I can’t believe I’m having to write this code in a fucking web server. What a mockery of the web, human rights, and the GDPR.

Fuck you, Google!


So, ball’s in your court, web server developers.

Are you going to add a one-line header, by default, to your server responses to protect people from being tracked by Google or not?

Adding it to Site.js took 5 minutes of work:


Do you care?

More: plausible.io/blog/google-floc

@aral I bet this is going to end the same way it ended with the DNT header. Anyone remember this argument?
"Since it's the default browser / webserver setting, we do not actually know the user's choice, so we chose to believe that the user actually wants to have personalized ads and the pesky devs are preventing them from having it. So we choose to ignore the opt-out setting and track you anyways 🤷"

@aral Thanks for these links and for the tips 👍

This single line in my Nginx server did the trick:

add_header Permissions-Policy "interest-cohort=()";
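
A way to confirm that the header from the post above actually reaches clients, as an added example that is not part of the thread. The function names and the sample header lists are constructed for illustration; in practice the pairs would come from a real response.

```python
import re

def split_top_level(value):
    """Split on commas that sit outside quotes and parentheses."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and not quoted and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def cohort_allowlist(headers):
    """Return the interest-cohort allowlist, or None if it is never set.

    headers: (name, value) pairs as received. Names are case-insensitive and
    the header may repeat; a later directive replaces an earlier one.
    """
    found = None
    for name, value in headers:
        if name.lower() != "permissions-policy":
            continue
        for directive in split_top_level(value):
            feature, _, allowlist = directive.partition("=")
            if feature.strip() == "interest-cohort":
                found = allowlist.strip()
    return found

def opted_out(headers):
    """True only when interest-cohort has an empty allowlist: ()."""
    allowlist = cohort_allowlist(headers)
    return allowlist is not None and re.fullmatch(r"\(\s*\)", allowlist) is not None

# Constructed sample responses (header lists only), not captured traffic.
SAMPLES = {
    "nginx_line": [("Permissions-Policy", "interest-cohort=()")],
    "no_header": [("Content-Type", "text/html")],
    "combined": [("permissions-policy",
                  'geolocation=(self "https://a.example"), interest-cohort=()')],
    "allowed": [("Permissions-Policy", "interest-cohort=*")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: opted out = {opted_out(hdrs)}")
```

In nginx, `add_header` is only applied to a fixed set of success and redirect status codes unless the `always` parameter is given, and a block that defines its own `add_header` does not inherit the ones from the enclosing level, so run the check against error pages and nested locations as well as the home page.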

@aral I'll look into this! I've recently stripped all js off my website, but I'm happy to add this bit in if it'll stop tracking.

@aral I don't suppose you'd know if adding these header policies to HTML meta tags would work? I have a few websites that use GitHub and GitLab (.com) Pages, and I don't think I can alter the headers coming from the server.

I've at least updated all my other websites with this! Thanks again for the heads-up!

@Alamantus AFAIK, no. (For one thing, Google isn’t trying to make it easier for you, they’re just trying to cover their asses with regulators – “oh, it’s opt out so people have a CHOICE… so it’s ok”)

@Alamantus But you can lobby GitHub and GitLab to add them by default to every request.

@aral ~~nitpick but shouldn't you index all that stuff based on some variable and subtraction instead of having to change all of them each time~~

@monarrk I’m ok with not over-engineering the tests at the moment. It’s very rare to change the middleware stack at this stage as Site.js is rather mature. If it becomes a pain at some point, I’ll refactor it, sure.

@aral I really don't think this is the right way to go. Google can't add a privacy violating feature and point at another party (server admins in this case) to fix their violation. That is all on Google, and they can't escape their responsibility by adding a complicated off switch which isn't compliant with the spec for that header. If you want the tracking active in your site, then simply make sure that you don't load any advertising.


@felix I agree but I also don’t see the link between not loading advertising and Google not profiling people on your site. If anything it’s ambiguous as they state in their original proposal that visits to every site are included in a person’s profile. And, knowing their business model, that’s the direction this will go even if it’s not there now (slowly boiling frogs). Agree it’s entirely ridiculous and should be illegal but who’s going to regulate them? The institutionally-corrupt regulators?

@aral Noob question: Isn't adding this just sort of a request to google not to do shady stuff? Aren't they free to ignore such requests?
