Add Permissions Policy directive browsing-topics

[bershanskiy]

This PR adds Permissions Policy directive browsing-topics which controls access to The Topics API. This API is Chromium-only and is still in Origin Trial (in Chrome 101 to 104 until August 29) and it might land in Chrome 105 which is scheduled to be released on August 30.

Fixes #22.
Related to #20 and #21.

[tunetheweb]

it might land in Chrome 105 which is scheduled to be released on August 30.

There's nothing on the Chrome Roadmap for this for 105 and typically there's a release or two (often more) while the results of the origin trail are analysed.

So I'm still a -1 on this change for now while it is still experimental.

But, full disclosure, I've joined the Chrome team since we last discussed this so will leave the decision to someone else. Though I'm working on web performance not privacy so know no more than you on this particular feature 😁

[bershanskiy]

There's nothing on the Chrome Roadmap for this for 105

Yes, I meant to say that there is no urgency in merging this PR since browsing-topics is not expected to appear in an official release any time soon (at least no earlier than August).

So I'm still a -1 on this change for now while it is still experimental.

This makes sense, there is no rush at all. Also, as of now, accidental use of Browsing Topics API is very unlikely: site administrator needs to explicitly register for an origin trial, copy the token and configure site to serve it for every context where Topics API would be used.

[bershanskiy]

This PR just got less relevant, might become relevant by year 2023 2024.

Based on this Chromium blog post, looks like launch of Privacy Sandbox (including Topics API) is postponed a bit further. Starting with Chrome 104, OT will include stable users, but most likely sites will still need to explicitly opt in to be included in Topics calculation.

[dmarti]

They're planning to push "Topics API" out to "all Chrome users" in the 2nd half of 2023: https://developer.chrome.com/en/blog/expanding-privacy-sandbox-testing-2023/

[Jonakemon]

In Chrome 115 this became a thing again: https://developer.chrome.com/blog/privacy-sandbox-launch/. I'm keen on disabling browsing-topics by default to enhance privacy. @tunetheweb, what do you think?

[tunetheweb]

As I work on the Chrome team now I'll bow out of commenting whether this is a good change or not, but no objections from me as it's no longer behind a flag.

[Jonakemon]

@bershanskiy, what do you think? Would you be willing to rebase your PR? If not, I'll create a new one this weekend to merge your change.

[bershanskiy]

@Jonakemon Yes, sure I'll rebase and test it (within the next day).

[bershanskiy]

@Jonakemon I rebased the PR, and just to make sure everything is OK ran unit tests on CI (ran manually in my repo and then they were automatically here), and tested manually locally and am happy with the way this works now. Please merge whenever it is convenient.

Also, is there a plan to make a release any time soon? Thanks!

[Jonakemon]

@bershanskiy I really appreciate the rebase, thanks! After the other PR is merged, I'll propose a deploy.

[Jonakemon]

@bershanskiy a new release was just published on Pypi https://pypi.org/project/flask-talisman/1.1.0/. Thanks for all the help :)