Disable FLoC by default

[Rich-Harris]

Is your feature request related to a problem? Please describe.
FLoC is bad, and I think we should join the many organisations that treat it as a security/privacy threat and disable it by default.

Describe the solution you'd like
Add a new kit.floc config option that defaults to false, and which must be set to true to opt in to FLoC:

module.exports = {
  kit: {
    floc: true
  }
};

If false, the following header gets added to every response:

Permissions-Policy: interest-cohort=()

Describe alternatives you've considered

• Doing nothing and leaving it to app developers. This places a significant burden on them; while the userland implementation is straightforward, we can't reasonably expect most people to be aware of this issue
• Making it opt out rather than opt in. This reduces the implementation burden, but not the awareness burden

SvelteKit is, among other things, a statement about what kind of web we want to exist. I think it's entirely appropriate to treat this as being within the framework's purview, as much as providing tools to mitigate against things like CSRF attacks.

How important is this feature to you?
In practical terms, not very. In terms of principle, I think it's important for the reasons given above.

[Conduitry]

👍 Full support for this.

[ebeloded]

Is it expected to have this warning now?

[frederikhors]

Is it expected to have this warning now?

I am always of the opinion that a default browser warning is wrong.

[100lvlmaster]

Is it expected to have this warning now?

I am always of the opinion that a default browser warning is wrong.

This man came back to this issue, to make that joke. Commendable