Replace interest-cohort with browsing-topics

[colleirose]

interest-cohort is no longer recognized by any browsers, and has been superseded by browsing-topics. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics and https://www.theverge.com/2022/1/25/22900567/google-floc-abandon-topics-api-cookies-tracking

[thestinger]

The interest-cohort feature is still listed by Chromium as one of the supported ones. We're turning off as many features as we can with Permissions Policy to reduce attack surface although all the JavaScript is enforced as coming from our signed APK so it's not super important. It would be good to check the list of what's actually shown as enabled right now. This is the list in their web tests:

accelerometer
ambient-light-sensor
attribution-reporting
autoplay
browsing-topics
camera
captured-surface-control
ch-device-memory
ch-downlink
ch-dpr
ch-ect
ch-prefers-color-scheme
ch-prefers-reduced-motion
ch-prefers-reduced-transparency
ch-rtt
ch-save-data
ch-ua
ch-ua-arch
ch-ua-bitness
ch-ua-form-factors
ch-ua-full-version
ch-ua-full-version-list
ch-ua-mobile
ch-ua-model
ch-ua-platform
ch-ua-platform-version
ch-ua-wow64
ch-viewport-height
ch-viewport-width
ch-width
clipboard-read
clipboard-write
compute-pressure
cross-origin-isolated
deferred-fetch
digital-credentials-get
display-capture
encrypted-media
execution-while-not-rendered
execution-while-out-of-viewport
focus-without-user-activation
fullscreen
gamepad
geolocation
gyroscope
hid
identity-credentials-get
idle-detection
interest-cohort
join-ad-interest-group
keyboard-map
local-fonts
magnetometer
media-playback-while-not-visible
microphone
midi
otp-credentials
payment
picture-in-picture
popins
private-aggregation
private-state-token-issuance
private-state-token-redemption
publickey-credentials-create
publickey-credentials-get
run-ad-auction
screen-wake-lock
serial
shared-autofill
shared-storage
shared-storage-select-url
speaker-selection
storage-access
sync-xhr
unload
usb
vertical-scroll
web-app-installation
window-management
xr-spatial-tracking

[thestinger]

This should also be kept in sync to the extent it makes sense with our website configurations.

[colleirose]

I see - I will try to create a permissions policy that matches these features.

[thestinger]

We probably don't want to add all of them and some are for enabling rather than disabling features. For now, just want to focus on whether we should actually remove interest-cohort. It only matters whether it's actually deprecated in Chromium not what others say about it with no say in that.

[colleirose]

We probably don't want to add all of them and some are for enabling rather than disabling features. For now, just want to focus on whether we should actually remove interest-cohort. It only matters whether it's actually deprecated in Chromium not what others say about it with no say in that.

My bad, I see. Could you send a link to where I can find the list of what permissions are supported in Chromium?

[thestinger]

Unsure other than figuring out what it does from the source code. interest-cohort is still accepted and doesn't show a deprecation warning, but it's possible they did that because so many sites and even whole frameworks disabled it and they didn't want it spammed everywhere.

[colleirose]

According to the articles I've read about this, they silently disabled FLoC without an announcement in 2021, then announced the Topics API as a successor in 2022. So it's possible the permission still exists but is just not being used. I will check the Chromium source code and see if I can find anything, though I might need to head to sleep in a few hours.