Problem/Motivation

Google is introducing what it calls Federated Learning of Cohorts, which is a way to gather user data without cookies, regardless of whether a website is loading any Google-related trackers. This is enabled starting in Chrome 89, and only in select countries on a trial basis.

Although other major browser vendors are likely against this technology and will presumably not be implementing it, given Chrome’s market share this will become a concerning issue, because it largely removes users’ ability to easily opt out of being tracked—particularly true in the case of less-savvy users.

See a very informative post by Plausible.

Since no one can reasonably expect users to just stop using Chrome, it will be up to responsible developers to block FLoC at the source.

Steps to reproduce

Proposed resolution

Blocking FLoC is as easy as adding this header to the HTTP response:

Permissions-Policy: interest-cohort=()

Remaining tasks

User interface changes

None.

API changes

None.

Data model changes

None.

Release notes snippet

Introduce Permissions-Policy header to block Google’s Federated Learning of Cohorts.

Comments

DamienMcKenna created an issue. See original summary.

webchick’s picture

Status: Active » Postponed

Let's postpone this on the discussion at #3209628: Add Permissions-Policy header to block Google FLoC so we don't end up having it in two places.

chaseontheweb’s picture

Status: Postponed » Active

mcdruid’s picture

Status: Active » Needs review
Issue tags: +Needs tests
Attached file: status new, size 1.92 KB

Initial implementation very similar to the one committed to D9.

No tests yet.

mcdruid’s picture

Issue tags: -Needs tests
Attached files: status new, size 3.29 KB; status new, size 5.41 KB

Pretty much the same tests that were added to D9.

mcdruid’s picture

Issue tags: +Pending Drupal 7 commit

Don't want to RTBC my own patch :)

This should make it into the release next week, subject to Framework Manager review.

mcdruid’s picture

Issue tags: +Needs change record

This'd need a CR as we're adding a new HTTP response header by default.

fabianx’s picture

Status: Needs review » Reviewed & tested by the community

RTBC + 1, as long as it's committed in D9, this is good to go.

mcdruid credited Maeglin.

mcdruid credited gapple.

mcdruid credited larowlan.

mcdruid credited longwave.

mcdruid credited neclimdul.

mcdruid credited rootwork.

mcdruid’s picture

Adding credit from parent.

  • mcdruid committed eb66609 on 7.x
    Issue #3209976 by mcdruid, DamienMcKenna, Maeglin, antiorario,...

mcdruid’s picture

Status: Reviewed & tested by the community » Fixed
Issue tags: -Needs framework manager review, -Needs security review, -Pending Drupal 7 commit, -Needs change record

CR published.

Thanks everyone!

klonos’s picture

Status: Fixed » Needs work

Thanks for starting this @mcdruid 🙏...I'm cross-porting it for Backdrop, and thought I'd mention that you need to change this line: https://git.drupalcode.org/project/drupal/-/blob/7.x/includes/common.inc...

From this:

drupal_add_http_header('Permissions-Policy', ', interest-cohort=()', TRUE);

...to this instead (remove the ", " from the added string):

drupal_add_http_header('Permissions-Policy', 'interest-cohort=()', TRUE);

...otherwise you could end up with something like this in your headers (notice the double comma):

whatever-pre-existing-policy,, interest-cohort=()

You see, when using $append = TRUE in drupal_add_http_header(), it already adds the comma. See: https://git.drupalcode.org/project/drupal/-/blob/7.x/includes/bootstrap....
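
The double-comma problem reported in the comment above, as an added example that is not part of the original thread and is not Drupal's code: a Python check that splits a Permissions-Policy value into its members, flags empty members left by a stray comma, and confirms that interest-cohort=() is present. append_header is a hypothetical stand-in that models the append behaviour described above, and the pre-existing policy is constructed sample data.

```python
# Added example (not Drupal code): validate a Permissions-Policy header value.

def append_header(existing, value):
    """Hypothetical model of the append behaviour described in the thread:
    the framework inserts the comma itself when a value already exists."""
    return value if not existing else existing + "," + value


def split_members(header_value):
    """Split on top-level commas only, skipping commas inside quoted
    strings or parenthesised allowlists (simplified: no escape handling)."""
    members, buf, depth, quoted = [], [], 0, False
    for ch in header_value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0 and not quoted:
            members.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    members.append("".join(buf).strip())
    return members


def check_policy(header_value, feature="interest-cohort"):
    """Return (problems, blocked): the problems found in the value, and
    whether `feature` appears with an empty allowlist."""
    problems, blocked = [], False
    for i, member in enumerate(split_members(header_value)):
        if not member:
            problems.append(f"empty member at position {i} (stray comma)")
            continue
        name, _, allowlist = member.partition("=")
        if name.strip() == feature and allowlist.strip() == "()":
            blocked = True
    return problems, blocked


# Constructed sample: a policy another module set before the FLoC value is appended.
EXISTING = 'geolocation=(self "https://example.com"), camera=()'
BUGGY = append_header(EXISTING, ", interest-cohort=()")  # value before the hotfix
FIXED = append_header(EXISTING, "interest-cohort=()")    # value after the hotfix

if __name__ == "__main__":
    for label, value in (("before hotfix", BUGGY), ("after hotfix", FIXED)):
        print(label, "->", value, check_policy(value))
```
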

  • mcdruid committed e91c093 on 7.x
    Issue #3209976 by klonos: hotfix FLoC block
    
mcdruid’s picture

Status: Needs work » Fixed

@klonos++ nice catch, thank you!

I've tweaked the test so that it specifically looks for the two header values separated by the comma.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.