paramdeo / utteranc.es


blog/opting-your-website-out-of-googles-floc-network #2

Open utterances-bot opened 3 years ago

utterances-bot commented 3 years ago

Opting your Website out of Google's FLoC Network - Paramdeo Singh

You can remove your website from Google's FLoC rollout by altering HTTP response headers.

https://paramdeo.com//blog/opting-your-website-out-of-googles-floc-network

dmarti commented 3 years ago

The meta tag method does not work. See pull request and discussion at: https://github.com/WICG/floc/pull/47

paramdeo commented 3 years ago

Thank you very much for pointing this out. I've since amended the post to remove the <meta> tag suggestion, and have also linked the W3C issues that discuss the rationale behind it.

I do have to agree with their reasoning, since using a web or proxy server should be the only de facto way to set HTTP headers.

Luehrsen commented 3 years ago

We also have developed a WordPress Plug-in for those without the technical knowledge to edit files.

https://wordpress.org/plugins/wpm-floc/

brycewray commented 3 years ago

Since you mention Netlify and Cloudflare Workers, you may also want to add how it’s done if your site is hosted on Vercel. If you don’t already have a vercel.json file, create one at the project’s root level and add the following:

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Permissions-Policy",
          "value": "interest-cohort=()"
        }
      ]
    }
  ]
}

Documentation for adding headers to a Vercel site: https://vercel.com/docs/configuration#project/headers

daniel-corbett commented 3 years ago

In HAProxy you can do the following:

http-response set-header Permissions-Policy interest-cohort=()

jeherve commented 3 years ago

Thanks for the post!

May I suggest a small update to the WordPress snippet, to ensure compatibility with any other Permissions-Policy headers that may already be set on the site?

/**
 * Opting your Website out of Google's FLoC Network.
 * Place this snippet in your theme's functions.php, or in a functionality plugin.
 *
 * @param string[] $headers Associative array of headers to be sent.
 */
add_filter(
    'wp_headers',
    function ( $headers ) {
        if ( empty( $headers['Permissions-Policy'] ) ) {
            $headers['Permissions-Policy'] = 'interest-cohort=()';
        } elseif (
            ! empty( $headers['Permissions-Policy'] )
            && false === strpos( $headers['Permissions-Policy'], 'interest-cohort' )
        ) {
            $headers['Permissions-Policy'] .= ', interest-cohort=()';
        }

        return $headers;
    }
);

paramdeo commented 3 years ago

@jeherve @daniel-corbett and @brycewray I've added the various code snippets that you provided to the blog post, and added your names to the Acknowledgements section.

Thanks for helping to expand and improve the post!

wilrnh commented 3 years ago

i refuse to use this comment section, which requires me to log in via GitHub.

also, if i have cloudflare in front of my netlify site, is adding the header to netlify enough?

namaste

paramdeo commented 3 years ago

@wilrnh Thanks for using the comment section :)

To answer your question, setting the headers in Netlify is enough (I use the same setup). Cloudflare's edge proxy will pass along all headers set by Netlify's origin.
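A check for whether the opt-out actually reaches the client when other Permissions-Policy directives or an edge proxy are involved (added example, not code from the blog post or from any commenter). It parses the header as a structured-field dictionary, where a repeated key keeps its last value, so `interest-cohort=(self)` is not mistaken for an opt-out the way a substring match would be; function names and sample responses are constructed for illustration, and backslash escapes inside quoted strings are not handled.

```python
import re

def header_values(raw, name):
    """All values of header `name` (case-insensitive) in a raw response head."""
    out = []
    for line in raw.split("\r\n")[1:]:          # skip the status line
        if not line:                            # blank line ends the headers
            break
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            out.append(value.strip())
    return out

def split_members(value):
    """Split a dictionary header on commas outside quotes and parentheses."""
    members, buf, depth, quoted = [], "", 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and depth == 0 and not quoted:
            members.append(buf)
            buf = ""
        else:
            buf += ch
    return [m.strip() for m in members + [buf] if m.strip()]

def parse_policy(values):
    """Map feature -> allowlist; a repeated feature keeps its last value."""
    policy = {}
    for member in split_members(", ".join(values)):   # repeated headers combine
        feature, _, allowlist = member.partition("=")
        policy[feature.strip().lower()] = allowlist.strip()
    return policy

def floc_opted_out(raw):
    """True only if interest-cohort has an empty allowlist, i.e. '()'."""
    policy = parse_policy(header_values(raw, "Permissions-Policy"))
    return re.fullmatch(r"\(\s*\)", policy.get("interest-cohort", "")) is not None

# Constructed sample responses (not captured from any real site).
HEAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
MERGED = HEAD + 'Permissions-Policy: geolocation=(self "https://a.example"), interest-cohort=()\r\n\r\n'
SPLIT = HEAD + "Permissions-Policy: camera=()\r\npermissions-policy: interest-cohort=()\r\n\r\n"
ALLOWED = HEAD + "Permissions-Policy: interest-cohort=(self)\r\n\r\n"
MISSING = HEAD + "\r\n"

if __name__ == "__main__":
    for label, raw in [("merged", MERGED), ("split", SPLIT), ("allowed", ALLOWED), ("missing", MISSING)]:
        print(label, floc_opted_out(raw))
```

To check a live deployment, feed the function the response head as the browser receives it, after every proxy in the path, for example the output of `curl -sI`.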

foosel commented 3 years ago

FWIW, GitHub Pages should now set the opt out header automatically:

https://github.blog/changelog/2021-04-27-github-pages-permissions-policy-interest-cohort-header-added-to-all-pages-sites/

paramdeo commented 3 years ago

@foosel Thanks for letting me know about this! I updated the post with that bit of info, and added your name to the Acknowledgements section.

mikedinicola commented 3 years ago

Since this site is built on Jekyll, do you have any advice? My first thought was to add the Permissions-Policy as an http-equiv meta element, but this isn't supported and caused my linter to yell at me. It might work anyway in which case I can change my linting rules or maybe you recommend running a separate script to add the header to all files? Thanks!

mikedinicola commented 3 years ago

Should have mentioned I'm using GH Pages on a custom domain. I see you've added "However, there is no way to add custom HTTP headers when using GitHub Pages with a custom domain" but I refuse to believe that could be true!

paramdeo commented 3 years ago

> My first thought was to add the Permissions-Policy as an http-equiv meta element, but this isn't supported and caused my linter to yell at me. It might work anyway in which case I can change my linting rules or maybe you recommend running a separate script to add the header to all files? Thanks!

@mikedinicola The <meta> element option unfortunately isn't supported, for both technical and usability reasons, as only a small subset of headers can be set using http-equiv — of which Permissions-Policy isn't one (as well as any security headers for that matter). Also, HTTP headers should ideally be set by the web server in order to work as expected.

> Since this site is built on Jekyll, do you have any advice?

My advice to anyone using Jekyll is to use Netlify :smile: since they're the best.

> Should have mentioned I'm using GH Pages on a custom domain. I see you've added "However, there is no way to add custom HTTP headers when using GitHub Pages with a custom domain" but I refuse to believe that could be true!

GitHub pages has a number of feature requests in their Community Support Site as it relates to setting custom HTTP response headers in GitHub pages, but so far that feature hasn't been confirmed.

vayurobins commented 3 years ago

Restarting the server is not possible for many hosting companies, especially shared hosting. Will it work without a restart? How about using the plugin https://wordpress.org/plugins/wpm-floc/ or inserting the code via WP hook, that will not restart the server, so will it work?

paramdeo commented 3 years ago

@vayurobins For web servers that support a graceful restart you can definitely use something like service nginx reload or apachectl -k graceful for example.

Since the type of folks executing these commands would have sysadmin experience — and would make up their mind about any perceived downtime based on their individual needs — I kept the commands as standardized as possible.

In terms of WordPress, it's indeed possible to use a plugin that inserts the Permissions-Policy header without needing to restart the server; which is perfect for shared hosting.

The only plugin I've tested and can recommend is Disable FLoC by Roy Tanck as it takes into consideration the existence of other headers, and is written by a WP Core Contributor.

ping-localhost commented 3 years ago

If someone is unable to change their web/proxy server and uses Symfony, they could use loophp/go-unfloc-yourself-bundle. If it detects an existing Permissions-Policy-header, the bundle will not change the value.

reidbiztech commented 3 years ago

The problem here is that we do not trust google. So why would we trust them to heed this header?

We shouldn't.

Blocking this will require something at the transport/protocol level, a deep packet inspection firewall and filter might be able to do it.

dmarti commented 2 years ago

It appears that there are now two more Permissions-Policy permissions related to in-browser ad placements:

source: https://github.com/WICG/turtledove/commit/ebd96b8ce13b26e58dd715251201fbdabffd3af7

The existing interest-cohort permission does not appear to affect these settings.