Opting out of FLoC in CloudFront

Filed under aws on April 17, 2021

The current quiet tech battle being fought is against Google’s Federated Learning of Cohorts, or FLoC, which Google is pushing as its alternative to third-party cookies. The Verge explains it better than I could, so I’ll link it and call it a day on that part.

I don’t use tracking or invasive analytics on my site and never will, so let’s make sure it’s difficult for Google as well.

How do we stop it, if it’s browser based?

There’s a new HTTP header we can use, Permissions-Policy. We can set this on our CloudFront distribution easily enough to disable (we hope) FLoC in the browser on our site. The W3C has a full spec available with examples if you’re interested in reading more.

Adding the header

Configuring the Lambda

We need a Lambda to do this for us; I’m going to use a JS one:

exports.handler = (event, context, callback) => {
  // Lambda@Edge viewer-response event: the response CloudFront is about to return
  const response = event.Records[0].cf.response;
  // Headers are keyed by lowercase name; 'key' is the casing sent to the viewer
  response.headers['permissions-policy'] = [{
    key: 'Permissions-Policy',
    value: 'interest-cohort=()',
  }];

  // Hand the modified response back to CloudFront
  callback(null, response);
};

It’s important to note that the key for the response.headers dictionary ('permissions-policy') needs to match the key value inside the header object ('Permissions-Policy'), differing only in case.
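As an added example (not the post’s own handler), here is a variant of the viewer-response function that respects a Permissions-Policy header the origin may already be sending: instead of overwriting it, it appends interest-cohort=() to the existing directives and avoids duplicating it. The header-key rule from the note above is encoded in the HEADER_KEY and HEADER_NAME constants, and a constructed CloudFront-shaped event is included so the handler can be exercised locally without deploying anything.

```javascript
'use strict';

// Lambda@Edge keys response.headers by the lowercase header name; the `key`
// field inside each entry is the casing that actually goes to the viewer.
const HEADER_KEY = 'permissions-policy';
const HEADER_NAME = 'Permissions-Policy';
const FLOC_DIRECTIVE = 'interest-cohort=()';

// Merge interest-cohort=() into an existing Permissions-Policy value.
// Existing directives are kept; the FLoC directive is added only once.
function mergePolicy(existing) {
  const directives = (existing || '')
    .split(',')
    .map((d) => d.trim())
    .filter((d) => d.length > 0);
  const hasFloc = directives.some((d) => d.toLowerCase().startsWith('interest-cohort='));
  if (!hasFloc) directives.push(FLOC_DIRECTIVE);
  return directives.join(', ');
}

// Mutate and return the CloudFront response object with the merged header.
function addFlocOptOut(response) {
  const headers = response.headers || (response.headers = {});
  const current = headers[HEADER_KEY];
  const existingValue = Array.isArray(current) && current.length > 0 ? current[0].value : '';
  headers[HEADER_KEY] = [{ key: HEADER_NAME, value: mergePolicy(existingValue) }];
  return response;
}

// Lambda@Edge entry point (callback style, as in the post's handler).
function handler(event, context, callback) {
  const response = event.Records[0].cf.response;
  callback(null, addFlocOptOut(response));
}
if (typeof exports !== 'undefined') exports.handler = handler;

// Constructed sample event shaped like a CloudFront viewer-response record
// (not a real capture); originHeaders is what the origin sent back.
function sampleEvent(originHeaders) {
  return {
    Records: [{
      cf: { response: { status: '200', statusDescription: 'OK', headers: originHeaders } },
    }],
  };
}

// Run the handler against a constructed event and return the final header value.
function runHandler(originHeaders) {
  let result = null;
  handler(sampleEvent(originHeaders), {}, (err, res) => {
    if (err) throw err;
    result = res;
  });
  return result.headers[HEADER_KEY][0].value;
}
```

Calling runHandler({}) yields 'interest-cohort=()', while an origin that already sends geolocation=() ends up with 'geolocation=(), interest-cohort=()' rather than losing its own policy.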

Create and publish this Lambda in us-east-1, and create a version. You will also need to update the IAM role so it can be assumed by both lambda.amazonaws.com and edgelambda.amazonaws.com, so that CloudFront can use it. Your trust relationship should look similar to this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "edgelambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Hooking the Lambda into CloudFront

Next we need to get CloudFront to call the Lambda on a viewer response. Navigate to the distribution panel and click on the distribution you’re adding the header to.

Distribution panel

From here, click onto the Behaviors tab, and enter the behavior edit screen.

Behavior panel

Scroll to the bottom, where the Lambda Function Associations section is.

Lambda functions

You’ll need to add a Viewer Response event handler and, in the ARN box, enter your Lambda ARN with a version. It should look a little like this when you tack the version on the end:

arn:aws:lambda:us-east-1:123456789101:function:block-floc:2

Test the site

Finally, hit the “Yes, Edit” button and see if you can curl the headers down:

curl output
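For a repeatable check, the following added example (not from the post) takes a raw header dump, such as what curl -I prints, and reports whether a Permissions-Policy header carrying interest-cohort=() is present. The header name is compared case-insensitively as HTTP requires, while the directive is matched exactly, since Permissions-Policy dictionary keys are lowercase. The sample dumps are constructed, not real captures.

```javascript
'use strict';

// Return true only when a Permissions-Policy header is present and one of its
// comma-separated directives is exactly `interest-cohort=()`.
function hasFlocOptOut(rawHeaders) {
  const lines = rawHeaders.split(/\r?\n/);
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (name !== 'permissions-policy') continue;
    const directives = line.slice(idx + 1).split(',').map((d) => d.trim());
    if (directives.includes('interest-cohort=()')) return true;
  }
  return false;
}

// Constructed sample shaped like `curl -I` output after the Lambda@Edge
// association is in place (hypothetical values, not a real capture).
const SAMPLE_WITH_HEADER = [
  'HTTP/2 200',
  'content-type: text/html',
  'Permissions-Policy: geolocation=(), interest-cohort=()',
  'x-cache: Hit from cloudfront',
  '',
].join('\r\n');

// Constructed sample of a distribution that has not picked up the header yet.
const SAMPLE_WITHOUT_HEADER = [
  'HTTP/2 200',
  'content-type: text/html',
  '',
].join('\r\n');

// Constructed sample where the header exists but does not opt out of FLoC.
const SAMPLE_OTHER_POLICY = [
  'HTTP/2 200',
  'permissions-policy: camera=()',
  '',
].join('\r\n');
```

Piping real curl -I output into hasFlocOptOut after the distribution finishes deploying tells you whether the association took effect, without eyeballing the header list.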

I hope more people opt out of this crap; it’ll take a sharp and decisive “No” to get Google to back off. Until then, you can use Am I FLoCed to see if your Chrome install has been opted in to the beta.