
Cloudflare, Akamai, Fastly and other CDNs should disable FLoC by default for all customers, and provide a toggle to those customers who explicitly wish to enable it.

But until they do[1]:

Apache:

    Header always set Permissions-Policy "interest-cohort=()"
Caddy:

    header Permissions-Policy "interest-cohort=()"
Cloudflare Workers (not free as there are limits):

    // Proxy every request and add the header to the response on the way out
    addEventListener('fetch', event => {
        event.respondWith(handleRequest(event.request))
    })

    async function handleRequest(request) {
        let response = await fetch(request)
        // Headers on a fetched Response are immutable, so copy them before editing
        let newHeaders = new Headers(response.headers)
        newHeaders.set("Permissions-Policy", "interest-cohort=()")
        return new Response(response.body, {
            status: response.status,
            statusText: response.statusText,
            headers: newHeaders
        })
    }
Lighttpd:

    server.modules += ( "mod_setenv" )
    setenv.add-response-header = ( "Permissions-Policy" => "interest-cohort=()" )
Netlify:

    [[headers]]
      for = "/*"
      [headers.values]
        Permissions-Policy = "interest-cohort=()"
Nginx:

    add_header Permissions-Policy interest-cohort=();

[1] https://github.com/WICG/floc#opting-out-of-computation





This kind of post that provides no context will lead to cargo-culting, with people blindly copying and pasting these directives and believing they have increased the privacy of their site...

If your web site does not include ads, FLoC is already disabled. Here, "ads" mean ads that EasyList can detect. This HTTP header will just make your config more complex and your responses slightly bigger, with no change of behaviour.

If you include external ads on your pages, then I doubt disabling FLoC will increase your visitors' privacy, but at least this header will have a real effect.


> If your web site does not include ads, FLoC is already disabled

Citation? Here's what the FLoC explainer says:

> All sites with publicly routable IP addresses that the user visits when not in incognito mode will be included in the POC cohort calculation.

https://github.com/WICG/floc#sites-which-interest-cohorts-wi...

This sounds to me like all sites, whether they contain ads or not, are used to cluster users into cohorts.


From https://web.dev/floc/ in section "Do websites have to participate and share information?"

> For pages that haven't been excluded, a page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page.

> During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page loads ads or ads-related resources.


Be sure to add `always` to the nginx header:

    add_header Permissions-Policy interest-cohort=() always;

For those wondering: this causes the header to be set on all responses. By default it will not be set on some error responses.

Excluding some portion of sites from a user’s cohort calculation doesn’t necessarily make a user less unique if a nontrivial number of sites doesn’t opt out.

I wrote more about this on my site: https://seirdy.one/2021/04/16/permissions-policy-floc-misinf...


Thank you, this was informative.

Unclear to me are what these headers do to the browser.

I mean... the docs say that they are a "site" header that you should apply to a "page". Does that mean that you must apply it to all pages to exclude a site? Is absence on one page taken as opting back in to FLoC?

If the scope is site, then it would be better as a DNS entry. I've a feeling the scope is truly page though and I've also a feeling that most people who choose to add this header will add it on all assets now - which is a bit of a waste of bytes (even with header compression in place) but would be the only way to guarantee that all pages have it.


Thanks, just disabled this on my tiny near zero traffic sites.

Hopefully if enough people disable it, it will become useless.


Yes, it will become useless. The header, that is.

Google already has shown bad faith in opt-out headers like this when they immediately started ignoring Do-Not-Track as soon as non-Chrome browsers made it a default. The fact that the spec for this awful project uses an opt-out instead of an opt-in header seems a pretty clear signal to me that Google may not have any intention of following it in the long run.

> Cloudflare, Akamai, Fastly and other CDNs should disable FLoC by default for all customers

And this is when Google will release their own Cloudflare competitor product.

BTW, do they have something as popular as Cloudflare already? I'm very unfamiliar with Google's offerings.


GCP does have a CDN product: https://cloud.google.com/cdn/

But at this point in time I think it'd be unfair to call Cloudflare "just a CDN" so not really equivalent.

From what I've heard through the technical operations jungle, Google has been pushing their CDN product hard for a long time, which isn't a shock since they've been trying to push GCP hard for a long time. But it's a little like AWS's CloudFront CDN. It's very, very rare to see someone using AWS CloudFront or GCP CDN... that isn't on said cloud platform already.


NodeJS + express:

    app.use((req, res, next) => {
        res.setHeader("Permissions-Policy", "interest-cohort=()");
        return next();
    });

If you are using HAProxy you can use the following:

    http-response set-header Permissions-Policy interest-cohort=()

Cloudflare, etc. should do what their customers want and not make these types of decisions for them. They are CDNs and not the owners of their customers' websites.

Cloudflare's mission is to "help build a better internet", and to that end they have made a lot of opinionated decisions to increase security and performance. Where possible, options are given to customers, but the opinionated way wins by default.

Examples: Turned on HTTPS for all customers, gave image compression and optimisation to all customers, moved customers to the latest TLS as soon as possible (help drive adoption), provide tools to obscure email addresses on web pages to minimise harvesting, 1.1.1.1 privacy focused DNS, etc.

FLoC is something that an opinion can easily be formed on, and where Google have said to each site operator "you must opt-out", Cloudflare can hold an opinion that default opt-out is bad for the internet and that opt-in is better... and if they make an option that defaults to adding this header but granting customers a means to toggle it off... then all Cloudflare will have done is what Google should have done... made this opt-in by default.


GP is proposing that they give their customers the option — just that the default state should be "off".

Then their customers should have the option to opt in. Is that fine with you?

The opt-in is choosing CF, who's known to make many decisions for you. It's not a new pattern for CF clients.

Thanks for lighttpd.


