Set feature policy; disable FLoC tracking.

2021-07-06 07:22:34 -05:00 · 2021-07-06 07:22:34 -05:00 · add05efbbf
parent b1c6de0bc4
commit add05efbbf
2 changed files with 12 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -28,6 +28,9 @@ release channel, you can take advantage of these new features and fixes.
  running user inside the Docker containers, to match the one you use in your host operating system.
  Set `AZURACAST_PUID` and `AZURACAST_PGID` in `.env` accordingly; both default to 1000.

+- All up-to-date AzuraCast installations will opt users out of Google's new advertisement tracking system, FLoC. Learn
+  more about this and why we disabled it [here](https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea).
+
 ## Bug Fixes

 - Fixed a bug where files that included certain special non-ASCII characters would never be read or processed.
--- a/src/Middleware/EnforceSecurity.php
+++ b/src/Middleware/EnforceSecurity.php
@ -51,6 +51,15 @@ class EnforceSecurity implements MiddlewareInterface
            $response = $response->withHeader('Strict-Transport-Security', 'max-age=3600');
        }

+        // Opt out of FLoC
+        $permissionsPolicies = [
+            'autoplay=*', // Explicitly allow autoplay
+            'fullscreen=*', // Explicitly allow fullscreen
+            'interest-cohort=()', // Disable FLoC tracking
+        ];
+
+        $response = $response->withHeader('Permissions-Policy', implode(', ', $permissionsPolicies));
+
        // Deny crawling on any pages that don't explicitly allow it.
        $robotsHeader = $response->getHeaderLine('X-Robots-Tag');
        if ('' === $robotsHeader) {