Metadata-Version: 2.1
Name: django-feature-policy
Version: 2.0.0
Summary: Set the draft security HTTP header Feature-Policy on your Django app.
Home-page: https://github.com/adamchainz/django-feature-policy
Author: Adam Johnson
Author-email: me@adamj.eu
License: ISC
Keywords: Django
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Framework :: Django :: 2.0
Classifier: Framework :: Django :: 2.1
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: ISC License (ISCL)
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Requires-Python: >=3.4
Requires-Dist: Django

django-feature-policy
=====================

.. image:: https://img.shields.io/travis/adamchainz/django-feature-policy/master.svg
        :target: https://travis-ci.org/adamchainz/django-feature-policy

.. image:: https://img.shields.io/pypi/v/django-feature-policy.svg
        :target: https://pypi.python.org/pypi/django-feature-policy

Set the draft security HTTP header ``Feature-Policy`` on your Django app.

Requirements
------------

Tested with all combinations of:

* Python: 3.6
* Django: 2.0, 2.1

Python 3.4+ supported.

Installation
------------

Install with **pip**:

.. code-block:: sh

    pip install django-feature-policy

Then add the middleware, ideally after Django's ``SecurityMiddleware``, which
similarly adds security headers that you'll want on every response:

.. code-block:: python

    MIDDLEWARE = [
      ...
      'django.middleware.security.SecurityMiddleware',
      'django_feature_policy.FeaturePolicyMiddleware',
      ...
    ]

By default no header will be set; configure the setting as described below.

Setting
-------

Change the ``FEATURE_POLICY`` setting to configure what ``Feature-Policy``
header gets set.

This should be a dictionary laid out with:

* Keys as the names of browser features - a full list is available on the
  `W3 Spec repository`_. The `MDN article`_ is also worth reading.
* Values as lists of strings, where each string is either an origin, e.g.
  ``'https://example.com'``, or one of the special values ``'self'``,
  ``'none'``, or ``'*'``. If there is just one value, no containing list is
  necessary. Note that in the header, special values like ``'none'`` include
  single quotes around them - do not include these quotes in your Python
  string; they will be added by the middleware.

.. _W3 Spec repository: https://github.com/w3c/webappsec-feature-policy/blob/master/features.md
.. _MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility

If the keys or values are invalid, ``ImproperlyConfigured`` will be raised at
instantiation time, or when processing a response. The current feature list is
pulled from the JavaScript API with
``document.featurePolicy.allowedFeatures()`` on Chrome.

Examples
~~~~~~~~

Disable geolocation in the current page and any iframe:

.. code-block:: python

    FEATURE_POLICY = {
        'geolocation': 'none',
    }

Allow autoplay from the current origin and iframes from
``https://archive.org``:

.. code-block:: python

    FEATURE_POLICY = {
        'autoplay': ['self', 'https://archive.org'],
    }
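
To see what such a dictionary becomes on the wire, the following added example (not django-feature-policy's own code) renders a ``FEATURE_POLICY``-style dict into a header value and rejects values that would corrupt it. The name ``render_feature_policy``, the small ``KNOWN_FEATURES`` subset, the strict origin pattern, and the use of ``ValueError`` in place of ``ImproperlyConfigured`` are assumptions of this example.

```python
import re

# Added illustration; not django-feature-policy's source code.
# Assumption: a small subset of the feature names mentioned on this page.
# The middleware itself validates against Chrome's full feature list.
KNOWN_FEATURES = {"autoplay", "document-domain", "geolocation", "wake-lock"}

# Keywords that are wrapped in single quotes in the header.
QUOTED_KEYWORDS = {"self", "none"}

# Assumption: accept only bare origins (scheme://host[:port]). Whitespace,
# ';' and ',' are refused because they delimit directives and policies, so a
# value containing them could smuggle extra directives into the header.
ORIGIN_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s;,'/?#]+")


def render_feature_policy(policy):
    """Return the Feature-Policy header value for a FEATURE_POLICY-style dict."""
    directives = []
    for feature, values in sorted(policy.items()):  # sorted for stable output
        if feature not in KNOWN_FEATURES:
            raise ValueError("Unknown feature {!r}".format(feature))
        if isinstance(values, str):
            values = [values]  # a single value needs no containing list
        if not values:
            raise ValueError("No values given for {!r}".format(feature))
        rendered = []
        for value in values:
            if value in QUOTED_KEYWORDS:
                rendered.append("'{}'".format(value))  # quotes added here
            elif value == "*":
                rendered.append(value)  # the wildcard is sent unquoted
            elif ORIGIN_RE.fullmatch(value):
                rendered.append(value)
            else:
                # Catches pre-quoted keywords such as "'none'" as well.
                raise ValueError(
                    "Invalid value {!r} for {!r}".format(value, feature)
                )
        directives.append("{} {}".format(feature, " ".join(rendered)))
    return "; ".join(directives)


if __name__ == "__main__":
    print(render_feature_policy({
        "geolocation": "none",
        "autoplay": ["self", "https://archive.org"],
    }))
```
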


History
=======

Pending release
---------------

.. Insert new release notes below this line

2.0.0 (2019-03-29)
------------------

* Updated to the latest set of features from Chrome.
  'animations', 'image-compression', and 'max-downscaling-image' have been
  removed, whilst 'document-domain', 'font-display-late-swap',
  'layout-animations', 'oversized-images', 'unoptimized-images', and
  'wake-lock' have been added.
  See more at https://github.com/w3c/webappsec-feature-policy/blob/master/features.md .

1.0.1 (2019-01-02)
------------------

* Support for new 'lazyload' feature, per https://www.chromestatus.com/feature/5641405942726656.

1.0.0 (2018-10-24)
------------------

* First release, supporting adding the header with a middleware.


