chrome can obviously still do whatever it wants, but it would be harder to explain for them if they shared info on an explicitly opted-out site visit.

It's also just a sort of ceremonial way of expressing dissent with the idea in general. In a way that people could collect statistics on and track.

> Does that really do anything?

It does very little; effort is better spent getting people off FLoCed browsers like Chrome.

More info: https://seirdy.one/2021/04/16/permissions-policy-floc-misinf...

This is what's really bad about FLoC; it's so hard to fight back on behalf of oblivious Chrome users who didn't opt out. For the uninformed, there's no winning move.

That post is helpful, but adding a global header across a site is typically very little effort. And there's nothing in there that says it's harmful.

And I'm unconvinced on this part:

"If your website does not include JS that calls document.interestCohort(), it will not leverage Google’s FLoC. Explicitly opting out will not change this."

I try to know everything running on my site. But especially with things like a deep npm dependency chain, I know not everyone knows everything that's running on their site. Or maybe Chrome will interpret an image that happens to be an IAB size as an ad. I recall a certain storage-related company recently running Google Analytics on an admin page, something the tech team didn't intend to happen. But shit happens.

I think it's worth putting up, both for whatever limited help it provides, as well as a visible vote against FLoC.
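
The worry above is that a deep dependency chain might call `document.interestCohort()` without the site owner knowing. One check a practitioner can run before deciding whether the header is doing any real work is to scan the shipped bundle and `node_modules` for that call. The scanner below is an added example, not code from the thread or from the linked article; the file contents it scans are constructed inline to stand in for a real build output. It separates likely calls (member access or bracket access followed by a call) from bare mentions such as comments, and it cannot see calls made through a computed property name, which is the caveat to keep in mind when reading its output.

```javascript
// Regexes for the ways a script can call interestCohort() directly:
//   document.interestCohort(   document.interestCohort?.(
//   document["interestCohort"](  document['interestCohort']?.(
const CALL_PATTERNS = [
  /\.\s*interestCohort\s*(?:\?\.)?\s*\(/,
  /\[\s*(['"])interestCohort\1\s*\]\s*(?:\?\.)?\s*\(/,
];
// Anything else that names the API (comments, strings, feature checks)
// is reported at lower confidence so a reviewer can look at it.
const MENTION_PATTERN = /interestCohort/;

// sources: { "path/to/file.js": "file contents" }
// Returns [{ file, line, kind: "call" | "mention", text }].
function scanForInterestCohort(sources) {
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split("\n").forEach((lineText, index) => {
      const line = index + 1;
      if (CALL_PATTERNS.some((re) => re.test(lineText))) {
        findings.push({ file, line, kind: "call", text: lineText.trim() });
      } else if (MENTION_PATTERN.test(lineText)) {
        findings.push({ file, line, kind: "mention", text: lineText.trim() });
      }
    });
  }
  return findings;
}

// Constructed sample of a small build output plus two dependencies.
// None of these files or packages are real; they exist only to exercise the scan.
const SAMPLE_SOURCES = {
  "dist/app.js":
    "console.log('hello');\nfetch('/api').then((r) => r.json());\n",
  "node_modules/ad-helper/index.js":
    "import { send } from './send';\n\nexport async function cohort() {\n" +
    "  const c = await document.interestCohort();\n  return c.id;\n}\n",
  "node_modules/weird/min.js":
    'var d=document;d["interestCohort"]().then(function(c){send(c)});\n',
  "node_modules/comment-only/index.js":
    "// interestCohort is not called here; the name appears in prose only\n",
};

function summarize(findings) {
  const calls = findings.filter((f) => f.kind === "call").length;
  const mentions = findings.length - calls;
  return { calls, mentions };
}

for (const f of scanForInterestCohort(SAMPLE_SOURCES)) {
  console.log(`${f.kind.padEnd(7)} ${f.file}:${f.line}  ${f.text}`);
}
console.log(summarize(scanForInterestCohort(SAMPLE_SOURCES)));
```

On a real project, replace `SAMPLE_SOURCES` with the result of reading the build output directory; a non-zero `calls` count means the site would use the API whether or not the header is set, while a clean run only says no direct call was found, not that nothing can reach it through a computed property or a script loaded at runtime.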

If your stack is so deep that you're worried about serving malware to users for them to execute, you might want to put a warning on your site so users understand the risk before executing scripts.

The fact that the above sentence sounds unrealistic nowadays is extremely depressing. If malware distribution through web browsers wasn't already the norm, it'd look like common sense.

Aside from the stack, I also mentioned a marketing department doing something the tech department wasn't aware of. It happens.
If the tech department needs to protect users from the marketing department and can't approve or advise changes the marketing department does, then this is a good short-term solution. Fixing the organizational issues would be a good long-term solution.

I do admit that "a visible vote against FLoC" is a good reason to put this header; I've updated the article.

Diff: https://git.sr.ht/~seirdy/seirdy.one/commit/155d4f7b915f9f04...

I don't think these votes will sway Google but I do think they'll spread awareness. I still think that a better use of our time is getting users off Chrome.