1. 19
  1. 10

    In other words, [the Permissions-Policy header] provides a global override for any page contents requesting too many permissions. It’s ideal for situations in which authors aren’t in control of what content is being loaded.

    The webmaster (or “author”) should always be in control on which permissions are requested, and the user should be in control of which permissions are granted. The fact that we don’t think so anymore suggests that FLoC is one of many steps in a process to kill off online privacy.

    1. 3

      Content hosting is probably the biggest example I can think of where one entity controls the headers, but another entity can control JS. Tumblr allows arbitrary JS and HTML in themes, for example.

      1. 2

        That doesn’t negate the user’s responsibility to choose what permissions they grant to code on their systems.

    2. 3

      You don’t need to add this permission policy to every request, just as you don’t need to wear a helmet for every form of physical activity.

      I disagree. If a helmet were as light as air, I would wear a helmet all the time, and tell others to do so.

      1. 9

        Perhaps a “broken helmet” would be a better analogy, since adding this header won’t necessarily help. I don’t think we should legitimize the need to add a half-baked work-around whenever Google does exactly what we expect it to do; it shifts burden and blame away from Google and towards webmasters.

        1. 3

          There are kinds of physical activity where a helmet makes the wearer less safe, especially when the risk of getting snagged and choking is higher than the risk of traumatic head impact. This is why every children’s playground has large “no helmets” signs.

          1. 4

            Metaphor is metaphor. Your point is granted but seems irrelevant to the Permissions-Policy header.

            1. 2

              This is why every children’s playground has large “no helmets” signs.

              Wait, what? Is this an American thing? I can’t imagine an Australian parent even considering putting their kids in helmets for a playground. Hell, our seven and nine year old boys play unsupervised in the playground over the road.

              1. 4

                I’ve always assumed the fear was kid arriving by bicycle (helmets required by law) and running to play without removing helmets.

                1. 1

                  Ah okay, that makes sense.

                  I’ve always wondered about compulsory safety equipment laws. As a motorcyclist, I subscribe to the “all the gear, all the time” mentality - albeit with different kit for road and track use.

                  But if someone wants to ride without a helmet, well, … as Scott Adams said, “I say it’s a free country and you should be able to kill yourself at any rate you choose, as long as your cold dead body is not blocking my driveway in the morning.”

                  I guess you could make a utilitarian argument for it in the case of a socialist medical system, because of the cost of caring for the injured. But then I wonder which would be cheaper, an elaborately injured motorcyclist, or one who’s dead because they didn’t wear a helmet.

                  1. 2

                    Fully agree. Laws should protect people from each other, not themselves.

                    We’ve managed to lobby to avoid cycling helmet laws for adults so far in my area, but they’ve been required for minors for decades. Which seems extra dumb, because the kid can just take their helmet off and what, you’re going to ticket them? A 9-year-old? No, the law is just unenforced mostly.

          2. 1

            I’m not sure I understand. There are basically two issues here - making sure that your origin (and scripts loaded by it) is unable to call FLoC APIs, and opting your website out of being used as input to browser cohort calculations. This article seems to be mainly about the former, and how there are better solutions than setting a header - although it does not really make it clear which part is about which - but the posts I’ve seen giving this advice so far (and IIUC, the original linked blog post falls into this category) have been mostly about the latter. The idea being that by opting your website out, you’re helping to make FLoC’s cohort calculations less effective and therefore less useful. What exactly is the misinformation being combatted here and/or what am I missing?

            It’s very late here so there’s definitely a strong chance that I’m just overlooking something obvious.
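The thread above turns on what a Permissions-Policy header actually says: whether a feature is disabled for every origin (an empty allowlist), allowed everywhere (`*`), or allowed for a listed set of origins. The following is an added example, not code from the article or from any commenter, that parses the header's directive syntax and classifies a response's FLoC posture from the `interest-cohort` directive (the real directive name Chrome used for the FLoC opt-out; everything else here, including the sample header sets and the helper names, is constructed for the example). It is written from the perspective of a webmaster checking what their own server emits, which is the point at issue in the first comment about who controls the headers versus who controls the page content.

```python
"""Parse Permissions-Policy response headers and report whether a page opts
out of FLoC cohort calculation via `interest-cohort=()`.

Added example with constructed headers only; no network access.
"""
import re
from typing import Dict, List, Tuple

# Simplified directive grammar:  feature=* | feature=(space-separated allowlist)
# Allowlist entries are tokens such as self/src or quoted origins.
_DIRECTIVE_RE = re.compile(
    r"""
    \s*(?P<feature>[A-Za-z0-9-]+)\s*=\s*
    (?:
        \*                          # wildcard: any origin may use the feature
      | \((?P<allowlist>[^)]*)\)    # parenthesised allowlist; () means nobody
    )\s*
    """,
    re.VERBOSE,
)


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Return {feature: allowlist}.

    [] means the feature is disabled for every origin, ["*"] means it is
    allowed everywhere, otherwise the listed tokens/origins are allowed.
    Unparseable entries are skipped rather than guessed at.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        match = _DIRECTIVE_RE.fullmatch(part)
        if not match:
            continue
        feature = match.group("feature").lower()
        allowlist = match.group("allowlist")
        if allowlist is None:
            policy[feature] = ["*"]
        else:
            policy[feature] = [tok.strip('"') for tok in allowlist.split()]
    return policy


def floc_opt_out_status(headers: List[Tuple[str, str]]) -> str:
    """Classify a response's FLoC posture from its raw (name, value) headers.

    Returns "opted-out" when interest-cohort has an empty allowlist,
    "allowed" when it names any origin or uses *, and "unspecified" when
    no Permissions-Policy header mentions the feature at all.
    Assumption: when several Permissions-Policy headers are present they are
    merged as one dictionary, with later entries overriding earlier ones.
    """
    merged: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() == "permissions-policy":
            merged.update(parse_permissions_policy(value))
    if "interest-cohort" not in merged:
        return "unspecified"
    return "opted-out" if merged["interest-cohort"] == [] else "allowed"


# Constructed sample responses covering the cases a checker must distinguish.
SAMPLE_RESPONSES: Dict[str, List[Tuple[str, str]]] = {
    "opted_out": [
        ("Content-Type", "text/html"),
        ("Permissions-Policy", "interest-cohort=()"),
    ],
    "opted_out_among_others": [
        ("Permissions-Policy",
         'geolocation=(self "https://maps.example"), interest-cohort=()'),
    ],
    "wildcard": [("Permissions-Policy", "interest-cohort=*")],
    "allowed_self": [("Permissions-Policy", "interest-cohort=(self)")],
    "missing": [("Content-Type", "text/html")],
}


def audit_samples() -> Dict[str, str]:
    """Run the classifier over every constructed sample."""
    return {name: floc_opt_out_status(hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, status in audit_samples().items():
        print(f"{name:24s} -> {status}")
```

Note the distinction the classifier enforces: `interest-cohort=(self)` is not an opt-out, it explicitly permits the page's own origin, so a checker that only greps for the substring `interest-cohort` would pass a header that does the opposite of what the webmaster intended.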

            1. 1

              This article seems to be mainly about the former,

              Sorry, the initial version of the article kinda glossed over that. I’ve updated it a few times since with more information. The “What explicitly opting out actually entails” section covers the latter concern. The “This has happened before” section might also be relevant.

              Thanks for the feedback.