[3.9][Privacy] Block usage of FLoC by default

administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql

@@ -0,0 +1,3 @@
+INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description_key`, `language_extension`, `language_client_id`, `type`, `version_introduced`, `enabled`)
+VALUES
+(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1);

administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql

@@ -0,0 +1,3 @@
+INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description_key", "language_extension", "language_client_id", "type", "version_introduced", "enabled")
+VALUES
+(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1);

administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql

@@ -0,0 +1,3 @@
+INSERT INTO [#__postinstall_messages] ([extension_id], [title_key], [description_key], [language_extension], [language_client_id], [type], [version_introduced], [enabled])
+VALUES
+(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1);

administrator/components/com_config/model/form/application.xml

@@ -1208,6 +1208,19 @@
 
 		</field>
 
+		<field
+			name="block_floc"
+			type="radio"
+			label="COM_CONFIG_FIELD_FLOC_BLOCKER_LABEL"
+			description="COM_CONFIG_FIELD_FLOC_BLOCKER_DESC"
+			class="btn-group btn-group-yesno"
+			default="1"
+			filter="integer"
+			>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+
 	</fieldset>
 
 	<fieldset

administrator/language/en-GB/en-GB.com_admin.ini

@@ -139,6 +139,8 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version"
 COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting"
 COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="<p>For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26</p><p>This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).</p><p><strong>Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.</strong></p>"
 COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\""
+COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts (FLoC). You can read more about it <a href="https://github.com/WICG/floc">here</a>. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their <a href="https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea">assessment</a> and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration. To additionally enable this feature for all other requests to your server, enable it in your .htaccess. In that case you have to disable the block in the Global Configuration."
+COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)"
 COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="<p>Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.</p><p>The old code:</p><pre>&lt;IfModule autoindex&gt;\n  IndexIgnore *\n&lt;/IfModule&gt;</pre><p>The new code:</p><pre>&lt;IfModule mod_autoindex.c&gt;\n  IndexIgnore *\n&lt;/IfModule&gt;</pre>"
 COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings"
 COM_ADMIN_REGISTER_GLOBALS="Register Globals"

administrator/language/en-GB/en-GB.com_config.ini

@@ -93,6 +93,8 @@ COM_CONFIG_FIELD_FILTERS_CUSTOM_BLACK_LIST="Custom Blacklist"
 COM_CONFIG_FIELD_FILTERS_NO_HTML="No HTML"
 COM_CONFIG_FIELD_FILTERS_NO_FILTER="No Filtering"
 COM_CONFIG_FIELD_FILTERS_WHITE_LIST="Whitelist"
+COM_CONFIG_FIELD_FLOC_BLOCKER_DESC="Send a header to not support the tracking through the FLoC method proposed by Google."
+COM_CONFIG_FIELD_FLOC_BLOCKER_LABEL="Block Google FLoC"
 COM_CONFIG_FRONTEDITING_DESC="Select if you want inline editing for modules and menu items (support may depend on your template)."
 COM_CONFIG_FRONTEDITING_LABEL="Inline Editing"
 COM_CONFIG_FRONTEDITING_MENUSANDMODULES="Modules & Menus"

htaccess.txt

@@ -24,6 +24,14 @@
 ## Suppress mime type detection in browsers for unknown types
 <IfModule mod_headers.c>
 Header always set X-Content-Type-Options "nosniff"
+##
+# Joomla considers the feature of Federated Learning of Cohorts (FLoC) to be against the
+# interest of users and site owners. Joomla blocks this feature by default through its
+# code. To block it for all requrests, uncomment the below directive and then disable the
+# code in the global configuration of Joomla. Read more about this in the Post-Installation
+# message in the backend.
+##
+# Header always set Permissions-Policy "interest-cohort=()"
 </IfModule>
 
 ## Can be commented out if causes errors, see notes above.

installation/sql/mysql/joomla.sql

@@ -1675,7 +1675,8 @@ INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description
 (700, 'TPL_HATHOR_MESSAGE_POSTINSTALL_TITLE', 'TPL_HATHOR_MESSAGE_POSTINSTALL_BODY', 'TPL_HATHOR_MESSAGE_POSTINSTALL_ACTION', 'tpl_hathor', 1, 'action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_condition', '3.7.0', 1),
 (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1),
 (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1),
-(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1);
+(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1),
+(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1);
 
 -- --------------------------------------------------------
 

installation/sql/postgresql/joomla.sql

@@ -1657,7 +1657,8 @@ INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description
 (700, 'TPL_HATHOR_MESSAGE_POSTINSTALL_TITLE', 'TPL_HATHOR_MESSAGE_POSTINSTALL_BODY', 'TPL_HATHOR_MESSAGE_POSTINSTALL_ACTION', 'tpl_hathor', 1, 'action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_condition', '3.7.0', 1),
 (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1),
 (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1),
-(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1);
+(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1),
+(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1);
 
 --
 -- Table structure for table `#__privacy_requests`

installation/sql/sqlazure/joomla.sql

@@ -2372,7 +2372,8 @@ INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description
 (700, 'TPL_HATHOR_MESSAGE_POSTINSTALL_TITLE', 'TPL_HATHOR_MESSAGE_POSTINSTALL_BODY', 'TPL_HATHOR_MESSAGE_POSTINSTALL_ACTION', 'tpl_hathor', 1, 'action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_condition', '3.7.0', 1),
 (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1),
 (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1),
-(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1);
+(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1),
+(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1);
 
 --
 -- Table structure for table `#__privacy_requests`

libraries/src/Application/CMSApplication.php

@@ -209,6 +209,34 @@ public function execute()
 			$this->render();
 		}
 
+		if ($this->get('block_floc', 1))
+		{
+			$headers = $this->getHeaders();
+
+			$notPresent = true;
+
+			foreach($headers as $header)
+			{
+				if ($header['name'] === 'Permissions-Policy')
+				{
+					// Append interest-cohort if the Permissions-Policy is not set
+					if (strpos($header['value'], 'interest-cohort') === false)
+					{
+						$this->setHeader('Permissions-Policy', $header['value'] . ', interest-cohort=()', true);
+					}
+
+					$notPresent = false;
+
+					break;
+				}
+			}
+
+			if ($notPresent)
+			{
+				$this->setHeader('Permissions-Policy', 'interest-cohort=()');
+			}
+		}
+
 		// If gzip compression is enabled in configuration and the server is compliant, compress the output.
 		if ($this->get('gzip') && !ini_get('zlib.output_compression') && ini_get('output_handler') !== 'ob_gzhandler')
 		{