Proposal: Treat FLoC like a security concern

Google is rolling out Federated Learning of Cohorts (FLoC) for the Chrome browser.

TL;DR: FLoC places people in groups based on their browsing habits to target advertising.

Why is this bad? As the Electronic Frontier Foundation explains in their post “Google’s FLoC is a terrible idea“, placing people in groups based on their browsing habits is likely to facilitate employment, housing and other types of discrimination, as well as predatory targeting of unsophisticated consumers.

This is in addition to the privacy concerns of tracking people and sharing their data, seemingly without informed consent – and making it more difficult for legislators and regulators to protect people.

So What Now?

WordPress powers approximately 41% of the web – and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with a few lines of codeLines of Code Lines of code. This is sometimes used as a poor metric for developer productivity, but can also have other uses.:

function disable_floc( array $headers ) : array {
	$permissions = [];
	if ( ! empty( $headers['Permissions-Policy'] ) ) {
		// Abort if cohorts has already been added.
		if ( strpos( $headers['Permissions-Policy'], 'interest-cohort' ) !== false ) {
			return $headers;
		$permissions = explode( ',', $headers['Permissions-Policy'] );

	$permissions[] = 'interest-cohort=()';
	$headers['Permissions-Policy'] = implode( ',', $permissions );
	return $headers;
add_filter( 'wp_headers', 'disable_floc' );

What About Admins Who Want FLoC?

Those websites who want to opt into FLoC are likely to have the technical know-how to simply override this proposed filterFilter Filters are one of the two types of Hooks They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. in CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress..

When balancing the stakeholder interests, the needs of website administrators who are not even aware that this is something that they need to mitigate – and the interests of the users and visitors to those sites, is simply more compelling.

Furthermore, for WordPress versions that support privacy settings, we can easily add an on-off toggle to enable websites to opt in. This would only require a few more lines of code and only a couple of new strings.

What Do You Mean By “Treat It Like A Security Concern”?

  1. Include the patchpatch A special text file that describes changes to code, by identifying the files and lines which are added, removed, and altered. It may also be referred to as a diff. A patch can be applied to a codebase for testing. the next minor releaseMinor Release A set of releases or versions having the same minor version number may be collectively referred to as .x , for example version 5.2.x to refer to versions 5.2, 5.2.1, 5.2.3, and all other versions in the 5.2 (five dot two) branch of that software. Minor Releases often make improvements to existing features and functionality., rather than waiting for the next major releasemajor release A release, identified by the first two numbers (3.6), which is the focus of a full release cycle and feature development. WordPress uses decimaling count for major release versions, so 2.8, 2.9, 3.0, and 3.1 are sequential and comparable in scope.;
  2. Back-port the patch to previous versions of WordPress.

Why Treat It That Way? Why Not Just Wait For The Next Major Release?

Well, keep your eyes peeled, because there is a ticketticket Created for both bug reports and feature development on the bug tracker. for future releases on its way!

While it is indeed unusual to treat a new “feature” this way, there is precedent in that something that was not strictly a security vulnerability in comments was back-ported to previous versions for the good of the community as a whole.

Currently, 5.8. is only scheduled for July 2021. FLoC will likely be rolling out this month.

Furthermore, a significant number of WordPress sites only update to minor versions. By back-porting, we can protect more sites and more visitors to those sites – and amplify the impact.

Request For Comment

Please join the discussion below!

Whether want to show support, disagree vehemently, or just want to make the implementation the best that it can possibly be, please have your voice be heard.

I’m aware that there is a lot of discussion on other platforms, including Twitter on this matter, but we won’t see all of it, so in addition to spreading the conversation there, please comment here too, so that it can be considered when this is discussed at development meetings and when the ticket is created (consensus building first – and that is done here 😉 )

YOU DO NOT HAVE TO BE A DEVELOPER TO PARTICIPATE. There will be a ticket on The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. where we will discuss all of the technical stuff. I’m tremendously grateful that there are so many developers, Core, MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. and others, around, but blogblog (versus network, site) posts on are the places that are accessible to techies and non-techies alike 🙂

Version Control:
1. Edited to add clarification that treatment like a security concern refers to the process / procedure (accelerated development and back-porting).
2. Code snippet updated based on suggestions below. Thank you to Tom for the snippet and to everyone who suggested conditionally appending, rather than replacing.
Added some more info to the Request for Comment.