This repository has been archived by the owner on Mar 16, 2023. It is now read-only.

Add an example opt-out meta tag #47

Status: Open. 1 commit to merge into base: main.

dmarti (Contributor) commented Feb 26, 2021

Provide a simple, cut and pasteable example of a FLoC opt out.

michaelkleber (Collaborator) commented Feb 26, 2021

@xyaoinum PTAL? I see in this test exactly how to opt out with an HTTP response header, but @dmarti is right that we should document the meta-tag version, if there is such.

@xyaoinum (Collaborator)

I don't think permissions-policy is supported in http-equiv, so you may only use the Feature-Policy: interest-cohort 'none' response header.

dmarti (Contributor, Author) commented Feb 26, 2021

How would you opt out if your site is on a shared hosting service where you can't set the headers in HTTP? Is the correct HTML going to be:

<meta http-equiv="Feature-Policy" content="interest-cohort 'none'">

@michaelkleber (Collaborator)

Looks like the way to opt out is in HTTP headers, not in the HTML body. (The meta http-equiv thing doesn't work for headers in general, only for a few specified headers.)

dmarti (Contributor, Author) commented Feb 27, 2021

How do you opt out if you are on a shared hosting plan where you can't set HTTP headers? (related issue: #13 )

@michaelkleber (Collaborator)

There isn't a way right now, and I agree that we should add one.

@jkarlin Turns out this is a feature request, not a documentation request! What's the right way to get a FLoC opt-out in HTML? Not everyone can set HTTP response headers, and <meta http-equiv=...> doesn't support Feature-Policy.

dmarti added a commit to dmarti/floc that referenced this pull request Mar 1, 2021
This is an alternate version of WICG#47 covering only the HTTP header.

In the future when an opt-out that does not require setting a header is available, the alternate method might be a better example to include here.
dmarti mentioned this pull request Mar 1, 2021

jkarlin (Collaborator) commented Mar 1, 2021

The notion of adding meta support to permissions policy has come up over the years, but hasn't been adopted. I haven't been involved but my read is that there are real complexities to changing a policy during page processing. Some discussions on the topic are available here and here.

dmarti (Contributor, Author) commented Mar 1, 2021

@jkarlin Thank you for the links.

"you can't have a policy header occurring after something which it is supposed to control" -- this seems like it would be important for scripts that might occur in the head before the meta element. But since FLoC is built into the browser, it could postpone the train/no-train decision until after the entire head element has been processed, whether or not a script has already run.

Another possibility would be to extend the approach in Special tags that Google understands and have a separate meta tag with name and value, similar to <meta name="google" content="notranslate" />. This could be done without changing the entire permissions policy just to accommodate one case.

Could be something like <meta name="interest-group" content="notrain" />

getify commented Apr 17, 2021

Is the HTTP header only applicable to HTML pages, or does it need to be sent for any other resource types (like JS or CSS) which themselves can request other content?

jviide added a commit to badrap/docs.badrap.io that referenced this pull request Apr 19, 2021
@OwenMelbz

@dmarti - Out of interest - what does "shared hosting" have to do with setting headers?

Is it that your host only supports HTML? Is that maybe the question... Setting FLoC headers via HTML rather than response headers?

dmarti (Contributor, Author) commented Aug 2, 2021

@OwenMelbz Yes, some basic web hosts do allow you to upload HTML but don't let you set HTTP response headers. There are also services like web retail and blog hosts that let you edit your site's HTML template but not run server-side code that could set a header.
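
The distinction this thread arrives at (the opt-out is honored as an HTTP response header, not as a `<meta http-equiv>` tag), sketched as a response audit. This is an added example, not code from the pull request or any participant; the function and class names are hypothetical, and accepting the `Permissions-Policy: interest-cohort=()` form alongside the `Feature-Policy` form quoted above is an assumption of the example.

```python
from html.parser import HTMLParser

POLICY_HEADERS = ("feature-policy", "permissions-policy")

class MetaPolicyFinder(HTMLParser):
    """Collect <meta http-equiv> tags that try to set interest-cohort policy."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if (tag == "meta" and a.get("http-equiv", "").lower() in POLICY_HEADERS
                and "interest-cohort" in a.get("content", "").lower()):
            self.found.append(a["content"])

def header_opts_out(headers):
    """True if a response header disables interest-cohort for every origin."""
    for name, value in headers.items():
        name = name.lower()
        # Feature-Policy separates directives with ';', Permissions-Policy with ','.
        for directive in value.lower().replace(";", ",").split(","):
            words = directive.split()
            if name == "feature-policy" and words == ["interest-cohort", "'none'"]:
                return True
            if name == "permissions-policy" and "".join(words) == "interest-cohort=()":
                return True
    return False

def audit(headers, html):
    """Classify a response: 'opted-out', 'meta-only-ineffective' or 'no-opt-out'."""
    finder = MetaPolicyFinder()
    finder.feed(html)
    if header_opts_out(headers):
        return "opted-out"
    # Per the thread, <meta http-equiv> is not honored for this header.
    return "meta-only-ineffective" if finder.found else "no-opt-out"

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    meta = "<head><meta http-equiv=\"Feature-Policy\" content=\"interest-cohort 'none'\"></head>"
    print(audit({"Feature-Policy": "interest-cohort 'none'"}, "<p>hi</p>"))
    print(audit({"Content-Type": "text/html"}, meta))
    print(audit({"Content-Type": "text/html"}, "<p>hi</p>"))
```

A site owner who can only edit HTML templates would see `meta-only-ineffective` here, which is the gap the thread identifies.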
