Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'


Contents

  1. What Google cohorts (FLoC) are, whether the technology is safe, and how it differs from cookies
  2. Error with Permissions-Policy header: Parse of permissions policy failed
  3. Joomla! Issue Tracker — CMS
  4. [#33212] — [3.9][Privacy] Block usage of FLoC by default
  5. Pending
  6. Issue
  7. Summary of Changes
  8. Testing Instructions
  9. Documentation Changes Required
  10. Handling of this in the future

What Google cohorts (FLoC) are, whether the technology is safe, and how it differs from cookies

Google cohorts are simply groups of users formed around shared interests. Compared with targeting a single user, selecting content for a whole group is much easier. This can be used for advertising, which is exactly what Google did when it introduced FLoC (Federated Learning of Cohorts).

The technology is shipped in current versions of Google's browser (Chrome), for now only as a trial. How does FLoC work? As the user visits pages, the browser accumulates a browsing history and, based on it, assigns the user to a group of users with similar interests. Each group has its own identifier (a cohort ID). The cohort is computed locally, on the client, but its ID is exposed to the sites the user visits through a JavaScript API, so any script on the page, including embedded advertising and analytics scripts, can read it and send it to its own servers.

This technology has drawbacks in terms of security and the privacy of personal preferences, which is exactly what the other browser vendors (Firefox, Opera and others) pointed out. The cohort ID reveals the user's interests, and combined with other signals such as the IP address or a browser fingerprint it makes it easier to single the user out. Knowing the user's interests in turn makes it possible to craft attacks tailored to them.

The difference between FLoC and cookies is obvious. A cookie is stored only in the browser and is sent back only to the host that set it; with the right attributes (Secure, HttpOnly, SameSite) it meets the basic requirements of user security. Assigning the user to a cohort (group) and then handing that information to partners and assorted companies is clearly not the safest way to personalise a site's content and functionality.

Messages can appear in the browser console when working with FLoC, for example:

Error with Permissions-Policy header: Unrecognized feature: 'interest-cohort'

This message comes from a browser that does not implement the interest-cohort feature. The browser ignores that one directive and still applies the rest of the Permissions-Policy header, so the message is informational and does not mean the site is misconfigured. It does show that the treatment of this directive varies from browser to browser and from version to version, because the feature was only ever a trial.

Source

I am getting console log warnings after activating the plugin:

and then the following error which I believe is related:

Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser.

WordPress Version 6.0
WPEngine hosting
Headers Security Advanced & HSTS WP Version 4.8.88
Present on both Firefox & Chrome/Webkit

Any insight is greatly appreciated! Thanks!

Hi @dankfresh, Thank you for installing Headers Security Advanced & HSTS WP.

I am Andrea and I will help you solve the issue you encountered as best as possible.

I will start internal audits and as soon as I finish I will contact you to update you with the solution.

Please help me with this
Every plugin is updated.
Checked with multiple theme same error displaying is Console.

Error with Feature-Policy header: Unrecognized feature: ‘geolocation=(self’.
Error with Feature-Policy header: Unrecognized feature: ‘microphone=()’.
Error with Feature-Policy header: Unrecognized feature: ‘accelerometer=()’.
Error with Feature-Policy header: Unrecognized feature: ‘gyroscope=()’.
Error with Feature-Policy header: Unrecognized origin: ‘(self’.
Error with Feature-Policy header: Unrecognized feature: ‘push=()’.
Error with Feature-Policy header: Unrecognized feature: ‘vibrate=()’.
Error with Feature-Policy header: Unrecognized feature: ‘magnetometer=()’.
Error with Feature-Policy header: Unrecognized feature: ‘interest-cohort=()’.

Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘interest-cohort’.


Hi @prash009 and @dankfresh, Thank you for installing the Headers Security Advanced & HSTS WP plugin.

After your report I did some verification and testing, we have just released a new plugin update (version 4.8.89) this will fix the issue found in the console log.

Also if you need further assistance I will be at your disposal as soon as possible.

That update did the trick! With how often policies and security header compliance changes, I imagine it is difficult keeping up. I appreciate the effort in developing this plugin and the quick turnaround. Thanks!

Hi @dankfresh, thank you for the feedback 🙂 thanks for using Headers Security Advanced & HSTS WP.

We are trying to offer the best assistance in a short time, and I hope you enjoyed it but, most importantly, that it was helpful.

We always try to optimize the plugin and release patches with new headers or improvements for the plugin in a short time.

Thank you for your feedback, and should you need support, I will be here.

You can leave us a review to rate the support and the plugin.

Source

Joomla! Issue Tracker — CMS

[#33212] — [3.9][Privacy] Block usage of FLoC by default

Status: Pending

Issue

As a replacement for third party cookies, Google has introduced the Federated Learning of Cohorts into the Chrome browser lately. This feature is supposed to allow better tracking of users while also keeping data privacy. Details can be read here. The Joomla! project disagrees that this feature is in the interests of the owners of Joomla!-powered websites as well as their visitors. We share the assessment of the EFF as well as many other organisations (Mozilla, Microsoft, Opera, WordPress).

We consider this a security issue and thus will roll out countermeasures with the next bugfix release of the Joomla 3.9 series.

Summary of Changes

This PR introduces a header to disable Federated Learning of Cohorts, which is sent with every request that is handled by the Joomla framework. The header specifically looks like this:
Permissions-Policy: interest-cohort=()
and is the equivalent of opting out of this feature. Please be aware that this only adds this header to requests which go through the Joomla! application. Assets like CSS files, images or javascript are handled by your webserver directly and we would advise to modify the webserver to add this header to every request directly.

If you really want to disable the blocking of this feature, we added a switch in the global configuration to remove this header.

A postinstall message has been added to the database to inform administrators of this decision.

Testing Instructions

Apply this patch and load a random page of your testing site. The answer to your request should contain the above noted header.

Documentation Changes Required

Handling of this in the future

This PR fixes this issue for the 3.9 and 3.10 releases. We will decide on how to implement this countermeasure in 4.0 in the time before the final release.

Category: SQL, Administration, com_admin, com_config, Language & Strings, Libraries

We will decide on how to implement this countermeasure in 4.0 in the time before the final release.

Assets like CSS files, images or javascript are handled by your webserver directly and we would advise to modify the webserver to add this header to every request directly.

Should we also be putting this in htaccess.txt like the other headers like no-sniff? This would then apply the header globally and not only on PHP requests through the app.

"Google is introducing a replacement."

Should the language be written time-independently, so that in a decade it is still true? Maybe something like "In 2021, Google introduced..."

We will decide on how to implement this countermeasure in 4.0 in the time before the final release.

Agreed, we are just still discussing about that. We definitely don’t want the above special case to live on in J4.

Assets like CSS files, images or javascript are handled by your webserver directly and we would advise to modify the webserver to add this header to every request directly.

Should we also be putting this in htaccess.txt like the other headers like no-sniff? This would then apply the header globally and not only on PHP requests through the app.

Maybe, however since most people don’t update their htaccess on a Joomla update, we can’t rely on this alone. Be my guest to add this header to the htaccess.

"Google is introducing a replacement."

Should the language be written time-independently, so that in a decade it is still true? Maybe something like "In 2021, Google introduced..."

I’m happy to accept a changed text PR to this branch.

Agreed, but the htaccess is still the right place for this also to be, over and above this PR. Just thought you might like to add it here for completeness.

I’m happy to accept a changed text PR to this branch.

haha that’s @brianteeman domain 🙂 I only speak crap.

Maybe, however since most people don’t update their htaccess on a Joomla update, we can’t rely on this alone. Be my guest to add this header to the htaccess.

Also need to check if .htaccess has this header, and Joomla outputs this header, do they resolve to a single header, or to two separate duplicated headers in the response — need to test that first.

Such a shame that the project doesn’t take the use of cookies as seriously

Maybe, however since most people don’t update their htaccess on a Joomla update, we can’t rely on this alone. Be my guest to add this header to the htaccess.

Also need to check if .htaccess has this header, and Joomla outputs this header, do they resolve to a single header, or to two separate duplicated headers in the response — need to test that first.

Header has been set in htaccess.txt as well. Testing on my system only showed one header to be sent.

Update SQL scripts for PostgreSQL and for MS SQL Server/SQL Azure are missing.


Have been added. Sorry, it was late yesterday.

Such a shame that the project doesn’t take the use of cookies as seriously

Since J4 has already the system_httpheader and @zero-24 already did the backport for J3 https://github.com/zero-24/plg_system_httpheader why don’t you merge that to J3 (assuming that @zero-24 has no objections)?

Was consideration given to implementing this as a standalone plugin instead of "yet another" configuration option?

Was consideration given to the post-installation message, to have a "condition" for showing it only if not enabled in global config and "a one click action" to implement the change, like the 2FA and the Load Balancer change recently?

Since J4 has already the system_httpheader and @zero-24 already did the backport for J3 zero-24/plg_system_httpheader why don’t you merge that to J3 (assuming that @zero-24 has no objections)?

Was consideration given to implementing this as a standalone plugin instead of "yet another" configuration option?

It was decided to keep the implementation minimal and to not use a separate plugin.

Was consideration given to the post-installation message, to have a "condition" for showing it only if not enabled in global config and "a one click action" to implement the change, like the 2FA and the Load Balancer change recently?

This feature is enabled by default, so people would need to disable it actively. In that case they can also click away the post install message.

We consider this a security issue and thus will roll out countermeasures

This has nothing to do with security, add it in J4 (default off), but don’t force this in J3 in the name of security. At best this is a privacy concern (in the browser).

I see that Joomla is trying to not fall behind WP but please note that WP is NOT including this feature in its code, despite what the tech press misguidedly reported.

Moreover, this is not a definite security or privacy issue. Please do read https://twitter.com/Log3overLog2/status/1384337637763387394 for the whole story. In short, FLoC is only a concern if you include JavaScript which explicitly requests the FLoC cohort. Moreover, FLoC is currently an experiment, not a final implementation. In the few Chrome browsers this experiment is enabled — notably none in the EU, where the author of this PR lives — this is currently an opt-out feature just because it’s the only way to run an experiment of a technology nobody has heard about before. Google seems to indicate that the final implementation is very likely to be opt-in, not opt-out, or at the very least provide a user warning the same way that asking for location data does. It is, in fact, extremely likely to be so because of GDPR and that’s probably why the opt-out format experiment does not run in browsers of EU residents.

Further to that, this has NOTHING AT ALL to do with security. Your site can’t be hacked with FLoC. Maybe — MAYBE — it will have to do with privacy IF AND ONLY IF the final implementation of FLoC is opt-out instead of opt-in. Marking it as a security concern dilutes the importance of fixing real security issues and projects the wrong message to users. If we label speculative, non-security issues as "SECURITY" the users are trained to ignore any security fix as superficial and unimportant, undermining their safety in the long term.

On top of that, sending a Permissions-Policy to disable FLoC doesn’t mean that the user will magically no longer be tracked. In fact, it’s possible that instead of being assigned into a cohort of at least 1000 users he will be otherwise tracked and placed in a finer grained cohort using a different set of tracking technologies including but not limited to ISP detection, IP geolocation, per-user subdomain pinging and so on. FLoC was actually designed to strengthen the privacy by making cohorts large enough so as not to allow individual tracking and deanonymisation. Whether we trust Google to do that is a largely philosophical question, not a technical one. From a technical perspective using the Permissions-Policy might actually prove counter-productive to the stated goal of protecting the user’s privacy.

It is also worth noting that FLoC is only ever enabled if you include JavaScript in your page which uses FLoC (either directly on the page or via an IFRAME). This means that unless you are using analytics, ads or similar technology which uses FLoC-enabled JavaScript there is no placement in a cohort. Pretending that merely using Chrome on any site is magically destroying your privacy is misguided at best.

Based on this, there is no real benefit in including this in Joomla, let alone as a feature enabled by default. We are not protecting anyone from anything, especially the site owner i.e. it’s not a "security" feature. What this feature does is probably disable FLoC if you are using third party ads, analytics etc on your site. Whether it will succeed depends entirely on the implementation. If a third party ad is included in your site via an IFRAME it’s easy for it to add the allow="interest-cohort" in the attribute, nullifying this "protection". It would only work if the FLoC-enabled third-party JS only ever runs in the main page context on your site. Even then, whether it would be something that actually protects your users instead of enabling more tracking for them is something to be determined. Not to mention that we still do not know if Chrome will make it opt-in or display a warning before interest cohorts are used, especially in jurisdictions with strict personally identifiable information legislation.

In short, this PR jumps the shark by a freaking mile.

Finally, the implementation as it stands right now is completely wrong and breaks sites. It replaces the Permissions-Policy header instead of amending it. People who use plugins to set the Permissions-Policy for legal compliance, privacy or security reasons will be very surprised to see that their Permissions-Policy is overwritten and replaced with a BS non-fix of a speculative issue. So, while nothing (or at the very least nothing of importance) is fixed something of actual importance is broken for them! A better way to do it is more like along these lines (from a PR in Admin Tools Professional I have not merged yet for the reasons stated above):

While this won’t overwrite a permissions policy set by a plugin — including Joomla 4’s core feature — it’s still mostly window dressing because it can and will be overwritten by .htaccess or equivalent server-level code if it sets the Permissions-Policy header and can and will be overwritten by IFRAME attributes. As we say in Greece, this is very much like drilling holes in the water.

It’s important to get all the facts straight before jumping the gun and implementing something under a false security banner, even more so when the implementation is plain bad code that breaks another core feature.

Source
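Added example (my own code, not from the Headers Security Advanced & HSTS WP plugin, from Joomla, or from any post in these threads), covering two points raised above: the console lines in the WordPress thread and the Joomla complaint that the patch replaces an existing Permissions-Policy header instead of amending it. Permissions-Policy is an RFC 8941 Structured Fields dictionary (`geolocation=(self "https://maps.example"), microphone=()`), while the older Feature-Policy header has its own grammar (`geolocation 'self'; microphone 'none'`). Sending the Permissions-Policy form inside a Feature-Policy header makes the browser read `geolocation=(self` as a feature name, which is what the `Unrecognized feature` lines above show; inside Permissions-Policy, separating features with `;` or quoting `'self'` Feature-Policy style are among the mistakes that produce `Parse of permissions policy failed because of errors reported by structured header parser`, after which the header is not applied at all. `Origin trial controlled feature not enabled: 'interest-cohort'` is Chrome saying it knows the feature but the FLoC origin trial is not active in that browser; it is informational. The function names and the malformed sample values used here are this example's own; the plugin's real header value is not on this page.

```javascript
// Added example, not code from the plugin, from Joomla or from any post above;
// function names are this example's own. Permissions-Policy is an RFC 8941
// Structured Fields dictionary of inner lists (tokens self, *, src and quoted
// origins): geolocation=(self "https://maps.example"), microphone=()
// parsePermissionsPolicy() reports the mistakes behind "Parse of permissions
// policy failed because of errors reported by structured header parser".
const KEY_RE = /^[a-z*][a-z0-9_\-.*]*$/;                       // RFC 8941 key
const TOKEN_RE = /^[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:/]*$/;   // RFC 8941 token

// Split `text` on `sep` wherever it is not inside (...) or "...".
function splitTopLevel(text, sep) {
  const parts = [];
  let depth = 0, inString = false, current = '';
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      current += ch;
      if (ch === '\\' && i + 1 < text.length) current += text[++i];
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '(') depth++;
    else if (ch === ')') depth--;
    if (ch === sep && depth === 0) { parts.push(current); current = ''; }
    else current += ch;
  }
  parts.push(current);
  return parts;
}

// Parse one allowlist; returns an array, or null after recording an error.
function parseAllowlist(feature, value, errors) {
  let items = [value];                                // bare item, e.g. geolocation=self
  if (value.startsWith('(') && value.endsWith(')')) {
    const inner = value.slice(1, -1).trim();
    items = inner === '' ? [] : inner.split(/\s+/);  // () denies the feature everywhere
  }
  const allowlist = [];
  for (const item of items) {
    if (item.length >= 2 && item.startsWith('"') && item.endsWith('"')) {
      allowlist.push(item.slice(1, -1));              // quoted origin
    } else if (item === 'self' || item === '*' || item === 'src') {
      allowlist.push(item);
    } else {
      errors.push(TOKEN_RE.test(item)
        ? `${feature}: origin ${item} must be a quoted string`
        : `${feature}: ${item} is not a Structured Fields item (Feature-Policy quoting such as 'self' is rejected)`);
      return null;
    }
  }
  return allowlist;
}

function parsePermissionsPolicy(headerValue) {
  const result = { policy: new Map(), errors: [] };
  for (const raw of splitTopLevel(headerValue, ',')) {
    const member = raw.trim();
    if (member === '') { result.errors.push('empty member (stray comma)'); continue; }
    if (splitTopLevel(member, ';').length > 1) {      // ';' starts SF parameters
      result.errors.push(`${member}: separate features with "," not ";"`);
      continue;
    }
    const eq = member.indexOf('=');
    const feature = eq < 0 ? member : member.slice(0, eq);
    if (eq < 0 || !KEY_RE.test(feature)) {
      result.errors.push(`${member}: expected <feature>=(<allowlist>)`);
      continue;
    }
    const allowlist = parseAllowlist(feature, member.slice(eq + 1).trim(), result.errors);
    if (allowlist !== null) result.policy.set(feature, allowlist); // last duplicate wins
  }
  return result;
}

function serializePermissionsPolicy(policy) {
  return [...policy].map(([feature, allowlist]) => `${feature}=(${allowlist
    .map(a => (a === 'self' || a === '*' || a === 'src') ? a : `"${a}"`).join(' ')})`).join(', ');
}

// Legacy Feature-Policy grammar ("feature allowlist; ..."), single-quoted
// 'self'/'src'/'none', origins unquoted: the two headers must not share a value.
function toFeaturePolicy(policy) {
  return [...policy].map(([feature, allowlist]) => {
    const items = allowlist.length === 0 ? ["'none'"]
      : allowlist.map(a => (a === 'self' || a === 'src') ? `'${a}'` : a);
    return `${feature} ${items.join(' ')}`;
  }).join('; ');
}

// Amend rather than replace: keep every feature already in `existing`, then add
// or override those in `additions`, e.g. { 'interest-cohort': [] }.
function mergePermissionsPolicy(existing, additions) {
  const parsed = existing && existing.trim() ? parsePermissionsPolicy(existing)
                                             : { policy: new Map(), errors: [] };
  if (parsed.errors.length) throw new Error(`existing policy invalid: ${parsed.errors.join('; ')}`);
  for (const [feature, allowlist] of Object.entries(additions)) parsed.policy.set(feature, allowlist);
  return serializePermissionsPolicy(parsed.policy);
}
```

`mergePermissionsPolicy('geolocation=(self), camera=()', { 'interest-cohort': [] })` returns `geolocation=(self), camera=(), interest-cohort=()`: the value another plugin or the server already set is read, one directive is added, and the combined dictionary is written back, which is the amend-rather-than-replace behaviour asked for in the Joomla thread. At the web-server level Apache's `Header merge` directive appends a comma-separated value instead of overwriting the header, which keeps the result a valid dictionary. `parsePermissionsPolicy("geolocation=('self'); microphone=()")` returns an error for the `;` separator, and `parsePermissionsPolicy('geolocation=(self https://maps.example)')` returns an error for the unquoted origin, both of which a browser reports only as a failed structured-header parse.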

Topic starter, 27.07.2022 10:18, post #3:

index.html is in the root of the build version of the React app (gh-pages branch); it opens and the styles load, but the app itself is not rendered...



.NET expert, 27.07.2022 11:05, post #4:

The scripts are being looked up under /searchapp, and it is unclear where that is.



.NET expert, 27.07.2022 11:21, post #6:

Yes, I checked in the browser, it loads.
Look for yourself in Chrome DevTools (F12 key). Errors are being thrown there, at least for me.



Topic starter, 27.07.2022 11:33, post #7:

(favicon.png:1 GET https://qmorozov.github.io/searchApp/favicon.png 404)
(Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.)

I only have one error and one warning there, and the error is only because of the favicon...
Strange that if I copy the JS code and paste it into the search field, everything loads and opens, but the app does not work -_-



.NET expert, 27.07.2022 11:36, post #8:

There is some kind of error counter in the console, and it grows by about 10 per second.

unchecked runtime.lastError: The message port closed before a response was received.

But that may be due to my network.



Mukzer (topic starter), 27.07.2022 12:00, post #9:

Best answer: this post was marked as the solution by Rius

Solution

Strange that in this app everything works fine, even though I deployed it the same way...

https://qmorozov.github.io/WeatherApp/
https://github.com/qmorozov/We… e/gh-pages

Added 20 minutes later
In short, I solved the problem...
It was related to react-router.

You need to replace "BrowserRouter" with "HashRouter".

JavaScript:

// react-router-dom v6; HashRouter keeps the route in the URL fragment, which is
// never sent to the server, so a static host such as GitHub Pages always serves index.html
import { HashRouter, Routes, Route } from 'react-router-dom';

<HashRouter>
      <Routes>
            <Route path="/" element={<HomePage />}/>
            <Route path="search" element={<SearchPage />}/>
      </Routes>
</HashRouter>

Thanks everyone for trying to help!



Joomla! Issue Tracker — CMS

[#33212] — [3.9][Privacy] Block usage of FLoC by default

Pending

User tests: Successful: Unsuccessful:

Issue

As a replacement for third party cookies, Google has introduced the Federated Learning of Cohorts into the Chrome browser lately. This feature is supposed to allow better tracking of users while also keeping data privacy. Details can be read here. The Joomla! project disagrees that this feature is in the interests of the owners of Joomla!-powered websites as well as their visitors. We share the assessment of the EFF as well as many other organisations (Mozilla, Microsoft, Opera, WordPress).

We consider this a security issue and thus will roll out countermeasures with the next bugfix release of the Joomla 3.9 series.

Summary of Changes

This PR introduces a header to disable Federated Learning of Cohorts, which is sent with every request that is handled by the Joomla framework. The header specifically looks like this:
Permissions-Policy: interest-cohort=()
and is the equivalent of opting out of this feature. Please be aware that this only adds this header to requests which go through the Joomla! application. Assets like CSS files, images or javascript are handled by your webserver directly and we would advise to modify the webserver to add this header to every request directly.

If you really want to disable the blocking of this feature, we added a switch in the global configuration to remove this header.

A postinstall message has been added to the database to inform administrators of this decision.

Testing Instructions

Apply this patch and load a random page of your testing site. The answer to your request should contain the above noted header.

Documentation Changes Required

Handling of this in the future

This PR fixes this issue for the 3.9 and 3.10 releases. We will decide on how to implement this countermeasure in 4.0 in the time before the final release.

Category SQL Administration com_admin com_config Language & Strings Libraries

We will decide on how to implement this countermeasure in 4.0 in the time before the final release.

Assets like CSS files, images or javascript are handled by your webserver directly and we would advise to modify the webserver to add this header to every request directly.

Should we also be putting this in htaccess.txt like the other headers like no-sniff? This would then apply the header globally and not only on PHP requests through the app.

«Google is introducing a replacement. «

Should the language be written time independently, so that in a decade it is still true? Maybe something like «In 2021, Google introduced. «

We will decide on how to implement this countermeasure in 4.0 in the time before the final release.

Agreed, we are just still discussing about that. We definitely don’t want the above special case to live on in J4.

Assets like CSS files, images or javascript are handled by your webserver directly and we would advise to modify the webserver to add this header to every request directly.

Should we also be putting this in htaccess.txt like the other headers like no-sniff? This would then apply the header globally and not only on PHP requests through the app.

Maybe, however since most people don’t update their htaccess on a Joomla update, we can’t rely on this alone. Be my guest to add this header to the htaccess.

«Google is introducing a replacement. «

Should the language be written time independently, so that in a decade it is still true? Maybe something like «In 2021, Google introduced. «

I’m happy to accept a changed text PR to this branch.

Agreed, but the htaccess is still the right place for this also to be, over and above this PR. Just thought you might like to add it here for completeness.

I’m happy to accept a changed text PR to this branch.

haha that’s @brianteeman domain 🙂 I only speak crap.

Maybe, however since most people don’t update their htaccess on a Joomla update, we can’t rely on this alone. Be my guest to add this header to the htaccess.

Also need to check if .htaccess has this header, and Joomla outputs this header, do they resolve to a single header, or to two separate duplicated headers in the response — need to test that first.

Such a shame that the project doesn’t take the use of cookies as seriously

Maybe, however since most people don’t update their htaccess on a Joomla update, we can’t rely on this alone. Be my guest to add this header to the htaccess.

Also need to check if .htaccess has this header, and Joomla outputs this header, do they resolve to a single header, or to two separate duplicated headers in the response — need to test that first.

Header has been set in htaccess.txt as well. Testing on my system only showed one header to be sent.

Update SQL scripts for PostgreSQL and for MS SQL Server/SQL Azure are missing.

Category SQL Administration com_admin com_config Language & Strings Libraries SQL Administration com_admin Postgresql MS SQL com_config Language & Strings Libraries

Have been added. Sorry, it was late yesterday.

Such a shame that the project doesn’t take the use of cookies as seriously

Since J4 has already the system_httpheader and @zero-24 already did the backport for J3 https://github.com/zero-24/plg_system_httpheader why don’t you merge that to J3 (assuming that @zero-24 has no objections)?

Was consideration given to implement this as a standalone Plugin instead of «yet another» configuration option?

Was consideration given to the Post Installation message, to have «condition» for showing only if not enabled in global config and «a one click action» to implement the change like the 2FA and the Load Balancer change recently?

Since J4 has already the system_httpheader and @zero-24 already did the backport for J3 zero-24/plg_system_httpheader why don’t you merge that to J3 (assuming that @zero-24 has no objections)?

Was consideration given to implement this as a standalone Plugin instead of «yet another» configuration option?

It was decided to keep the implementation minimal and to not use a separate plugin.

Was consideration given to the Post Installation message, to have «condition» for showing only if not enabled in global config and «a one click action» to implement the change like the 2FA and the Load Balancer change recently?

This feature is enabled by default, so people would need to disable it actively. In that case they can also click away the post install message.

We consider this a security issue and thus will roll out countermeasures

This has nothing to do with security, add it in J4 (default off), but don’t force this in J3 in the name of security. At best this is a privacy concern (in the browser).

I see that Joomla is trying to not fall behind WP but please note that WP is NOT including this feature in its code, despite what the tech press misguidedly reported.

Moreover, this is not a definite security or privacy issue. Please do read https://twitter.com/Log3overLog2/status/1384337637763387394 for the whole story. In short, FLoC is only a concern if you include JavaScript which explicitly requests the FLoC cohort. Moreover, FLoC is currently an experiment, not a final implementation. In the few Chrome browsers this experiment is enabled — notably none in the EU, where the author of this PR lives — this is currently an opt-out feature just because it’s the only way to run an experiment of a technology nobody has heard about before. Google seems to indicate that the final implementation is very likely to be opt-in, not opt-out, or at the very least provide a user warning the same way that asking for location data does. It is, in fact, extremely likely to be so because of GDRP and that’s probably why the opt-out format experiment does not run in browsers of EU residents.

Further to that, this has NOTHING AT ALL to do with security. Your site can’t be hacked with FLoC. Maybe — MAYBE — it will have to do with privacy IF AND ONLY IF the final implementation of FLoC is opt-out instead of opt-in. Marking it as a security concern dilutes the importance of fixing real security issues and projects the wrong message to users. If we label speculative, non-security issues as «SECURITY» the users are trained to ignore any security fix as superficial and unimportant, undermining their safety in the long term.

On top of that, sending a Permissions-Policy to disable FLoC doesn’t mean that the user will magically no longer be tracked. In fact, it’s possible that instead of being assigned into a cohort of at least 1000 users he will be otherwise tracked and placed in a finer grained cohort using a different set of tracking technologies including but not limited to ISP detection, IP geolocation, per-user subdomain pinging and so on. FLoC was actually designed to strengthen the privacy by making cohorts large enough so as not to allow individual tracking and deanonymisation. Whether we trust Google to do that is a largely philosophical question, not a technical one. From a technical perspective using the Permissions-Policy might actually prove counter-productive to the stated goal of protecting the user’s privacy.

It is also worth noting that FLoC is only ever enabled if you include JavaScript in your page which uses FLoC (either directly on the page or via an IFRAME). This means that unless you are using analytics, ads or similar technology which uses FLoC-enabled JavaScript there is no placement in a cohort. Pretending that merely using Chrome on any site is magically destroying your privacy is misguided at best.

Based on this, there is no real benefit in including this in Joomla, let alone as a feature enabled by default. We are not protecting anyone from anything, especially the site owner i.e. it’s not a «security» feature. What this feature does is probably disable FLoC if you are using third party ads, analytics etc on your site. Whether it will succeed depends entirely on the implementation. If a third party ad is included in your site via an IFRAME it’s easy for it to add the allow=»interest-cohort» in the attribute, nullifying this «protection». It would only work if the FLoC-enabled third-party JS only ever runs in the main page context on your site. Even then, whether it would be something that actually protects your users instead of enabling more tracking for them is something to be determined. Not to mention that we still do not know if Chrome will make it opt-in or display a warning before interest cohorts are used, especially in jurisdictions with strict personally identifiable information legislation.

In short, this PR jumps the shark by a freaking mile.

Finally, the implementation as it stands right now is completely wrong and breaks sites. It replaces the Permissions-Policy header instead of amending it. People who use plugins to set the Permissions-Policy for legal compliance, privacy or security reasons will be very surprised to see that their Permissions-Policy is overwritten and replaced with a BS non-fix of a speculative issue. So, while nothing (or at the very least nothing of importance) is fixed something of actual importance is broken for them! A better way to do it is more like along these lines (from a PR in Admin Tools Professional I have not merged yet for the reasons stated above):

While this won’t overwrite a permissions policy set by a plugin — including Joomla 4’s core feature — it’s still mostly window dressing because it can and will be overwritten by .htaccess or equivalent server-level code if it sets the Permissions-Policy header and can and will be overwritten by IFRAME attributes. As we say in Greece, this is very much like drilling holes in the water.

It’s important to get all the facts straight before jumping the gun and implementing something under a false security banner, even more so when the implementation is plain bad code that breaks another core feature.

Источник

What Google cohorts (FLoC) are, whether the technology is safe, and how it differs from cookies

Google cohorts are simply groups formed around particular preferences. Compared with targeting a single user, tailoring content to a group of users is much easier. This can be used for advertising, which is exactly what Google did: it introduced the FLoC (Federated Learning of Cohorts) technology.

The technology is being rolled out in current versions of Google's browser (Chrome); for now it is still at the testing stage. How does FLoC work? When a user visits a page, the browser records the history, and on the basis of that history it assigns the user to a group with the same topic. These groups have their own identifiers (group IDs); the data is stored on the client side and is also sent to processing servers.

However, the technology has drawbacks in terms of security and the privacy of personal preferences. Other browser vendors, such as Firefox and Opera, have said as much. There is a potential way to identify a user and to learn their preferences and which groups they belong to. All of this makes the user's personal preferences a target for attackers, since the user's interests can be inferred and attacks built on them.

The differences between FLoC and cookies are quite clear: cookies are stored only in the browser and, used correctly, meet basic user-security requirements, whereas assigning a user to a cohort (group) and then sending that information to partners and various companies is obviously not the safest way to personalise a site's content and functionality.

Errors can also occur when working with FLoC, for example:

Error with Permissions-Policy header: Unrecognized feature: ‘interest-cohort’ (that is, the Permissions-Policy header names a feature the browser does not recognise: the interest cohort).

This means the site's settings need to be reviewed, the right conditions for sending headers added, and so on. Also keep FLoC's compatibility with different browsers in mind, since the technology is new.

Source


Google recently announced the rollout of Federated Learning of Cohorts (FLoC) as part of its Privacy Sandbox initiative, which aims to replace third-party cookies with a new user-profiling method that collects data generated directly by the browser.

The Electronic Frontier Foundation (EFF) has published an overview of FLoC and the risks associated with it, and has built a useful tool for checking whether a user's browser is being used to collect data and fingerprint the device.

[Image: site for checking whether FLoC is enabled in your browser]

Notes: the EFF observes that instead of eliminating the problem, Google is creating new ones. If any site can obtain cohort data, the conditions arise for pre-emptive hard filtering of whole groups of users based on their aggregated preferences. Among the new risks they also highlight an incentive for more intensive use of indirect user-identification methods (browser fingerprinting) that rely on specific settings and hardware characteristics.

Plausible Analytics has also joined in with an article explaining what FLoC means for users and developers, which served as the inspiration for this short guide.

The FLoC header

The main way an end user can avoid FLoC is simply not to use Chrome and instead choose a privacy-respecting browser such as Mozilla Firefox.

But website owners can also make sure their web servers do not take part in this huge network by opting out of FLoC.

To do so, add the following custom HTTP response header:

Permissions-Policy: interest-cohort=()

This guide gives instructions for adding custom HTTP response headers in the configuration of web servers and proxy servers.

NGINX

Add the following to your NGINX configuration file. Note that NGINX inherits add_header directives from the enclosing level only when the current level defines none of its own, so put this line alongside any other add_header lines already present in that block rather than in a block of its own:

# /etc/nginx/sites-available/default.conf

server {
    location / {
        add_header Permissions-Policy interest-cohort=();
        ...
    }
}

Restart NGINX with the command service nginx restart

Apache

Add the following directive to your Apache configuration file:

# /www/htdocs/example.com/.htaccess

<IfModule mod_headers.c>
  Header always set Permissions-Policy: interest-cohort=()
</IfModule>

Restart Apache with the command service apache2 restart

Caddy

Add the following to your Caddyfile:

# Caddyfile

example.com {
    header Permissions-Policy "interest-cohort=()"
    ...
}

Reload Caddy with the command caddy reload

Lighttpd

Add the following to your Lighttpd configuration file:

# /etc/lighttpd/lighttpd.conf

server.modules += ( "mod_setenv" )

setenv.add-response-header = ( "Permissions-Policy" => "interest-cohort=()" )

Restart Lighttpd with the command service lighttpd restart

Netlify

Add the following to your Netlify configuration file:

# netlify.toml

[[headers]]
  for = "/*"
  [headers.values]
    Permissions-Policy = "interest-cohort=()"

If you prefer to use a _headers file instead of the TOML configuration file, add the following to that file instead of the lines above:

# _headers

/*
  Permissions-Policy: interest-cohort=()

On the next build or deploy, Netlify will add and serve the headers.

GitHub Pages

There is currently no way to add custom HTTP headers when using GitHub Pages. There is a workaround, however: adding meta tags to the pages themselves.

Add the following to the <head> section of your HTML:

<meta http-equiv="Permissions-Policy" content="interest-cohort=()"/>

GitLab Pages

As with GitHub, there is no way to add custom HTTP headers when using GitLab Pages, so you will have to use the same method as above and set the directives in the HTML itself.

However, if you run GitLab Community Edition, you can set the headers by adding the following to your gitlab.rb file:

# gitlab.rb

gitlab_pages['headers'] = [ "Permissions-Policy: interest-cohort=()" ]

You can also specify the headers when starting the GitLab Pages binary:

./gitlab-pages -header "Permissions-Policy: interest-cohort=()"

Cloudflare Workers

You can create the following Worker Script to set the response headers:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  let response = await fetch(request)
  let newHeaders = new Headers(response.headers)
  newHeaders.set("Permissions-Policy", "interest-cohort=()")

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders
  })
}

Add this Worker Script to the domain by setting that domain as the Worker Route.
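The Worker above calls newHeaders.set(...), which has the same defect the Joomla reviewer describes: any Permissions-Policy the origin already sent (from a plugin, .htaccess or the application) is silently replaced rather than amended. The following is an added example, not code from the Joomla PR, the Plausible guide or the Worker above; amendResponseHeaders is a hypothetical helper that works on any object exposing get()/set(), such as the Fetch API Headers class used in Workers or a Map.

```javascript
// Added example: amend an existing Permissions-Policy header instead of replacing it.
// Parses the header's dictionary syntax ("feature=(allowlist), feature2=...") so that
// directives already set by the site owner survive, and only adds interest-cohort=()
// when the feature is not already declared.

const HEADER_NAME = 'Permissions-Policy';
// Feature names are structured-field keys: a lowercase letter, then letters, digits or '-'.
const FEATURE_TOKEN = /^[a-z][a-z0-9-]*$/;

// Split a header value on the commas that separate dictionary members, ignoring
// commas that sit inside a parenthesised allowlist or a quoted origin.
function splitTopLevel(value) {
  const parts = [];
  let depth = 0;
  let quoted = false;
  let current = '';
  for (const ch of value) {
    if (ch === '"') quoted = !quoted;
    else if (!quoted && ch === '(') depth += 1;
    else if (!quoted && ch === ')') depth -= 1;
    if (ch === ',' && depth === 0 && !quoted) {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Parse "feature=allowlist, feature2=allowlist2" into an insertion-ordered Map.
// A member without '=' is kept verbatim (null allowlist) so nothing the site
// owner configured is rewritten on the way through.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  for (const member of splitTopLevel(value || '')) {
    const eq = member.indexOf('=');
    const feature = (eq === -1 ? member : member.slice(0, eq)).trim();
    const allowlist = eq === -1 ? null : member.slice(eq + 1).trim();
    policy.set(feature, allowlist);
  }
  return policy;
}

function serializePermissionsPolicy(policy) {
  return Array.from(policy, ([feature, allowlist]) =>
    allowlist === null ? feature : `${feature}=${allowlist}`
  ).join(', ');
}

// Add `feature=allowlist` only if the feature is not yet declared. An existing
// declaration wins: a policy that already mentions interest-cohort (even with a
// permissive allowlist) is the site owner's decision, not ours to overwrite.
function amendPermissionsPolicy(existingValue, feature, allowlist) {
  if (!FEATURE_TOKEN.test(feature)) {
    throw new Error(`invalid Permissions-Policy feature name: ${feature}`);
  }
  const policy = parsePermissionsPolicy(existingValue);
  if (!policy.has(feature)) policy.set(feature, allowlist);
  return serializePermissionsPolicy(policy);
}

// Hypothetical helper: apply the amendment to a headers object with get()/set()
// (Fetch API Headers in a Worker, or a Map in tests). Returns the final value.
function amendResponseHeaders(headers, feature = 'interest-cohort', allowlist = '()') {
  const existing = headers.get(HEADER_NAME) || '';
  const merged = amendPermissionsPolicy(existing, feature, allowlist);
  headers.set(HEADER_NAME, merged);
  return merged;
}
```

In the Worker, replace the newHeaders.set("Permissions-Policy", ...) line with amendResponseHeaders(newHeaders).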

WordPress

WordPress lets you set headers from its own code base via hooks. Add the following code to the end of the active theme's functions.php file:

function disable_floc($headers) {
    $headers['Permissions-Policy'] = 'interest-cohort=()';
    return $headers;
}

add_filter('wp_headers', 'disable_floc');

Save the file in the WordPress admin panel. All new requests will carry the required header.

If you use any caching mechanisms or plugins (for example NGINX's FastCGI cache, W3 Total Cache and so on), you will need to purge the cache so that it is repopulated with the additions above.



Kevin Tanuwijaya

Guest



Kevin Tanuwijaya Asks: Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘interest-cohort’
I'm trying to host my project on GitHub Pages. The project works fine on localhost, but on GH Pages I get a blank page and an error like this in the console:

Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘interest-cohort’.

SolveForum.com may not be responsible for the answers or solutions given to any question asked by the users. All Answers or responses are user generated answers and we do not have proof of its validity or correctness. Please vote for the answer that helped you in order to help others find out which is the most helpful answer. Questions labeled as solved may be solved or may not be solved depending on the type of question and the date posted for some posts may be scheduled to be deleted periodically. Do not hesitate to share your response here to help other visitors like you. Thank you, solveforum.
