From 2ae6abbd82e4a79f764e1aa22d516c842c31b220 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Sat, 17 Apr 2021 11:25:57 -0700 Subject: [PATCH] Make the post a bit less finger-pointy - Mention another time that it's in response to online discussions/comments, not the authors of certain blog posts - Clarify that there's nothing wrong with adding this header to your site if you manage your expectations and DON'T accuse others of complicity or change upstream software --- content/posts/permissions-policy-floc-misinfo.gmi | 6 ++++-- content/posts/permissions-policy-floc-misinfo.md | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/content/posts/permissions-policy-floc-misinfo.gmi b/content/posts/permissions-policy-floc-misinfo.gmi index 0f5122b..e8db623 100644 --- a/content/posts/permissions-policy-floc-misinfo.gmi +++ b/content/posts/permissions-policy-floc-misinfo.gmi @@ -1,4 +1,4 @@ -This post was written in a hurry in response to some misinformation about Google's newest Web antifeature, Federated Learning of Cohorts (FLoC). Google's FLoC is an attempt to track users even when their browsers (rightly) block third-party cookies. +This post was written in a hurry in response to some misinformation about Google's newest Web antifeature, Federated Learning of Cohorts (FLoC). Google's FLoC is an attempt to track users even when their browsers (rightly) block third-party cookies. The initial blog posts about this issue were quite benign, but online discussions quickly devolved into panic and support for building flawed work-arounds into upstream software. I had to write this before things got out of hand. A lot of misleading online discussion stems from one not-very-misleading blog post¹ that's been making rounds: @@ -81,7 +81,9 @@ If you're concerned about Google breaking the spec and opting you in even after ## Take a breath -Please, don't spam maintainers of web server/backend software to tell them to include this header by default when it may or may not actually reduce user fingerprints. Don't tell webmasters that they have a *moral obligation* to add a Permissions Policy header either.² You don't need to add this permission policy to every request, just as you don't need to wear a helmet for every form of physical activity. +If you want to be extra safe, you're free to add this header to your site. Just manage your expectations. However: + +Please, don't spam maintainers of web server/backend software to tell them to include this header by default when it may or may not actually reduce user fingerprints. Don't tell webmasters that they have a *moral obligation* to add a Permissions Policy header either.² You don't need to add this permission policy to every request, just as you don't need to wear a helmet for every form of physical activity. Knee-jerk reactions like patching upstream software only galvanize Google to start ignoring this non-standard usage of the Permissions Policy header. ¹ This isn't the only post making rounds, but it did hit the front page of a certain orange-colored website. I'm not blaming the author; if I hadn't encountered the Permissions Policy spec earlier, I probably would have also taken the advice the author read at face-value. diff --git a/content/posts/permissions-policy-floc-misinfo.md b/content/posts/permissions-policy-floc-misinfo.md index 3f877a7..81b4056 100644 --- a/content/posts/permissions-policy-floc-misinfo.md +++ b/content/posts/permissions-policy-floc-misinfo.md @@ -9,7 +9,7 @@ outputs: footnote_heading: Notes title: "Misinformation about Permissions Policy and FLoC" --- -This post was [written in a hurry](https://www.goodreads.com/quotes/219878-a-lie-can-run-round-the-world-before-the-truth) in response to some misinformation about Google's newest Web antifeature, Federated Learning of Cohorts (FLoC). Google's FLoC is an attempt to track users even when their browsers (rightly) block third-party cookies. +This post was [written in a hurry](https://www.goodreads.com/quotes/219878-a-lie-can-run-round-the-world-before-the-truth) in response to some misinformation about Google's newest Web antifeature, Federated Learning of Cohorts (FLoC). Google's FLoC is an attempt to track users even when their browsers (rightly) block third-party cookies. The initial blog posts about this issue were quite benign, but online discussions quickly devolved into panic and support for building flawed work-arounds into upstream software. I had to write this before things got out of hand. A lot of misleading online discussion stems from one not-very-misleading [blog post](https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network)[^1] that's been making rounds, instructing webmasters everywhere to add the following HTTP response headers to all their pages: @@ -75,7 +75,9 @@ If you're concerned about Google breaking the spec and opting you in even after Take a breath ------------- -Please, don't spam maintainers of web server/backend software to tell them to include this header by default when it may or may not actually reduce user fingerprints. Don't tell webmasters that they have a _moral obligation_ to add a Permissions Policy header either.[^2] You don't need to add this permission policy to every request, just as you don't need to wear a helmet for every form of physical activity. +If you want to be extra safe, you're free to add this header to your site. Just manage your expectations. However: + +Please, don't spam maintainers of web server/backend software to tell them to include this header by default when it may or may not actually reduce user fingerprints. Don't tell webmasters that they have a _moral obligation_ to add a Permissions Policy header either.[^2] You don't need to add this permission policy to every request, just as you don't need to wear a helmet for every form of physical activity. Knee-jerk reactions like patching upstream software only galvanize Google to start ignoring this non-standard usage of the Permissions Policy header. [^1]: This isn't the only post making rounds, but it did hit the front page of a certain orange-colored website. I'm not blaming the author; if I hadn't encountered the Permissions Policy spec earlier, I probably would have also taken the advice the author read at face-value.