This article is more than 1 year old

WordPress core contributor proposes treating Google FLoC as a security vulnerability

Let's opt every WordPress site out of FLoC. Nice idea, but security update? Really?

A proposal by a WordPress core contributor to treat Google's FLoC ad tech as a security vulnerability, and therefore backport an automatic opt-out to previous WordPress versions, shows the depth of community opposition to the technology.

FLoC (Federated Learning of Cohorts) is Google’s scheme to replace third-party cookies with an ad personalisation system based on groups of users. It has run into wide opposition from privacy advocates and browser makers, but Google has nonetheless pressed ahead with trials in the current version of Chrome.

Now a WordPress Core contributor has proposed treating “FLoC as a security concern.”

The proposal is significant because WordPress is the most popular content management system on the web, with around a 40 per cent market share according to builtwith. It relies on the fact that websites can opt out of FLoC via a new interest-cohort permission policy. This involves sending an HTTP response header:

Permissions-Policy: interest-cohort=()

If WordPress were to treat FLoC as a vulnerability and apply this header to all WordPress sites that automatically apply security patches, a substantial proportion of the web would be opted out.

Sites that specifically want to use FLoC, most likely because the site owners believe it will improve income from advertising, would be able to enable it. In effect, for WordPress sites the scheme would become opt-in rather than opt-out.

The author of the proposal, Carike, added that there is also a feature request to make the next version of WordPress, 5.8, opt-out of FLoC by default – but remarked that “5.8 is only scheduled for July 2021. FLoC will likely be rolling out this month.”

The WordPress proposal won immediate support and offers for help from other developers. “WordPress should be taking an Apple like stance on privacy with this,” said one.

Security... or privacy?

There are of course also naysayers, such as this one arguing that “those websites who want to block FLoC are likely to have the technical know-how to add in the header and disable it ... Where do we draw the line at what WordPress should be blocking in core for privacy? ... Calling it a “security concern” is just absolutely false and sets a dangerous precedent for what is security, and what is privacy.”


Google's FLoC flies into headwinds as internet ad industry braces for instability


This concern was echoed by another who said “while I agree with the overall sentiment here, I think it is a mistake to treat this as a security update and risks abusing user trust in automatic updates.”

Despite opposition from the development community, there are likely to be plenty of site owners who would rather have FLoC enabled than risk reduced advertising revenue. Much of what is called SEO (Search Engine Optimisation) is focused on how to optimise a site for Google and it is likely that supporting FLoC will simply be added to the list of steps web sites should take in order to perform at their best from a commercial perspective.

This unusual proposal does demonstrate the depth of opposition to FLoC. It also suggests that Google needs to secure W3C support in order to win support for the scheme beyond Chrome. That currently looks difficult, with WC3 bodies like the Technical Architecture Group (TAG) calling First Party Sets, another part of Google’s privacy sandbox, “harmful to the web in its current form”. Google has requested a TAG review of FLoC, but given the speed of its rollout, it is not clear how much weight the company attaches to the W3C’s views.

Last week, Google told us: "The Privacy Sandbox proposals are developed as part of a collaborative, open-source effort and we welcome feedback as we continue working with the W3C and broader web community to find solutions that improve privacy while maintaining a healthy ecosystem." ®

More about


Send us news

Other stories you might like