@aral Having to opt out this way feels a bit insidious:
Permissions-Policy used to be named Feature-Policy and had a different syntax. So maybe also adding Feature-Policy: interest-cohort 'none' would also be a good idea (although hopefully no browser that supports Feature-Policy but not Permissions-Policy does any FLoC). Also, Permissions-Policy is used to opt out of a lot of other browser features, such as geolocation and payments. Opting out of these if you aren’t using them is probably a good idea, at the very least, to limit the impact of any potential XSS vulnerability. So an application that opts out of, say, camera access on every page except a videochat feature now must remember to opt out of FLoC everywhere, even on pages with a lenient
This is a (cynically, I’d say deliberate) mixing of responsibilities: while other permissions are about what code from the website can do, interest-cohort is about what advertisers can do.
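
An added example, not part of the original post: one way to keep the FLoC opt-out from being forgotten when individual pages relax other permissions, plus a check that flags responses missing it. The route names, feature baseline and sample responses are constructed assumptions.

```python
# Added example: route names and the feature baseline are constructed.
BASELINE = {"camera": "()", "microphone": "()", "geolocation": "()", "payment": "()"}
FLOC_OPT_OUT = ("interest-cohort", "()")

# Constructed per-route overrides: only the videochat page may use the camera.
ROUTE_OVERRIDES = {"/videochat": {"camera": "(self)", "microphone": "(self)"}}


def permissions_policy(route):
    """Build the header value for a route; the FLoC opt-out is applied last
    so no route override can drop it."""
    policy = dict(BASELINE)
    policy.update(ROUTE_OVERRIDES.get(route, {}))
    policy[FLOC_OPT_OUT[0]] = FLOC_OPT_OUT[1]
    return ", ".join(f"{name}={allow}" for name, allow in policy.items())


def parse_policy(value):
    """Parse 'feature=(allowlist), ...' into a dict. A plain comma split is
    enough for the allowlist forms used here (no commas inside origins)."""
    parsed = {}
    for item in value.split(","):
        if "=" in item:
            name, allow = item.split("=", 1)
            parsed[name.strip()] = allow.strip()
    return parsed


def routes_missing_floc_opt_out(observed):
    """Given {route: Permissions-Policy value or None}, return the routes
    whose response does not carry interest-cohort=()."""
    return sorted(
        route for route, value in observed.items()
        if parse_policy(value or "").get("interest-cohort") != "()"
    )


# Constructed sample of observed responses, including a hand-written
# lenient policy that forgot the opt-out and a page with no header at all.
OBSERVED = {
    "/": permissions_policy("/"),
    "/videochat": "camera=(self), microphone=(self)",
    "/about": None,
}

if __name__ == "__main__":
    print(permissions_policy("/videochat"))
    print(routes_missing_floc_opt_out(OBSERVED))
```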