Remove FLoC handling

[furudean]

FLoC was canned by WICG in favor of the Topics API. I couldn't find any information online if it was removed from chrome yet (the only browser where it was ever implemented) but it definitely looks like its on its way out.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: dd4efb8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[mrkishi]

FLoC never made it past origin trials and it's indeed not active in any browsers anymore.

Having said that, origin trials for its successor have already begun and the FLoC opt-out header is still accepted in the current Topics API draft.

We should probably add a Topics API opt-out option when removing FLoC's, but since it's still in flux and the deprecated option is still valid, I wouldn't oppose postponing any action until the spec moves forward.

[furudean]

I see, maybe we should change this to Permissions-Policy: browsing-topics=() instead to stay up to date? Or we can wait and see if topics also get scrapped... lol.

Though at this point we are definitely asking a different question--are topics as bad as FLoC, and should Svelte Kit do something about it by default? I suppose time will tell.

[mrkishi]

are topics as bad as FLoC

Getting your hands wet might not be as bad as drowning in water, but I wouldn't want it 24/7 either. I expect most on the team to share the uneasiness towards the new iteration as well.

If you want to update the implementation and docs to get it in sync with Topics API instead of FLoC, I believe you'll find no objections. But I don't speak for everyone so you might want to wait for other opinions.

[Rich-Harris]

We should probably add a Topics API opt-out option when removing FLoC's, but since it's still in flux and the deprecated option is still valid, I wouldn't oppose postponing any action until the spec moves forward.

We had a brief discussion about this when FLoC was replaced with Topics, and thought it prudent to wait to see what privacy experts at organisations like the EFF had to say about whether it was harmful. To my knowledge, they haven't weighed in yet. Brave had a scathing write-up of Topics, but they're not exactly a disinterested third party.

[mrkishi]

We should probably add a Topics API opt-out option when removing FLoC's

I believe this would still be valuable even if privacy experts ultimately decide the Topics API isn't that harmful—it's just that if it turns out it is, then it should be enabled by default.

[Rich-Harris]

If we don't want to disable it by default then the opt-out would just be this in hooks.js, no?

export async function handle({ event, resolve }) {
  const response = await resolve(event);
  response.headers.set('Permissions-Policy', 'browsing-topics=()');
  return response;
}

I'd argue we only want config for it if it's something we want to enable by default, which probably does depend on how harmful it is.

[Rich-Harris]

thank you!