Metadata-Version: 1.2
Name: django-feature-policy
Version: 2.0.0
Summary: Set the draft security HTTP header Feature-Policy on your Django app.
Home-page: https://github.com/adamchainz/django-feature-policy
Author: Adam Johnson
Author-email: me@adamj.eu
License: ISC
Description: django-feature-policy
        =====================
        
        Set the draft security HTTP header ``Feature-Policy`` on your Django app.
        
        Requirements
        ------------
        
        Tested with all combinations of:
        
        * Python: 3.6
        * Django: 2.0, 2.1
        
        Python 3.4+ supported.
        
        Installation
        ------------
        
        Install with **pip**:
        
        .. code-block:: sh
        
            pip install django-feature-policy
        
        Then add the middleware, ideally after Django's ``SecurityMiddleware``, since
        it similarly adds security headers that you'll want on every response:
        
        .. code-block:: python
        
            MIDDLEWARE = [
              ...
              'django.middleware.security.SecurityMiddleware',
              'django_feature_policy.FeaturePolicyMiddleware',
              ...
            ]
        
        By default no header is set; configure the setting as described below.
        
        Setting
        -------
        
        Change the ``FEATURE_POLICY`` setting to configure what ``Feature-Policy``
        header gets set.
        
        This should be a dictionary laid out with:
        
        * Keys as the names of browser features - a full list is available on the
          `W3 Spec repository`_. The `MDN article`_ is also worth reading.
        * Values as lists of strings, where each string is either an origin, e.g.
          ``'https://example.com'``, or one of the special values ``'self'``,
          ``'none'``, or ``'*'``. If there is just one value, no containing list is
          necessary. Note that in the header, special values like ``'none'`` include
          single quotes around them. Do not include these quotes in your Python
          string; they will be added by the middleware.
        
        .. _W3 Spec repository: https://github.com/w3c/webappsec-feature-policy/blob/master/features.md
        .. _MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility
        
        If the keys or values are invalid, ``ImproperlyConfigured`` will be raised at
        instantiation time, or when processing a response. The current feature list is
        pulled from the JavaScript API with
        ``document.featurePolicy.allowedFeatures()`` on Chrome.
        
        Examples
        ~~~~~~~~
        
        Disable geolocation in the current page and any iframe:
        
        .. code-block:: python
        
            FEATURE_POLICY = {
                'geolocation': 'none',
            }
        
        Allow autoplay from the current origin and iframes from
        ``https://archive.org``:
        
        .. code-block:: python
        
            FEATURE_POLICY = {
                'autoplay': ['self', 'https://archive.org'],
            }
        
        
        History
        =======
        
        Pending release
        ---------------
        
        .. Insert new release notes below this line
        
        2.0.0 (2019-03-29)
        ------------------
        
        * Updated to the latest set of features from Chrome.
          'animations', 'image-compression', and 'max-downscaling-image' have been
          removed, whilst 'document-domain', 'font-display-late-swap',
          'layout-animations', 'oversized-images', 'unoptimized-images', and
          'wake-lock' have been added.
          See more at https://github.com/w3c/webappsec-feature-policy/blob/master/features.md .
        
        1.0.1 (2019-01-02)
        ------------------
        
        * Support for new 'lazyload' feature, per https://www.chromestatus.com/feature/5641405942726656.
        
        1.0.0 (2018-10-24)
        ------------------
        
        * First release, supporting adding the header with a middleware.
        
Keywords: Django
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Framework :: Django :: 2.0
Classifier: Framework :: Django :: 2.1
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: ISC License (ISCL)
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Requires-Python: >=3.4
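
The mapping from a ``FEATURE_POLICY`` dictionary to the header value, as described in the "Setting" section above, shown as an added example that is not django-feature-policy's own code. The names ``render_feature_policy``, ``render_value`` and ``KNOWN_FEATURES`` are hypothetical, ``ValueError`` stands in for ``ImproperlyConfigured`` so the block runs without Django, and the sorted directive order and the bare ``*`` wildcard are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample of feature names mentioned on this page; the real
# list is longer and changes between releases.
KNOWN_FEATURES = {"autoplay", "document-domain", "geolocation", "wake-lock"}

# Keywords that the header carries wrapped in single quotes.
QUOTED_KEYWORDS = {"self", "none"}


def render_value(value):
    """Render one allowlist entry the way it appears in the header."""
    if value in QUOTED_KEYWORDS:
        return "'{}'".format(value)
    if value == "*":
        return "*"  # assumption: the wildcard is sent without quotes
    if value.startswith("'") or value.endswith("'"):
        # The mistake the README warns about: quoting in the Python string.
        raise ValueError("do not pre-quote values: {!r}".format(value))
    parts = urlsplit(value)
    if not (parts.scheme and parts.netloc) or parts.path not in ("", "/"):
        raise ValueError("not an origin: {!r}".format(value))
    return value


def render_feature_policy(policy):
    """Build a Feature-Policy header value from a FEATURE_POLICY-style dict."""
    directives = []
    # Sorted only to make the output deterministic for this example.
    for feature, values in sorted(policy.items()):
        if feature not in KNOWN_FEATURES:
            raise ValueError("unknown feature: {!r}".format(feature))
        if isinstance(values, str):
            values = [values]  # a single value needs no containing list
        rendered = [render_value(v) for v in values]
        directives.append(" ".join([feature] + rendered))
    return "; ".join(directives)


if __name__ == "__main__":
    print(render_feature_policy({
        "geolocation": "none",
        "autoplay": ["self", "https://archive.org"],
    }))
```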
