Our great sponsors
-
webappsec-feature-policy
Discontinued A mechanism to selectively enable and disable browser features and APIs [Moved to: https://github.com/w3c/webappsec-permissions-policy]
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
webappsec-permissions-policy
A mechanism to selectively enable and disable browser features and APIs
https://github.com/w3c/webappsec-feature-policy/blob/master/...
Each feature takes an allowlist, specifying which, if any, origins can use the feature.
No you won't. What BSSID you're connected to isn't sent by any browser. Browsers (as in all of them, including Firefox, see https://location.services.mozilla.com/ ) will use the visible BSSIDs if the website asks for your location & you approve it, but it's not just silently done automatically. It's part of all the existing location permission & request flows (indeed it's how those work on laptops at all in the first place).
It's pretty complicated and my understanding could be wrong and definitely not an expert. All the stupid CIA-style names that keep changing don't help. Turtledove, fledge, sparrow lol.
But from what I think I know that's kind of right technically, but kind of not in terms of actual real privacy.
Yes, the actual browsing data, e.g. for the basic floc cohorts only what amazon product page you visited, is no longer 'sent' to ad networks (that's a pretty big oversimplification of how ad networks track you but for brevity). That data is parsed in your browser to generate a cohort ID for you.
But this cohort ID is exposed to the world document.interestCohort() and is what's used for targeting and tracking.
To me it seems that the cohorts are so small "thousands of people" + IP or UA it's basically the same as a semi-long lasting uuid.
Here's an image from google's site.
https://web-dev.imgix.net/image/80mq7dk16vVEg8BBhsVe42n6zn82...
It also seems like Chrome/google might be still defaulting browser settings to give themselves even more data just like they currently do?
https://github.com/WICG/floc#qualifying-users-for-whom-a-coh...
BUT when you layer on the other proposals (Fledge/Turtledove/Dovekey or whatever) - which I don't understand that much maybe someone else can explain - it seems like it basically collect this page/product level data and makes it available to DSP etc for tracking/ad serving (again if not technically 1:1 basically in consequence given the sizes of these groups).
Like one of the proposals talks about a 'trusted' key/value server which doesn't seem that different from what already happens? The original proposal wanted to move the entire ad bid/target/serve process into the browser.
there is apparently no way to define a default disable either, so to turn off all the random features, the header becomes huge.
https://github.com/w3c/webappsec-permissions-policy/issues/1...
What is happening in w3c?!