
Textpattern CMS support forum


#73 2021-04-16 10:47:46

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,288
Website GitHub

Re: Fook Google and its fookin' sheet

gaekwad wrote #329875:

That’s the plan, anyway.

Nice.

Wasn’t implying you should do it now! Just had a quick peek at the files out of curiosity and the reduce, reuse, recycle part of my head kicked in and wanted to make sure we weren’t missing a trick given the limitations of Nginx’s header implementation. All good.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#74 2021-04-16 10:51:09

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,531
GitHub

Re: Fook Google and its fookin' sheet

Bloke wrote #329876:

Just had a quick peek at the files out of curiosity and the reduce, reuse, recycle part of my head kicked in and wanted to make sure we weren’t missing a trick given the limitations of Nginx’s header implementation.

Trust me, way ahead of you there! I tried generic includes for various sites, but they start becoming more of a faff to maintain…couldn’t think of a per-policy naming scheme that would allow one config snippet across multiple domains, especially with new directives being added, and per-site quirks, all of that.

Computers are hard sometimes, man.

Offline

#75 2021-04-17 04:02:36

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 8,616
Website GitHub Twitter

Re: Fook Google and its fookin' sheet

Some good news via the Verge

Major browsers, including Firefox, Edge, Brave, and Vivaldi decline to join Google’s proposed FLoC to replace third-party cookies.


Yiannis
——————————
neme.org | hblack.net | State Machines | NeMe @ github
I do my best editing after I click on the submit button.

Offline

#76 2021-04-17 23:56:53

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,359
Website

Re: Fook Google and its fookin' sheet

gaekwad wrote #329858:

Effective from 2000UTC today (about 25 minutes from the time of this post), all self-hosted Textpattern network sites will have interest-cohort() headers set across all pages

On a related note, would it be beneficial to mention this on the Textpattern privacy page? There is already an item on third-party behavioural tracking — which I understand as being about trackers that the site-owner has added.


Where is that emoji for a solar powered submarine when you need it ?

Offline

#77 2021-04-18 14:39:31

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 8,616
Website GitHub Twitter

Re: Fook Google and its fookin' sheet

phiw13 wrote #329887:

On a related note, would it be beneficial to mention this on the Textpattern privacy page? There is already an item on third-party behavioural tracking — which I understand as being about trackers that the site-owner has added.

I’m actually looking at it and I believe that it should change from

h3. Does our site allow third-party behavioural tracking?

It’s also important to note that we do not allow third-party behavioural tracking.

to

h3. Behavioural tracking

The site does not have installed or make use of any third-party behavioural tracking scripts or utilities.


Offline

#78 2021-04-19 08:19:09

element
Member
Registered: 2009-11-18
Posts: 94

Re: Fook Google and its fookin' sheet

WordPress is treating it as a security concern.

Will Textpattern do something similar?

Last edited by element (2021-04-19 08:31:41)

Offline

#79 2021-04-19 08:48:52

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,288
Website GitHub

Re: Fook Google and its fookin' sheet

element wrote #329894:

WordPress is treating it as a security concern. Will Textpattern do something similar?

Interesting, thanks for the link. The polarised nature of the comments in that thread (so far) shows that Pete is right: we should raise awareness of this FLoC issue – in documentation and/or as a blog post – and provide information for people on how to opt in or out. But we should not make assumptions on whether an admin would want to disable it by default.

There are a few things we’ve noticed recently that would be of benefit to mention in the installation/upgrade readme files to do with tightening security wholesale after uploading the files from a Textpattern release bundle. I think we should take this opportunity to direct people from those files to a well-known document on one of our public channels that outlines our stance on security and the steps people can take to relax or tighten as their situation dictates.

We have some post-installation steps somewhere that are in the process of being rewritten (or maybe they’re already done – I’ve lost track a bit). These would be an ideal place to branch to discussions of security best practices, recommendations, and the options that admins can employ to suit their site requirements.

How’s that?


Offline

#80 2021-04-19 08:56:10

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,359
Website

Re: Fook Google and its fookin' sheet

Bloke wrote #329895:

How’s that?

I would tend to agree with that, at the current stage: a blog post followed by some extensive documentation on steps to take to further secure an installation. The current FLoC implementation is relatively easy to block from the site-admin’s side (Apache htaccess, etc).


Offline
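
Added example, not part of any post in this thread and not Textpattern's own code: a small Python check that classifies whether a response's Permissions-Policy header carries the `interest-cohort=()` opt-out discussed above. The function names and the sample headers are constructed for illustration.

```python
# Added example; function names and sample header values are constructed.
def split_top_level(value):
    """Split on commas that sit outside quotes and parentheses."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and not quoted and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_permissions_policy(values):
    """Return {feature: allowlist}; repeated headers merge, last entry wins."""
    policy = {}
    for value in values:
        for member in split_top_level(value):
            name, _, allowlist = member.partition("=")
            policy[name.strip().lower()] = allowlist.strip()
    return policy

def floc_status(headers):
    """headers is a list of (name, value) pairs from one HTTP response."""
    values = [v for k, v in headers if k.lower() == "permissions-policy"]
    if not values:
        return "no-policy"
    policy = parse_permissions_policy(values)
    if "interest-cohort" not in policy:
        return "not-mentioned"
    allowlist = policy["interest-cohort"]
    # Only the empty allowlist "()" turns the feature off for the document.
    if allowlist.replace(" ", "") == "()":
        return "opted-out"
    return "not-opted-out:" + allowlist

SAMPLES = {  # constructed responses
    "opt-out": [("Permissions-Policy", 'geolocation=(self), interest-cohort=()')],
    "other-only": [("permissions-policy", "camera=(), microphone=()")],
    "none": [("Content-Type", "text/html")],
    "allowed": [("Permissions-Policy", 'interest-cohort=(self "https://ads.example")')],
}
RESULTS = {name: floc_status(h) for name, h in SAMPLES.items()}
```

Run it against every response type a site serves (pages, error pages, redirects), since a header set in one server block is not necessarily sent from another.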

#81 2021-04-19 10:04:38

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,514
Website GitHub Twitter

Re: Fook Google and its fookin' sheet

I’ve been on holiday for a week and just seeing this thread. Seems a lot of worry about FLoC – but you know it’s only a legitimate issue if you serve third party ads from your domain, right?

Us adding interest-cohort to our Permissions Policy makes zero difference (as I stripped third party ad scripts out of our official site(s) years ago) apart from the forum where maybe allowing YouTube videos and Twitter tweets to be embedded via an iframe by users could trigger FLoC (I’ve yet to find any info to support that theory though).

Heck, interest-cohort isn’t even a part of the W3C spec for Permissions Policy, it’s just something Google came up with themselves, which I’m loath to include as it legitimises this whole shady practice in the first place.

TLDR; if you are worried about FLoC then maybe you shouldn’t be serving third party ads from your sites in the first place.

Offline

#82 2021-04-19 10:16:21

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,288
Website GitHub

Re: Fook Google and its fookin' sheet

Good points, well made.

The information I’ve read to date (not much) seems to be up in arms about this being technology to track everything you do in your browser and send it to advertisers when you land on a site that does have ads. But maybe that’s wrong. Maybe it only sends aggregated FLoC data from sites that have ads to the advertising network and ignores data from any sites you visited that didn’t have them?

I’m not sure how valuable that information would be to advertisers. If I visited 50 sites about trainers that didn’t collect any info (no ads on them) and then landed on one site about trainers that did have an ad, would the previous 50 clicks from my history be sent on as part of the group of people interested in footwear? Or would they only see this one latest click, which might not be a strong enough signal to include in the cohort, until I click on a bunch more sneaker sites that contain ads?

If the latter, then yep: no issue. Just don’t serve ads. If the former, well that’s potentially invasive so maybe there’s cause for concern and a use case for including the header on your site whether you serve ads or not so your visitors don’t end up in a bucket somewhere if they use Chrome. I’ll have to read up on it.

EDIT: Ugh, latter/former mixup. Wake up, Stef.

EDIT 2: And I haven’t used Chrome since it borked after updating to Mojave. Uninstalled, haven’t looked back.

Last edited by Bloke (2021-04-19 10:22:05)


Offline

#83 2021-04-19 10:21:06

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,514
Website GitHub Twitter

Re: Fook Google and its fookin' sheet

Also, don’t use Chrome as your browser if you don’t want Google tracking you. I don’t personally use it (apart from in the dev process) – it’s pretty simple.

Offline

#84 2021-04-19 10:51:56

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,531
GitHub

Re: Fook Google and its fookin' sheet

element wrote #329894:

WordPress is treating it as a security concern.

Sort of. make.wordpress.org is more of an issue tracker / discussion board than official policy.

Offline
