I propose two things:
- By default, we add the Permissions-Policy header to every app. This is similar to other security related headers Rails already has.
- The default Permissions-Policy setting for FLoC is set to disabled. This means that your site’s visitors are not included in FLoC. Other settings are set to no default.
FLoC is a new technology that targets ads based on aggregated interests instead of identity full explanation. It promises to protect your identity, by telling advertisers your interests instead of your identity. It’s not ‘the best’ way to protect your privacy, but it’s better than third party tracking cookies.
There is also critique on FLoC. I.e. the EFF has critized FLoC in this article. Some browsers said they won’t support the FLoC feature in their browser, i.e. Mozilla and Brave.
Other frameworks said they will disable FLoC by default. I.e. Drupal (https://www.drupal.org/project/drupal/issues/3209628) already implemented this. A core contributer from WordPress even wrote an essay on why it should be treated as a ‘security concern’ and not as a ‘feature’. WordPress will disable FLoC by default in version 5.8.
The Permissions-Policy header is a W3C standard for enabling or disabling access to certain browser features you might need on a webpage. It is the renamed version of Feature-Policy.
In it’s functionality, it is similar to Content Security Policies, but exclusively deal with browser features. It provides protection in the same way CSP does: by setting a policy, no injected content can use features that you don’t want them to use.
Features that can be enabled/disabled are, amongst others, microphone, camera and geolocation.
PR 41994 adds the Permissions-Policy header to Rails. There is currently no default setting set for FLoC. Permission-Policy headers are starting to be supported by more and more browsers (caniuse).