Metadata-Version: 2.1
Name: django-feature-policy
Version: 3.3.0
Summary: Set the draft security HTTP header Feature-Policy on your Django app.
Home-page: https://github.com/adamchainz/django-feature-policy
Author: Adam Johnson
Author-email: me@adamj.eu
License: ISC
Project-URL: Changelog, https://github.com/adamchainz/django-feature-policy/blob/master/HISTORY.rst
Keywords: Django
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Framework :: Django :: 2.0
Classifier: Framework :: Django :: 2.1
Classifier: Framework :: Django :: 2.2
Classifier: Framework :: Django :: 3.0
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: ISC License (ISCL)
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Requires-Python: >=3.5
Description-Content-Type: text/x-rst
Requires-Dist: Django (>=2.0)

django-feature-policy
=====================

.. image:: https://github.com/adamchainz/django-feature-policy/workflows/CI/badge.svg?branch=master
   :target: https://github.com/adamchainz/django-feature-policy/actions?workflow=CI

.. image:: https://img.shields.io/pypi/v/django-feature-policy.svg
   :target: https://pypi.python.org/pypi/django-feature-policy

.. image:: https://img.shields.io/badge/code%20style-black-000000.svg
   :target: https://github.com/python/black

Set the draft security HTTP header ``Feature-Policy`` on your Django app.

Requirements
------------

Python 3.5 to 3.8 supported.

Django 2.0 to 3.0 supported.

Installation
------------

Install with **pip**:

.. code-block:: sh

    python -m pip install django-feature-policy

Then add the middleware, ideally right after Django's ``SecurityMiddleware``,
which likewise adds security headers that you'll want on every response:

.. code-block:: python

    MIDDLEWARE = [
      ...
      'django.middleware.security.SecurityMiddleware',
      'django_feature_policy.FeaturePolicyMiddleware',
      ...
    ]

By default no header will be set; configure the setting as described below.

Setting
-------

Set the ``FEATURE_POLICY`` setting to configure which ``Feature-Policy``
header gets sent.

This should be a dictionary laid out with:

* Keys as the names of browser features - a full list is available on the
  `W3 Spec repository`_. The `MDN article`_ is also worth reading.
* Values as lists of strings, where each string is either an origin, e.g.
  ``'https://example.com'``, or of the special values ``'self'``, ``'none'``,
  or ``'*'``. If there is just one value, no containing list is necessary. Note
  that in the header, special values like ``'none'`` include single quotes
  around them - do not include these quotes in your Python string, they will be
  added by the middleware.

.. _W3 Spec repository: https://github.com/w3c/webappsec-feature-policy/blob/master/features.md
.. _MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility

If the keys or values are invalid, ``ImproperlyConfigured`` will be raised at
instantiation time, or when processing a response. The current feature list is
pulled from the JavaScript API with
``document.featurePolicy.allowedFeatures()`` on Chrome.

Examples
~~~~~~~~

Disable geolocation from running in the current page and any iframe:

.. code-block:: python

    FEATURE_POLICY = {
        'geolocation': 'none',
    }

Allow autoplay from the current origin and iframes from
``https://archive.org``:

.. code-block:: python

    FEATURE_POLICY = {
        'autoplay': ['self', 'https://archive.org'],
    }
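To make the mapping from the setting to the header value concrete, here is an added illustration of the rules described in the Setting section and shown in the two examples above. It is example code written for this page, not django-feature-policy's own implementation: the feature list is a constructed subset rather than the list pulled from Chrome, ``ImproperlyConfigured`` is a stand-in for Django's exception, the middleware takes the policy as a constructor argument instead of reading ``settings``, and the rejection of values containing whitespace, quotes or semicolons (which would corrupt the header) is this example's own assumption.

```python
"""Illustrative re-implementation of the Feature-Policy header building rules.

Example code added to this page, not the django-feature-policy package's
own code. Assumptions: KNOWN_FEATURES is a constructed subset, the
exception class stands in for django.core.exceptions.ImproperlyConfigured,
and the character check on origins is this example's own.
"""
from typing import Callable, Dict, Iterable, List, Union

# Constructed subset; the real package validates against the full list
# taken from Chrome's document.featurePolicy.allowedFeatures().
KNOWN_FEATURES = frozenset(
    {"autoplay", "camera", "geolocation", "microphone", "payment", "usb"}
)

# Special values that the header syntax requires in single quotes.
QUOTED_SPECIAL_VALUES = frozenset({"self", "none"})
# '*' is a bare token in the header and must not be quoted.
UNQUOTED_SPECIAL_VALUES = frozenset({"*"})
# Characters that would break out of the directive (assumption of this example).
FORBIDDEN_CHARS = frozenset("'\" \t\r\n;,")

PolicyValue = Union[str, Iterable[str]]


class ImproperlyConfigured(ValueError):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


def _format_value(value: str) -> str:
    """Render one allowlist entry: quote 'self'/'none', leave '*' and origins bare."""
    if not isinstance(value, str) or not value:
        raise ImproperlyConfigured(f"Feature-Policy value must be a non-empty string, got {value!r}")
    if value in QUOTED_SPECIAL_VALUES:
        return f"'{value}'"  # quotes are added here, not in the setting
    if value in UNQUOTED_SPECIAL_VALUES:
        return value
    if any(ch in FORBIDDEN_CHARS for ch in value):
        raise ImproperlyConfigured(f"Invalid characters in Feature-Policy origin {value!r}")
    return value  # treated as an origin such as https://example.com


def build_feature_policy_header(policy: Dict[str, PolicyValue]) -> str:
    """Turn a FEATURE_POLICY-style dict into the header value.

    Features are iterated in sorted order so the header is deterministic,
    and a bare string is accepted in place of a single-item list.
    Returns "" for an empty policy, meaning no header should be set.
    """
    directives: List[str] = []
    for feature in sorted(policy):
        if feature not in KNOWN_FEATURES:
            raise ImproperlyConfigured(f"Unknown Feature-Policy feature {feature!r}")
        raw = policy[feature]
        values = [raw] if isinstance(raw, str) else list(raw)
        if not values:
            # An empty allowlist is ambiguous; rejecting it is this example's choice.
            raise ImproperlyConfigured(f"No values given for feature {feature!r}")
        directives.append(feature + " " + " ".join(_format_value(v) for v in values))
    return "; ".join(directives)


def is_valid_policy(policy: Dict[str, PolicyValue]) -> bool:
    """Convenience check: True if the policy would build without error."""
    try:
        build_feature_policy_header(policy)
    except ImproperlyConfigured:
        return False
    return True


class FeaturePolicyMiddleware:
    """Minimal middleware shape: validate once at instantiation, then add the
    header to every response. Responses are modelled as plain dicts here."""

    def __init__(self, get_response: Callable[[object], dict], policy: Dict[str, PolicyValue]):
        self.get_response = get_response
        # Building here means a bad setting fails at startup, not per request.
        self.header_value = build_feature_policy_header(policy)

    def __call__(self, request: object) -> dict:
        response = self.get_response(request)
        if self.header_value:
            response["Feature-Policy"] = self.header_value
        return response


if __name__ == "__main__":
    demo = FeaturePolicyMiddleware(
        lambda request: {}, {"autoplay": ["self", "https://archive.org"], "geolocation": "none"}
    )
    print(demo(None)["Feature-Policy"])
```

Because the header is built in ``__init__``, a misconfigured setting surfaces when the middleware stack is loaded rather than on the first request that happens to exercise it, which is the behaviour the Setting section describes for invalid keys.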

History
=======

3.3.0 (2020-04-09)
------------------

* Drop Django 1.11 support. Only Django 2.0+ is supported now.
* Updated to the latest set of features from Chrome 81. This adds
  'ch-ua-mobile', removes 'document-access' and 'vr', and renames
  'downloads-without-user-activation' to 'downloads'.

3.2.0 (2020-01-19)
------------------

* Updated to the latest set of features from Chrome. This adds 2 new features:
  'document-access' and 'xr-spatial-tracking'. This also removes 'speaker'
  since it has now been
  `removed from the w3c specification <https://github.com/w3c/webappsec-feature-policy/commit/18707d396e1d3f0be3de348fc432383cc8866e0b>`__.

3.1.0 (2019-11-15)
------------------

* Updated to the latest set of features from Chrome. This adds 17 new features:
  'ch-device-memory', 'ch-downlink', 'ch-dpr', 'ch-ect', 'ch-lang', 'ch-rtt',
  'ch-ua', 'ch-ua-arch', 'ch-ua-model', 'ch-ua-platform', 'ch-viewport-width',
  'ch-width', 'execution-while-not-rendered', and
  'execution-while-out-of-viewport'. Chrome has also removed support for
  'speaker' but since this is still in the specification, it has been left.
* Converted setuptools metadata to configuration file. This meant removing the
  ``__version__`` attribute from the package. If you want to inspect the
  installed version, use
  ``importlib.metadata.version("django-feature-policy")``
  (`docs <https://docs.python.org/3.8/library/importlib.metadata.html#distribution-versions>`__ /
  `backport <https://pypi.org/project/importlib-metadata/>`__).
* Support Python 3.8.

3.0.0 (2019-08-02)
------------------

* Updated to the latest set of features from Chrome. This removes
  'legacy-image-formats' and 'unoptimized-images', and adds 17 new features:
  'downloads-without-user-activation', 'focus-without-user-activation',
  'forms', 'hid', 'idle-detection', 'loading-frame-default-eager', 'modals',
  'orientation-lock', 'pointer-lock', 'popups', 'presentation', 'scripts',
  'serial', 'top-navigation', 'unoptimized-lossless-images',
  'unoptimized-lossless-images-strict' and 'unoptimized-lossy-images'. Note
  that most of these are still experimental as can be seen on the
  `W3C feature list <https://github.com/w3c/webappsec-feature-policy/blob/master/features.md>`__.

* Stop marking the distributed wheel as universal. Python 2 was never supported
  so the wheel was never actually universal.

2.3.0 (2019-05-19)
------------------

* Update Python support to 3.5-3.7, as 3.4 has reached its end of life.

* Make the generated header deterministic by iterating the settings dict in
  sorted order.

* Support Django 1.11 for completeness.

2.2.0 (2019-05-08)
------------------

* Fix interpretation of '*' by not automatically adding quotes.
* Optimize header generation to reduce impact on every request.

2.1.0 (2019-04-28)
------------------

* Tested on Django 2.2. No changes were needed for compatibility.

2.0.0 (2019-03-29)
------------------

* Updated to the latest set of features from Chrome.
  'animations', 'image-compression', and 'max-downscaling-image' have been
  removed, whilst 'document-domain', 'font-display-late-swap',
  'layout-animations', 'oversized-images', 'unoptimized-images', and
  'wake-lock' have been added.
  See more at https://github.com/w3c/webappsec-feature-policy/blob/master/features.md.

1.0.1 (2019-01-02)
------------------

* Support for new 'lazyload' feature, per https://www.chromestatus.com/feature/5641405942726656.

1.0.0 (2018-10-24)
------------------

* First release, supporting adding the header with a middleware.


