#12 Block Google FLoC/Topics on website
Closed: Fixed a year ago by thomzane. Opened 2 years ago by polcak.

See https://lwn.net/SubscriberLink/882607/05400c6c8702f2a1/

We should add Permissions-Policy: browsing-topics=() or interest-cohort=() header to our website.


Metadata Update from @polcak:
- Issue tagged with: website

2 years ago

I think this must be set at the server level, so I'll assign this to Michael

(Michael let me know if this is not right)

Metadata Update from @rlafuente:
- Assignee reset

2 years ago

Metadata Update from @rlafuente:
- Issue assigned to thomzane

2 years ago

I will look into adding a Permissions-policy and Content-security-policy.

I do not think this would affect Chromium users visiting our sites as we do not collect this data and we do not have any third-parties that could collect this data. Most of the practical examples seem to be about preventing third-party tracking domains from collecting data such as this. Conversely, it would show explicitly that we are not collecting this data which would be good if anyone checks these headers.

There are other Permissions-policy settings that we could implement in addition to this as well, but they might conflict with the test page (if/when we host it). There would not be a conflict at the moment since the test page is external.

Permissions-policy only affects Chromium-based browsers at this time according to https://caniuse.com/permissions-policy

Hello Michael,

"I do not think this would affect Chromium users visiting our sites as we do not collect this data and we do not have any third-parties that could collect this data."

Yes, we do not have trackers on our site. But see, for example, https://en.wikipedia.org/wiki/Federated_Learning_of_Cohorts#Rebranding_as_Topics_API. FLoC/Topics is not about trackers (in the traditional sense).

The browser itself analyses the visited pages. I am not sure how exactly the browser should derive the topics but suppose it has an internal database of keywords. Relevant keywords for JShelter would be privacy, web extension, fingerprinting, javascript, and the like. Hence the browser (without any consent of the JShelter project and without a valid consent in the GDPR standard of the user) could derive user interests in privacy, web technologies and the like. Other websites can later use this information to target ads and for other purposes.

So the browser is the tracker, and the header opts our website out of the tracking.

I understand Permissions-policy now. For us, it should simply be this:

Permissions-Policy: browsing-topics=(), interest-cohort=()

I will figure out how to configure that this morning.

There are other features we could opt out of, but they all need to be individually set according to the spec, so we should only set what we need to set in order to keep the load times low.

Additionally, we could add instructions on how Chromium-based users could opt out of this type of fingerprinting in our FAQ or doc.

Metadata Update from @thomzane:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago
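
An added example, not part of the original ticket or the project's code: a check that a response's Permissions-Policy value really disables both features named above, including the cases where one is missing, set to (self) or *, or split across two header lines. The function names and the sample header values are assumptions constructed for illustration.

```python
import re

# Features the issue asks the site to opt out of.
REQUIRED_OFF = ("browsing-topics", "interest-cohort")

# One dictionary member: runs of plain characters, quoted strings or (...) lists,
# so commas inside quotes or parentheses do not split a member.
_MEMBER = re.compile(r'(?:[^,"(]|"[^"]*"|\([^)]*\))+')

def parse_permissions_policy(*header_values):
    """Return {feature: allowlist} for one or more Permissions-Policy values.

    [] means disabled for every origin; ["*"] means allowed everywhere.
    Simplified: structured-field parameters are not handled.
    """
    policy = {}
    # Repeated header lines are combined into one comma-separated dictionary.
    for member in _MEMBER.findall(",".join(header_values)):
        name, sep, value = member.strip().partition("=")
        name, value = name.strip().lower(), value.strip()
        if not name or not sep:
            continue  # not a feature=allowlist member
        if value.startswith("(") and value.endswith(")"):
            policy[name] = re.findall(r'"[^"]*"|[^\s"]+', value[1:-1])
        else:
            policy[name] = [value]  # bare token such as *
    return policy

def missing_optouts(*header_values):
    """List the required features that the header does not disable."""
    policy = parse_permissions_policy(*header_values)
    return [f for f in REQUIRED_OFF if policy.get(f) != []]

if __name__ == "__main__":
    # Constructed sample responses, not captured from the project's server.
    samples = [
        ("browsing-topics=(), interest-cohort=()",),
        ("interest-cohort=()",),
        ("browsing-topics=(self), interest-cohort=()",),
        ("browsing-topics=()", "interest-cohort=()"),  # two header lines
    ]
    for values in samples:
        print(values, "->", missing_optouts(*values) or "OK")
```

An empty result from missing_optouts means both opt-outs are in effect; any feature it returns is either absent from the header or still allowed for some origin.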
