by robin_reala 1833 days ago
We blocked FLoC at my company because we couldn’t see the benefit in allowing it. If, in the future, an obvious value shows itself, then we’ll re-evaluate. But at the moment there’s only a business and reputational cost to allowing Google to harvest our users’ data.
2 comments

We blocked it as well. Since we deal with health data, it seemed unethical to allow Google to add people to the "possibly sick" bucket and use that as part of their marketing.
That's an interesting one: in all GDPR countries, medical data has an even higher requirement, as it's a case of special personal information. So Google scooping that up without clear user opt-in could result in large penalties.
How do you block it?
Blocking FLoC is as easy as adding this header to the HTTP response:

Permissions-Policy: interest-cohort=()

Source: https://www.drupal.org/project/drupal/issues/3209628

> Blocking FLoC is as easy as adding this header to the HTTP response:

That's "easy"?! How does my mom do that for her WordPress site?

WordPress is doing it as a minor release, and backporting it. So it'll be opt-in to FLoC for all WordPress sites.
I hope they do decide to add the HTTP header to disable FLoC by default, unless site admins specifically opt in. From the discussion I've seen, it hasn't been decided for sure yet.

Proposal: Treat FLoC like a security concern - https://make.wordpress.org/core/2021/04/18/proposal-treat-fl...

Consider implications of FLoC and any actions to be taken on the provider (WordPress) front - https://core.trac.wordpress.org/ticket/53069

WordPress should do it directly.
I'm just curious -- are there any other commonly used HTTP headers that include the characters "()" at the end?
So, wait. We add this into the headers, and just expect Chrome to respect it?
The website is really a third party here: the browser is choosing to track users' browser history and report a summary statistic on it to anyone who asks, and there's nothing the website can do about that.

Chrome has promised to listen if websites say they don't want to be included in the browser history they calculate that statistic on, but it's all client side, there is nothing the website can actually do but request that they aren't included.

> the browser is choosing to track users' browser history and report a summary statistic on it to anyone who asks

It doesn't work that way at all.

Really? Because that is how Google's documentation says it works: https://web.dev/floc/#how-does-floc-work
That's my understanding of how it works too. Could you explain?
Reminds me of when people naively expected "Do Not Track" to be respected lol
We actually respected DNT at an ad tech company I worked at and people still gave us grief for "tracking" them. We literally just 200'd the request immediately for all DNT requests. No processing, no tracking, nothing.

Hilariously, I even opposed removing the code later because I wanted us to be a good citizen but it was practically dead code because people were still calling us evil. They could literally set their UA to play along (or use one that set it by default).

I think we always kept the code in but it only incurred cost and we got blamed anyway. I think, looking back, I should have just removed that piece of middleware since no user ever really cared. It wasn't worth it for the org to pay for code so I could have a clean conscience.

Isn't there a response code for no change?

Saying you did something doesn't help the user know that DNT was followed

I've seen people say DNT could be ignored because it's off by default in some configurations (Safari), and the user did not make a choice. Would be interesting to see what kind of mental gymnastics these people would apply here to ignore the user's opinion.
Yep. Microsoft enabling it by default in IE10 was the default excuse for most of the advertisement industry to never start respecting it.
Hey, it worked with robots.txt all this time :D
It's that or stop using Chrome
What else goes in this field? Can we all collude to flood Google's spybox with garbage data?
You might enjoy this project. It's a browser plug-in that submits random search queries over time to ruin the accuracy of companies' tracking: https://trackmenot.io/
It's specified here: https://www.w3.org/TR/permissions-policy-1/#policy-controlle...

There is a non-exhaustive list of features/APIs here: https://github.com/w3c/webappsec-feature-policy/blob/master/...

Each feature takes an allowlist, specifying which, if any, origins can use the feature.

There is apparently no way to define a default disable either, so to turn off all the random features, the header becomes huge.

https://github.com/w3c/webappsec-permissions-policy/issues/1...

What is happening in w3c?!

A cynical view would be that Google paid large sums to advertise Chrome on prime time TV while sideloading it with Flash and Java installs, which led to an outsize user base, which led to outsize influence at W3C on specifications.
I don't see any of the sites mentioned actually doing that in their head. Can someone point me to how they're actually blocked?

edit: ahhh, I see, it's in the HTTP headers, not the head of the HTML. nvm.

Curious as well. How to block FLoC?
Add this as an HTTP response header:

Permissions-Policy: interest-cohort=()

We should make a dark UI along the lines of prohibitive cookie policy modals that detect Chrome and force the FLoC in users' faces. It'll get ignored and be as useful as the cookie policy windows, but it'll be funny. Maybe add to the window "Don't like this message? Try Firefox instead!"
"Cookie policy modals" is bad naming: they're specifically there to get consent to track, regardless of the method you use to track in the first place.
What is the easy way to implement this? Just looking at user agent isn’t ideal. Does your server just look for floc data being sent to you?
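An added example (not code from this thread, nor from WordPress or Drupal) that ties together the three technical points above: the `Permissions-Policy: interest-cohort=()` opt-out header, the per-feature allowlist syntax of Permissions-Policy (an empty allowlist means nobody may use the feature, `*` means anyone, and every feature must be listed explicitly since there is no default-disable), and the question of how to implement the opt-out server-side. It does not inspect user agents or FLoC data sent to the server; the opt-out is a response header, so the example merges it into whatever policy the application already emits. The parser, the `floc_opt_out_middleware` WSGI wrapper, the demo app and its sample policy value are my own constructions.

```python
"""Parse, check and add the Permissions-Policy interest-cohort=() opt-out.

Added example, not from the thread or any project it mentions.  The parser
covers the subset of the Permissions-Policy grammar discussed above:
a comma-separated list of `feature=(allowlist)` entries, where the allowlist
is empty `()`, a space-separated list of quoted origins and/or the tokens
self / src, or the bare wildcard `*`.
"""
import re
from typing import Dict, Iterable, List, Tuple

HEADER = "Permissions-Policy"
FEATURE = "interest-cohort"

# One policy entry: a feature name, then either `=*` or `=( ... )`.
_ENTRY = re.compile(r"\s*([a-z][a-z0-9-]*)\s*=\s*(\*|\(([^)]*)\))\s*$")


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Map each feature to its allowlist.

    ["*"] means any origin, [] means nobody (feature disabled), otherwise a
    list of origins and/or the tokens "self" / "src".  Entries that do not
    match the grammar are skipped, as a browser would skip them.
    """
    policy: Dict[str, List[str]] = {}
    for raw in value.split(","):
        if not raw.strip():
            continue
        m = _ENTRY.match(raw)
        if not m:
            continue
        feature, whole, inner = m.group(1), m.group(2), m.group(3)
        policy[feature] = ["*"] if whole == "*" else [tok.strip('"') for tok in inner.split()]
    return policy


def serialize_permissions_policy(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_permissions_policy: every feature needs its own entry."""
    parts = []
    for feature, allow in policy.items():
        if allow == ["*"]:
            parts.append(f"{feature}=*")
        else:
            inner = " ".join(t if t in ("self", "src") else f'"{t}"' for t in allow)
            parts.append(f"{feature}=({inner})")
    return ", ".join(parts)


def floc_opted_out(headers: Iterable[Tuple[str, str]]) -> bool:
    """True iff some Permissions-Policy header disables interest-cohort (empty allowlist)."""
    return any(
        name.lower() == HEADER.lower() and parse_permissions_policy(value).get(FEATURE) == []
        for name, value in headers
    )


def add_floc_opt_out(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the headers with interest-cohort=() merged into one Permissions-Policy.

    Existing Permissions-Policy headers are folded into a single dictionary
    (later entries win) and any existing interest-cohort entry is overridden,
    so other features the app already restricts are preserved.
    """
    policy: Dict[str, List[str]] = {}
    out: List[Tuple[str, str]] = []
    for name, value in headers:
        if name.lower() == HEADER.lower():
            policy.update(parse_permissions_policy(value))
        else:
            out.append((name, value))
    policy[FEATURE] = []
    out.append((HEADER, serialize_permissions_policy(policy)))
    return out


def floc_opt_out_middleware(app):
    """WSGI middleware (hypothetical name) that adds the opt-out to every response."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, add_floc_opt_out(list(headers)), exc_info)
        return app(environ, patched_start_response)
    return wrapped


def _demo_app(environ, start_response):
    # Constructed sample: an app that already ships a Permissions-Policy header.
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Permissions-Policy", 'geolocation=(self "https://maps.example"), camera=()'),
    ])
    return [b"hello\n"]


def run_demo() -> Tuple[List[Tuple[str, str]], bytes]:
    """Call the wrapped demo app with a fake WSGI environ; return (headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(floc_opt_out_middleware(_demo_app)({"REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"], body


if __name__ == "__main__":
    hdrs, _ = run_demo()
    for name, value in hdrs:
        print(f"{name}: {value}")
    print("FLoC opted out:", floc_opted_out(hdrs))
```

The merge step matters in practice: if an application already sends `Permissions-Policy` for other features, appending a second header or overwriting the first can silently drop those restrictions, and `floc_opted_out` is the check to run against the final response headers (for example from a reverse proxy, a CDN rule, or an auditing script) to confirm the opt-out actually reached the client.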
The right answer, for now, is don't use Chrome.