Disable FLOC by introducing permissions policy header #8145
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Note, if you are a documentation author and for some reason you would like to have FLOC enabled on your documentation, please get in touch. I would like to hear from you and we would consider making this a configurable option on projects. |
ericholscher
approved these changes
Apr 29, 2021
| @@ -99,6 +99,12 @@ class CommunityBaseSettings(Settings): | |||
| "/admin/", | |||
| ) | |||
|
|
|||
| # Permissions Policy | |||
| # https://github.com/adamchainz/django-permissions-policy | |||
| PERMISSIONS_POLICY = { | |||
There was a problem hiding this comment.
Is this something we can easily test? Would be good to have at least an integration test to make sure the setting, etc. is correct.
There was a problem hiding this comment.
Are you thinking a validatehttp check? Or a pagerduty/CF check? I think those would be the best places for it.
There was a problem hiding this comment.
I think a regular Django test + validatehttp are 💯
humitos
approved these changes
May 3, 2021
| @@ -99,6 +99,12 @@ class CommunityBaseSettings(Settings): | |||
| "/admin/", | |||
| ) | |||
|
|
|||
| # Permissions Policy | |||
| # https://github.com/adamchainz/django-permissions-policy | |||
| PERMISSIONS_POLICY = { | |||
There was a problem hiding this comment.
I think a regular Django test + validatehttp are 💯
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces the Permissions-Policy header (MDN) which controls the features that a webpage is allowed to use. For example, Permissions-Policy could be used to disable access to the JS geolocation APIs or the accelerometer.
This PR, however, only uses Permissions-Policy to disable FLOC a new JS API in Chrome that can be used to categorize users together into cohorts with machine learning so they can be targeted with ads. FLOC will be disabled on the RTD dashboard as well as on documentation sites. There are a few reasons for this but the biggest is probably that FLOC has some privacy issues and can aid in fingerprinting users (see the EFF's coverage). While Read the Docs does display advertising on our documentation sites, we are quite explicit in the methods we use to target advertising -- basically just contextual targeting -- and FLOC definitely crosses into behavioral targeting and targeting ads based on past actions rather than content/context.