opensafely-core / job-server

A server for mediating jobs that can be run in an OpenSAFELY secure environment. q.v. job-runner
https://jobs.opensafely.org

Update the Permissions-Policy header to disable Topics #4390

Open iaindillingham opened 6 days ago

iaindillingham commented 6 days ago

495 added django-permissions-policy to disable Google's Federated Learning of Cohorts (FLoC). FLoC was replaced by Topics in May 2023, so we should update the Permissions-Policy header to disable Topics. To do so, we should add the browsing-topics permissions policy to settings.py:

PERMISSIONS_POLICY = {
    "interest-cohort": [],
    "browsing-topics": [],
}

Whilst agreeing and documenting a Permissions-Policy for our sites is out of scope, using django-permissions-policy consistently across our Django apps isn't. Consequently, we should:


If you've followed the link to MDN, then you'll see:

Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

However, I think that's fine: not working for every user is an advantage when not working for any user is our goal.

Chrome users can disable Topics with Settings > Privacy and security > Ads privacy. "How To Turn Off Google’s "Privacy Sandbox" Ad Tracking—and Why You Should" from the EFF has more information.
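A check for the header value proposed above, as an added example that is not part of the issue or of the job-server code base: it parses a Permissions-Policy value and reports which of the two features from the PERMISSIONS_POLICY setting are absent or have a non-empty allowlist. The function names and the sample header values are assumptions made for illustration.

```python
# Added example: audit a Permissions-Policy header value for disabled features.
REQUIRED_DISABLED = ("interest-cohort", "browsing-topics")  # keys from the issue


def split_members(value):
    """Split a header value on commas that sit outside quotes and parentheses."""
    members, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        if ch == "," and not quoted and depth == 0:
            members.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    members.append("".join(buf).strip())
    return [m for m in members if m]


def parse_policy(value):
    """Return {feature: allowlist string}; a later duplicate replaces an earlier one."""
    policy = {}
    for member in split_members(value):
        feature, _, allowlist = member.partition("=")
        policy[feature.strip()] = allowlist.strip()
    return policy


def not_disabled(value, required=REQUIRED_DISABLED):
    """List required features that are missing or whose allowlist is not empty."""
    policy = parse_policy(value)
    # "()" is the empty allowlist: the feature is off for every origin.
    return [f for f in required if policy.get(f, "").replace(" ", "") != "()"]


# Constructed sample header values, not captured from any real site.
OLD_HEADER = "interest-cohort=()"
NEW_HEADER = "interest-cohort=(), browsing-topics=()"
LAX_HEADER = 'interest-cohort=(), browsing-topics=(self "https://example.com")'

if __name__ == "__main__":
    for header in (OLD_HEADER, NEW_HEADER, LAX_HEADER):
        print(header, "->", not_disabled(header) or "ok")
```

The same function can be pointed at the Permissions-Policy value returned by each Django app to confirm the setting is applied consistently.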

iaindillingham commented 2 days ago

Iain to create a master issue to track progress on our other Django/non-Django sites. We agreed in Thursday's tech team meeting to disable Topics.