Published at 2021-04-16
Google has recently announced it will start tracking the visitors of your website even if you’re not using Google Analytics or Adsense. Plausible sums it up pretty good, in short:
They put all chrome users in so called “cohorts” which each represent some group of interest. Basically, they stop following individuals through the internet but instead just let the chrome browser do the profiling and targeting for them based on the sites they’ve viewed in the past. The browser then sends a “cohort” identifier to the websites it visits, telling the website (or rather, the ad network used on it) what group that user is part of to show them more relevant ads.
While Google uses this move as a privacy friendly manner by banning third-party cookies (which in itself is a good move) they’re essentially abusing their monopoly power as the company building the biggest browser and the biggest ad network. I’ll leave it to the eff to explain in detail why this is such a bad idea.
FloC is opt-out which means as a website owner, you will need to do something to avoid having your website and its visitors contribute to cohorts rather than opt-in where you would need to include a google script or something like that.
You can do so by sending a
Traefik has a middleware to add custom headers which I’ll use to send the
Permissions-Policy header to the visitors of my site.
To do that, we’ll have to create a middleware with the header first.
Pretty straight forward with traefik, simply create a new config file with this content:
http: middlewares: nofloc: headers: customResponseHeaders: Permissions-Policy: "interest-cohort=()"
(this is using yaml, but it will ofc work with toml just fine)
I like adding these kind of general things to config files so I can use them globally and won’t have to recreate them for each container configuration I use.
Now we can add the
nofloc@file middleware to any traefik router.
If you’re using traefik to expose docker containers to the internet, it would look something like this in a docker-compose file:
whoami: image: traefik/whoami labels: - "traefik.http.routers.whoami.middlewares=nofloc@file"
If you’re like me, you’re probably hosting quite a few services.
While you could just add the middleware by hand to all of these it is a lot easier (and faster) to just add it globally.
Traefik lets you add middlewares to http entrypoints which will basically add them to all services on that entrypoint.
The configuration for our
nofloc middleware is pretty straighforward:
entryPoints: https: address: :443 http: middlewares: - nofloc@file
While changes to files in middlewares are automatically picked up by traefik and don’t require you to restart it you will need to restart traefik every time you change the configuration of the entrypoints.
After doing that, all services using the
https entrypoint will send the
Permissions-Policy header (this blog being one of them).
You can verify this with curl:
$ curl -I https://blog.kolaente.de/2021/04/opting-out-of-googles-federated-learning-of-cohorts-floc-with-traefik-2/ HTTP/2 200 accept-ranges: bytes cache-control: no-cache content-type: text/html; charset=utf-8 date: Fri, 16 Apr 2021 09:55:58 GMT etag: "60795dff-26bb" expires: Thu, 01 Jan 1970 00:00:01 GMT last-modified: Fri, 16 Apr 2021 09:50:55 GMT permissions-policy: interest-cohort=() server: nginx/1.19.10 vary: Accept-Encoding content-length: 9915
A service like this one will also work just fine.
While Killing third-party cookies is great (and browsers like Safari on MacOS have already started doing this) Google abusing its monopoly power to force FloC onto every website user and owner is not. As someone who does not use any Google services, not on my websites nor in my every day usage of the internet, I am not a fan of having to take action on my sites to opt out.
Any questions or suggestions? Hit me up on twitter.
Paramdeo Singh has done a good way to explain how to opt out of FloC when you’re using other setups like nginx, apache, netliy etc. over on his blog.