From 7ba5afcec48683945704f15ba651e7b4f9794d07 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Fri, 16 Apr 2021 12:40:23 +0300
Subject: [PATCH] roles/nginx: Opt out of Google FLoC

Google's new Federated Learning of Cohorts (FLoC) will read user's browser history and assign them to cohorts to track them unless we set this header.
---
 roles/nginx/files/extra-security.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/nginx/files/extra-security.conf b/roles/nginx/files/extra-security.conf
index 5265138..39686c0 100644
--- a/roles/nginx/files/extra-security.conf
+++ b/roles/nginx/files/extra-security.conf
@@ -15,3 +15,6 @@ add_header X-XSS-Protection "1; mode=block" always;
 # CSP can be quite difficult to configure, and cause real issues if you get it wrong
 # There is website that helps you generate a policy here http://cspisawesome.com/
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
+
+# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
+add_header Permissions-Policy interest-cohort=() always;
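Review bot: The added `add_header Permissions-Policy interest-cohort=() always;` only reaches responses from contexts that declare no `add_header` of their own, because nginx inherits `add_header` directives from the enclosing level only when the current level defines none. Where extra-security.conf is included is not visible in this hunk, so it is worth confirming that no `location` block under that scope sets its own headers; otherwise the opt-out, and the other headers in this file, would be silently missing from those responses. For consistency with the quoted value on the X-XSS-Protection line, I would also quote the new one: `add_header Permissions-Policy "interest-cohort=()" always;`.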