Last week WordPress contributors began a heated discussion regarding blocking FLoC (Federated Learning of Cohorts). Google’s experimental alternative to third-party cookies has become a highly contentious topic that made its way into last week’s Core developers meeting.
Representatives from the Chrome team also attended the meeting to clear up any confusion and answer questions about how FLoC currently works. They related that during the FLoC Origin Trial (the process by which Chrome introduces new proposed APIs for feedback from developers), a page will only be included in the browser’s FLoC computation for one of two reasons:
“In the final end state, we expect the way FLoC will work is that the only pages that will be relevant to calculating your cohort are the pages that call the FLoC API,” Chrome representative Michael Kleber said. “So pages will ‘opt in’ by using some new JS function call.”
Since FLoC is still in the beginning stages, the Chrome team cannot confirm the final behavior for what pages will be included in FLoC calculations. At this point, it seems like it will primarily affect publishers and ad-supported websites in the future.
Although the authors and proponents of the proposal prescribed immediate action, WordPress’ leadership has determined that an implementation discussion is premature at this time.
“I am now amending my posted request for a reworking of the proposal – I do not want to see another proposal for action in WordPress right now,” WordPress lead developer Helen Hou-Sandí said during the meeting. “What we need is a Trac ticket where we track the status of the FLoC trial/implementation and discuss periodically to see if action is needed. I have an opinion, but it’s not really relevant at this time, and I think more of us should be comfortable with that idea.”
The Chrome team did not expect that many people would be considering FLoC at this point, as Origin Trials generally only attract a handful of people who are curious about the technical details. FLoC gained more widespread attention after the critical article from EFF. The original proposal on make.wordpress.org also attracted media attention due to its confusing approach, premature assumptions, and lack of critical peer review.
Peter Wilson commented on behalf of WordPress’ security team after meeting to discuss the issue, stating that it is unequivocally not a security concern:
Treating this as WordPress currently treats any other security issue would require releasing 21 versions of WordPress. As identified in other comments on this thread, it would also break the implicit contract of security releases by including an enhancement in the release.
As a result of these considerations, the security team have concluded that treating this as a security issue is inappropriate.
Whether this is suitable to be included in WordPress and subsequently released as part of the next 5.7.x maintenance release are discussions for the Core team. The security team do not have a consensus view on these questions.
Hou-Sandí opened a ticket where discussion continues on the implications of FLoC. As more information becomes available from Chrome’s Origin Trial, WordPress contributors will be better prepared to discuss how it may affect publishers and whether a core block, privacy setting, or other action is necessary.