Recently, people have been telling webmasters to add a Permissions-Policy header to their sites to opt out of FLoC; these people don't seem to understand how the Permissions-Policy header works.

Lots of people have been spreading the often-unnecessary advice to add a Permissions-Policy response header to their sites to opt-out of Google’s FLoC, and some have been going so far as to ask FLOSS maintainers to patch their software to make this the default. When discussions got heated to the point of accusing webmasters who don’t implement these headers of being “complicit” in Google’s surveillance, I felt I had to write this.

Everybody: please calm down, take a deep breath, and read the spec before you make such prescriptive advice about it.

FLoC is terrible, but telling everyone to add a magic “opt-out header” in every situation conveys a misunderstanding of everything you need to know about the opt-in/out process.

  • @ufrafecy
    13 years ago

    deleted by creator

    • SeirdyOP
      13 years ago

      I updated the article to explicitly address this; check the “What explicitly opting out actually entails” section.

      • @ufrafecy
        23 years ago

        deleted by creator

        • SeirdyOP
          23 years ago

          Server side categorization for sites with ads is where this Permissions action is aimed at. What this is saying is that if an ad tries to get a cohort id from an opted-out site, it will receive a meaningless default value. This knowledge is for the benefit of advertisers, not webmasters.

          The solution is not to include trackers on your page in the first place, such as third-party ads. Permissions-Policy applies to the page requested and its contents.

          As for cohort calculation, things are messy. If one site is opted out and another consequently has a greater weight, the implications wrt. fingerprinting are vague. Opting out doesn’t necessarily reduce a user’s fingerprint. FLOSS is one aspect of a user’s interests, but there are countless others. There is/was no legal or technical obligation to obey either the DNT header or this permissions-policy header (strictly for the purposes of cohort calculation), since the latter isn’t standard usage of the permissions-policy header and the former isn’t even a standard header in the first place.

          A coordinated effort is better spent getting users off Chrome than getting upstream software and webmasters to add this band-aid to their sites.

          • @ufrafecy
            13 years ago

            deleted by creator

      • @ufrafecy
        13 years ago

        deleted by creator

  • @j0ta
    03 years ago

    Devs should use it period