The current quiet tech battle being fought is against Google’s Federated Learning of Cohorts, or FLoC, which Google is pushing as its alternative to third-party cookies. The Verge explains it better than I could, so I’ll link it and call it a day on that part.
I don’t use tracking or invasive analytics on my site and never will, so let’s make sure it’s difficult for Google as well.
How do we stop it, if it’s browser based?
There’s a new HTTP header we can use, Permissions-Policy. We can set this on our CloudFront origin easily enough to disable (we hope) FLoC in the browser on our site. W3C has a full spec available with examples if you’re interested in reading more.
Adding the header
Configuring the Lambda
We need a Lambda to do this for us; I’m going to use a JS one:
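exports.handler = (event, context, callback) => {
    // CloudFront passes the response it is about to return to the viewer.
    const response = event.Records[0].cf.response;
    // The map key is the lowercased header name; `key` carries the casing sent on the wire.
    // An empty allowlist "()" disables interest-cohort (FLoC) for every origin.
    response.headers['permissions-policy'] = [{
        key: 'Permissions-Policy',
        value: 'interest-cohort=()',
    }];
    // Hand the modified response back to CloudFront.
    callback(null, response);
};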
It’s important to note that the key for the response.headers dictionary needs to match the key value in the object.
Create and publish this Lambda in us-east-1, as well as creating a version.
You will also need to update the IAM role to be assumable by both lambda.amazonaws.com and edgelambda.amazonaws.com so that CloudFront can use it. Your Trust relationship should look similar to this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "edgelambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Hooking the Lambda into CloudFront
Next we need to get CloudFront to call the Lambda on a viewer response. Navigate to the distribution panel and click on the distribution you’re adding the header to.
From here, click onto the behaviors tab, and enter the behavior edit screen.
Scroll to the bottom, where the Lambda Function Associations section is.
You’ll need to add a Viewer Response event handler, and, in the ARN box, enter your Lambda ARN with a version. It should look a little like this when you tack the version on the end:
arn:aws:lambda:us-east-1:123456789101:function:block-floc:2
Test the site
Finally, hit the “Yes, Edit” button and see if you can curl the headers down.
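The check below is an added example, not part of the original post: it parses a response-header dump of the kind `curl -sI` prints and reports whether `interest-cohort` carries the empty allowlist `()`. The function names and the sample responses are constructed for illustration.

```javascript
// Split a Permissions-Policy value on commas that sit outside (...) allowlists.
// Assumption: quoted origins in an allowlist contain no commas or parentheses.
function splitDirectives(value) {
  const parts = [];
  let depth = 0;
  let current = '';
  for (const ch of value) {
    if (ch === '(') depth++;
    if (ch === ')') depth--;
    if (ch === ',' && depth === 0) {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Report how a raw header dump treats the interest-cohort feature.
function checkFlocOptOut(rawHeaders) {
  const policy = new Map();
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // status line or blank line
    // Header names are case-insensitive, so compare in lowercase.
    if (line.slice(0, idx).trim().toLowerCase() !== 'permissions-policy') continue;
    for (const directive of splitDirectives(line.slice(idx + 1))) {
      const eq = directive.indexOf('=');
      const feature = eq === -1 ? directive : directive.slice(0, eq).trim();
      // A repeated feature overrides the earlier one (last value wins).
      policy.set(feature, eq === -1 ? '' : directive.slice(eq + 1).trim());
    }
  }
  const allowlist = policy.has('interest-cohort') ? policy.get('interest-cohort') : null;
  // Only the empty allowlist "()" turns the feature off for every origin.
  return { allowlist, optedOut: allowlist !== null && allowlist.replace(/\s+/g, '') === '()' };
}

// Constructed sample responses (not captured from a real site).
const SAMPLE_OK = 'HTTP/2 200\r\ncontent-type: text/html\r\n' +
  'Permissions-Policy: geolocation=(self), interest-cohort=()\r\n\r\n';
const SAMPLE_SELF = 'HTTP/2 200\r\npermissions-policy: interest-cohort=(self)\r\n\r\n';
const SAMPLE_MISSING = 'HTTP/2 200\r\ncontent-type: text/html\r\n\r\n';

for (const [name, raw] of Object.entries({ SAMPLE_OK, SAMPLE_SELF, SAMPLE_MISSING })) {
  console.log(name, checkFlocOptOut(raw));
}
```

A missing header and a non-empty allowlist such as `(self)` both report `optedOut: false`, which separates "the Lambda is not attached" from "the header is there but does not disable the feature".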
I hope more people opt out of this crap; it’ll take a sharp and decisive “No” to get Google to back off. Until then, you can use Am I FLoCed to see if your Chrome install has been opted in to the beta.