h5bp / server-configs-nginx

Nginx HTTP server boilerplate configs
MIT License
11.2k stars, 1.53k forks

Add `browsing-topics` to `Permissions-Policy` header #323

Closed dmarti closed 1 year ago

dmarti commented 1 year ago

Google is currently testing "Topics API," a new proposal for transferring user interests among sites, currently up to about 5% of Google Chrome users (https://groups.google.com/a/chromium.org/g/blink-dev/c/Vi-Rj37aZLs/m/wzeBWfxxEgAJ).

This may be appropriate for some ad-supported sites, or sites that run landing pages for ads, but can present risks to users in other contexts. Probably safest to set this header to opt out and then let the site administrator change it if they want to use "Topics API" and understand the compliance and security consequences.

There is an existing opt-out for WordPress that does both this and the earlier FLoC system: https://roytanck.com/2021/04/15/opt-out-of-floc-on-your-wordpress-website/

LeoColomb commented 1 year ago

Thanks for opening this PR @dmarti. That being said, Topics API is still an experiment and might not come to production (and might follow the FLoC lifecycle). The proper documentation and a complete stabilization of its usage are still to be done.

For these reasons, I believe your proposal is too early, thus I'm closing. As it definitely brings value, we might reopen this PR later on, when it becomes more relevant for production systems.

dmarti commented 1 year ago

@LeoColomb Thank you, just wanted to share a quick update: "Topics API" is now scheduled to be pushed out to all Google Chrome users in mid-2023. See https://github.com/h5bp/server-configs-apache/issues/340

quantumpacket commented 1 year ago

I believe it would be more beneficial to keep this pull request and future ones open rather than closing them. While it may be considered premature to merge an experimental feature, keeping a PR open and visible to the community allows for more input and contributions from those who may not be aware of a new feature. Additionally, closed PRs may not receive as much attention from potential contributors or those interested in providing input.

dmarti commented 1 year ago

@LeoColomb Another update on the status of "Topics API".

As a growing percentage of Google Chrome installs are supporting this, third-party scripts are starting to call this API -- including new versions of existing scripts. So it is possible that a site maintainer with no knowledge of this API is already having their users' data collected by a script they installed in order to do something else.

Unfortunately, this header will be needed to protect a site's Google Chrome users from having their info collected -- if the site uses any third-party scripts or iframes. (It's not necessary for a site with only first-party content, or with audited third-party content and SRI.)

Info on rollout of Topics API: https://developer.chrome.com/docs/privacy-sandbox/topics/latest/
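As an added illustration of the opt-out the thread is asking for (this is example configuration written for this page, not the snippet from the h5bp/server-configs-nginx project or the PR itself), the following nginx fragment denies the Topics API for the whole site. The `Permissions-Policy` directive name `browsing-topics` and the empty allowlist `()` are the documented Chrome syntax; the `server` and `location` names around it are assumptions for the example.

```nginx
# Added example, not the h5bp project's own config.
# Deny the Topics API for every document served by this site. The empty
# allowlist "()" means no origin, first- or third-party, may call it, and
# embedded iframes cannot be delegated the permission either.
# "always" makes nginx attach the header to error responses (4xx/5xx) too,
# not only to 2xx/3xx, so an error page is covered as well.
server {
    listen 443 ssl;
    server_name example.com;   # assumed hostname

    add_header Permissions-Policy "browsing-topics=()" always;

    # Caveat: nginx does not merge add_header across levels. A location that
    # sets any add_header of its own drops every header inherited from the
    # server block, so the opt-out must be repeated there.
    location /static/ {
        add_header Cache-Control "public, max-age=31536000";
        add_header Permissions-Policy "browsing-topics=()" always;
    }

    # Opt-in variant for an ad landing page, per the first comment in the
    # thread: "(self)" lets only this site's own origin use the API, while
    # third-party scripts and iframes are still blocked.
    location /landing/ {
        add_header Permissions-Policy "browsing-topics=(self)" always;
    }
}
```

To confirm the header is actually reaching clients, check a response for each location (`curl -sI https://example.com/` and `curl -sI https://example.com/static/app.js`) and look for the `Permissions-Policy` line; a location that sets other headers but lacks it is the inheritance caveat above. Note that the header only prevents the API from being callable in pages this server serves; it does not stop a third-party script from running, so it is a complement to, not a substitute for, auditing and SRI-pinning the scripts a site includes.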

LeoColomb commented 1 year ago

Looks good @dmarti. Is the content still up-to-date?

dmarti commented 1 year ago

@LeoColomb Yes, the content is up to date, thank you.

dmarti commented 1 year ago

@LeoColomb thank you, and thank you for handling https://github.com/h5bp/server-configs-apache/issues/340 as well