The Unclear Impact

@aral Looks like this would be

add_header Permissions-Policy "interest-cohort=()"

for Nginx, or to possibly override any Permissions-Policy already present with the headers-more module

more_set_headers "Permissions-Policy: interest-cohort=()"

the latter of which I added to my own Nginx config.


@aral Having to opt out this way feels a bit insidious: Permissions-Policy used to be named Feature-Policy and had a different syntax. So maybe also adding

Feature-Policy: interest-cohort 'none'

would be a good idea (although hopefully no browser that supports Feature-Policy but not Permissions-Policy does any FLoC). Also, Permissions-Policy is used to opt out of a lot of other browser features, such as geolocation and payments. Opting out of these if you aren’t using them is probably a good idea, at the very least to limit the impact of any potential XSS vulnerability. So an application that opts out of, say, camera access on every page except a videochat feature now must remember to opt out of FLoC everywhere, even on pages with a lenient Permissions-Policy.

This is a (cynically, I’d say deliberate) mixing of responsibilities: while other permissions are about what code from the website can do, interest-cohort is about what advertisers can do.
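An added example (not from anyone in this thread) of how an operator could check response headers for the opt-out in both syntaxes discussed above; the header sets are constructed for the demo, and the last one shows the pitfall of a page-specific Permissions-Policy that forgot interest-cohort:

```python
import re
from typing import Dict, Mapping

# Constructed sample header sets for this demo; not captured from any real site.
OPTED_OUT = {"Permissions-Policy": "geolocation=(), camera=(self), interest-cohort=()"}
LEGACY_OPTED_OUT = {"Feature-Policy": "geolocation 'none'; interest-cohort 'none'"}
GRANTED = {"Permissions-Policy": "interest-cohort=(self)"}
PAGE_OVERRIDE = {"Permissions-Policy": "camera=(self)"}  # page policy that forgot FLoC


def parse_permissions_policy(value: str) -> Dict[str, str]:
    """Map each feature in a Permissions-Policy value to its allowlist text.

    'interest-cohort=()' -> {'interest-cohort': ''}, 'camera=(self)' -> {'camera': 'self'},
    'fullscreen=*' -> {'fullscreen': '*'}. Directives are comma-separated.
    """
    policy: Dict[str, str] = {}
    for directive in value.split(","):
        m = re.fullmatch(r"\s*([A-Za-z0-9-]+)=(?:\((.*?)\)|(\S+))\s*", directive)
        if m:
            allowlist = m.group(2) if m.group(2) is not None else m.group(3)
            policy[m.group(1).lower()] = allowlist.strip()
    return policy


def parse_feature_policy(value: str) -> Dict[str, str]:
    """Map each feature in a legacy Feature-Policy value to its allowlist text.

    Directives are ';'-separated: "interest-cohort 'none'" -> {'interest-cohort': "'none'"}.
    """
    policy: Dict[str, str] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = " ".join(parts[1:])
    return policy


def floc_opted_out(headers: Mapping[str, str]) -> bool:
    """True if the response disables interest-cohort via either header syntax."""
    lowered = {k.lower(): v for k, v in headers.items()}
    new_style = parse_permissions_policy(lowered.get("permissions-policy", ""))
    if new_style.get("interest-cohort") == "":  # empty allowlist: nobody may use it
        return True
    old_style = parse_feature_policy(lowered.get("feature-policy", ""))
    return old_style.get("interest-cohort", "").lower() == "'none'"
```

Run the check against every distinct page template, not just the front page, since a location-specific policy can silently drop the global opt-out.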

@hankg @aral Afaik add_header takes two arguments, the name of the header and its value. I wasn’t sure how Nginx parses interest-cohort=(), so I put the second argument into quotes, but apparently they aren’t needed then.

@aral Very good and informative Blog! I wasn't aware of it and maybe that's the biggest issue.

@aral Noob question: Isn't adding this just sort of a request to google not to do shady stuff? Aren't they free to ignore such requests?