In short
I propose two things:
- By default, we add the Permissions-Policy header to every app. This is similar to the other security-related headers Rails already sets.
- The default Permissions-Policy setting for FLoC is disabled. This means that your site’s visitors are not included in FLoC. No other feature gets a default setting.
What is FLoC
FLoC is a new technology that targets ads based on aggregated interests instead of identity (full explanation). It promises to protect your identity by telling advertisers your interests instead of who you are. It’s not ‘the best’ way to protect your privacy, but it’s better than third-party tracking cookies.
There is also criticism of FLoC; for example, the EFF has criticized FLoC in this article. Some browsers have said they won’t support FLoC, e.g. Mozilla and Brave.
Other frameworks have said they will disable FLoC by default; for example, Drupal (https://www.drupal.org/project/drupal/issues/3209628) has already implemented this. A core contributor from WordPress even wrote an essay on why it should be treated as a ‘security concern’ and not as a ‘feature’. WordPress will disable FLoC by default in version 5.8.
What is the Permissions-Policy header?
The Permissions-Policy header is a W3C standard for enabling or disabling access to certain browser features you might need on a webpage. It is the renamed version of Feature-Policy.
In its functionality it is similar to Content Security Policy, but it deals exclusively with browser features. It provides protection in the same way CSP does: by setting a policy, injected content cannot use features that you don’t want it to use.
Features that can be enabled/disabled are, amongst others, microphone, camera and geolocation.
PR 41994 adds the Permissions-Policy header to Rails. There is currently no default setting for FLoC. Permissions-Policy headers are supported by more and more browsers (caniuse).
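As an added example (not code from Rails or from PR 41994), the following Ruby serialises and parses Permissions-Policy header values in the format the standard uses, showing the proposed default `interest-cohort=()` beside other directives, and wraps it in a Rack middleware that sets the header on every response that does not already set one. The origin `https://maps.example.com` and the middleware itself are constructed for illustration.

```ruby
# Constructed example, not Rails' own code: serialise and parse Permissions-Policy
# values, and a Rack middleware that adds a default policy disabling FLoC
# (interest-cohort=()) to every response that does not already set the header.
module PermissionsPolicy
  # Allowlist forms: :none => "()", :all => "*", or an Array of :self and origin strings.
  def self.serialize(directives)
    directives.map do |feature, allow|
      list = case allow
             when :none then "()"
             when :all  then "*"
             when Array then "(" + allow.map { |o| o == :self ? "self" : "\"#{o}\"" }.join(" ") + ")"
             else raise ArgumentError, "unsupported allowlist #{allow.inspect}"
             end
      "#{feature}=#{list}"
    end.join(", ")
  end

  # Inverse of serialize, { feature => allowlist }, for checking what a response carries.
  def self.parse(value)
    value.split(",").each_with_object({}) do |part, out|
      feature, list = part.strip.split("=", 2)
      out[feature] =
        case list
        when "*"  then :all
        when "()" then :none
        else list[1..-2].scan(/self|"[^"]+"/).map { |t| t == "self" ? :self : t.delete('"') }
        end
    end
  end

  # True when the page is opted out of FLoC, i.e. interest-cohort has an empty allowlist.
  def self.floc_disabled?(value)
    parse(value)["interest-cohort"] == :none
  end
end

# The proposal's default: FLoC disabled, every other feature left unset.
DEFAULT_POLICY = PermissionsPolicy.serialize("interest-cohort" => :none)

# Rack middleware: sets the header on every response unless the app already set its own.
class PermissionsPolicyMiddleware
  def initialize(app, policy = DEFAULT_POLICY)
    @app, @policy = app, policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Permissions-Policy"] ||= @policy
    [status, headers, body]
  end
end
```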