Add an example opt-out meta tag
Provide a simple, cut and pasteable example of a FLoC opt out.
@xyaoinum PTAL? I see in this test exactly how to opt out with an HTTP response header, but @dmarti is right that we should document the meta-tag version, if there is such.
I don't think permissions-policy is supported in http-equiv, so you may only use the Feature-Policy: interest-cohort 'none' response header.
How would you opt out if your site is on a shared hosting service where you can't set the headers in HTTP? Is the correct HTML going to be:
<meta http-equiv="Feature-Policy" content="interest-cohort 'none'">
Looks like the way to opt out is in HTTP headers, not in the HTML body. (The meta http-equiv thing doesn't work for headers in general, only for a few specified headers.)
How do you opt out if you are on a shared hosting plan where you can't set HTTP headers? (related issue: #13)
There isn't a way right now, and I agree that we should add one.
@jkarlin Turns out this is a feature request, not a documentation request! What's the right way to get a FLoC opt-out in HTML? Not everyone can set HTTP response headers, and <meta http-equiv=...> doesn't support Feature-Policy.
The notion of adding meta support to permissions policy has come up over the years, but hasn't been adopted. I haven't been involved but my read is that there are real complexities to changing a policy during page processing. Some discussions on the topic are available here and here.
@jkarlin Thank you for the links.
"you can't have a policy header occurring after something which it is supposed to control" -- this seems like it would be important for scripts that might occur in the head before the meta element. But since FLoC is built into the browser, it could postpone the train/no-train decision until after the entire head element has been processed, whether or not a script has already run.
Another possibility would be to extend the approach in Special tags that Google understands and have a separate meta tag with name and value, similar to <meta name="google" content="notranslate" />. This could be done without changing the entire permissions policy just to accommodate one case.
Could be something like <meta name="interest-group" content="notrain" />
Is the HTTP header only applicable to HTML pages, or does it need to be sent for any other resource types (like JS or CSS) which themselves can request other content?
@dmarti - Out of interest - what does "shared hosting" have to do with setting headers?
Is it that your host only supports HTML? Is that maybe the question... Setting FLoC headers via HTML rather than response headers?
@OwenMelbz Yes, some basic web hosts do allow you to upload HTML but don't let you set HTTP response headers. There are also services like web retail and blog hosts that let you edit your site's HTML template but not run server-side code that could set a header.
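A check for the situation discussed in this thread, added here as an example and not code from the FLoC repository or from any participant: it classifies a response as opted out via an HTTP header, or as carrying only the meta http-equiv form that the thread says is not honored. The function names, the sample responses and the Permissions-Policy value syntax interest-cohort=() are not from the thread; the samples are constructed.

```python
import re
from email.parser import Parser
from html.parser import HTMLParser

POLICY_HEADERS = ("permissions-policy", "feature-policy")

def header_opts_out(name, value):
    """True if a policy header value disables interest-cohort for all origins."""
    name = name.lower()
    for directive in re.split(r"[;,]", value):
        d = directive.strip().lower()
        # Feature-Policy form quoted in the thread.
        if name == "feature-policy" and re.fullmatch(r"interest-cohort\s+'none'", d):
            return True
        # Permissions-Policy form (assumption: syntax not shown in the thread).
        if name == "permissions-policy" and re.fullmatch(r"interest-cohort\s*=\s*\(\s*\)", d):
            return True
    return False

class MetaFinder(HTMLParser):
    """Collects <meta http-equiv> tags that try to set the opt-out in HTML."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        equiv = (a.get("http-equiv") or "").lower()
        if tag == "meta" and equiv in POLICY_HEADERS:
            if header_opts_out(equiv, a.get("content") or ""):
                self.hits.append(equiv)

def audit(raw_response):
    """Return 'opted-out', 'meta-only' (tag present but not honored) or 'no-opt-out'."""
    head, _, body = raw_response.partition("\n\n")
    _status, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    if any(header_opts_out(n, v) for n, v in headers.items()
           if n.lower() in POLICY_HEADERS):
        return "opted-out"
    finder = MetaFinder()
    finder.feed(body)
    return "meta-only" if finder.hits else "no-opt-out"

# Constructed sample responses (not captured from any real site).
SAMPLE_HEADER = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
                 "Feature-Policy: interest-cohort 'none'\n\n<html><head></head></html>")
SAMPLE_META = ("HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html><head>"
               "<meta http-equiv=\"Feature-Policy\" content=\"interest-cohort 'none'\">"
               "</head></html>")
SAMPLE_NONE = "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html></html>"
```

A "meta-only" result is the case raised for hosts that allow editing HTML but not response headers: the tag is in the page, yet no opt-out is in effect.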