Block Federated Learning of Cohorts (FLoC) #27192
Conversation
A new technology is currently being rolled out to browsers to replace third party tracking cookies. This technology is named Federated Learning of Cohorts (FLoC) and you can read more about it here and here.
ChristophWurst
requested review from
skjnldsv,
julien-nc,
juliusknorr,
LukasReschke,
artonge and
ArtificialOwl
and removed request for
rullzer
|
If we merge this, we should maybe add some configuration for Nginx too. |
| @@ -35,6 +35,9 @@ | |||
| Header onsuccess unset X-XSS-Protection | |||
| Header always set X-XSS-Protection "1; mode=block" | |||
|
|
|||
| Header onsuccess unset Permissions-Policy | |||
| Header always set Permissions-Policy "interest-cohort=()" | |||
There was a problem hiding this comment.
Note that this header is set script-wise already. Currently the deprecated Feature-Policy but that is about to be changed: #23825
So this causes issues with doubled headers, or it is script-internally overridden. So this instead needs to be applied script-wise, similar to CSP. What instead would make sense, is to unset both, Permissions-Policy and CSP "onsuccess" and "always", so that it is assured that those are set only by Nextcloud (script-internally). The modHeadersAvailable variable only controls X-* headers and Referrer-Policy, so those can be set webserver-side.
There was a problem hiding this comment.
You're right, and there is an ongoing discussion about the interest of setting this up or not. Let's close the debate first before setting this up. #26539
A new technology is currently being rolled out to browsers to replace third party tracking cookies.
This technology is named Federated Learning of Cohorts (FLoC) and you can read more about it here and here.