Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app.

Related tags

Djangodjango-permissions-policy
Overview

django-permissions-policy

https://img.shields.io/github/workflow/status/adamchainz/django-permissions-policy/CI/main?style=for-the-badge https://img.shields.io/codecov/c/github/adamchainz/django-permissions-policy/main?style=for-the-badge https://img.shields.io/pypi/v/django-permissions-policy.svg?style=for-the-badge https://img.shields.io/badge/code%20style-black-000000.svg?style=for-the-badge pre-commit

Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app.

Requirements

Python 3.6 to 3.10 supported.

Django 2.2 to 4.0 supported.

Are your tests slow? Check out my book Speed Up Your Django Tests which covers loads of best practices so you can write faster, more accurate tests.

Installation

  1. Install with pip:
python -m pip install django-permissions-policy

2. Add the middleware in your MIDDLEWARE setting. It’s best to add it after Django's SecurityMiddleware, so it adds the header at the same point in your stack:

MIDDLEWARE = [
    ...,
    "django.middleware.security.SecurityMiddleware",
    "django_permissions_policy.PermissionsPolicyMiddleware",
    ...,
]

  1. Add the PERMISSIONS_POLICY setting to your settings, naming at least one feature. Here’s an example that sets a strict policy to disable many potentially privacy-invading and annoying features for all scripts:

    PERMISSIONS_POLICY = {
    "accelerometer": [],
    "ambient-light-sensor": [],
    "autoplay": [],
    "camera": [],
    "display-capture": [],
    "document-domain": [],
    "encrypted-media": [],
    "fullscreen": [],
    "geolocation": [],
    "gyroscope": [],
    "interest-cohort": [],
    "magnetometer": [],
    "microphone": [],
    "midi": [],
    "payment": [],
    "usb": [],
}

    See below for more information on the setting.

Setting

Change the PERMISSIONS_POLICY setting to configure the contents of the header.

The setting should be a dictionary laid out with:

  • Keys as the names of browser features - a full list is available on the W3 Spec repository. The MDN article is also worth reading.

  • Values as lists of strings, where each string is either an origin, e.g. 'https://example.com', or of the special values 'self' or '*'. If there is just one value, no containing list is necessary. To represent no origins being allowed, use an empty list.

    Note that in the header, domains are wrapped in double quotes - do not include these quotes within your Python string, as they will be added by the middleware.

If the keys or values are invalid, ImproperlyConfigured will be raised at instantiation time, or when processing a response. The current feature list is pulled from the JavaScript API with document.featurePolicy.allowedFeatures() on Chrome.

For backwards compatibility with old configuration, the value 'none' is supported in lists, but ignored - it's preferable to use the empty list instead. It doesn't make sense to specify 'none' alongside other values.

Examples

Disable geolocation entirely, for the current origin and any iframes:

PERMISSIONS_POLICY = {
    "geolocation": [],
}

Allow autoplay from only the current origin and iframes from https://archive.org:

PERMISSIONS_POLICY = {
    "autoplay": ["self", "https://archive.org"],
}

Allow autoplay from all origins:

PERMISSIONS_POLICY = {
    "autoplay": "*",
}
Owner
Adam Johnson
🦄 @django technical board member 🇬🇧 @djangolondon co-organizer ✍ AWS/Django/Python Author and Consultant
Adam Johnson
GitHub Repository
Redia Cache implementation in django.

django-redis Recipe APP Simple Recipe app which shows different kinds off recipe to the user. Why Cache ? Accessing data from cache is much faster tha

Avinash Alanjkar 1 Sep 21, 2022
:couple: Multi-user accounts for Django projects

django-organizations Summary Groups and multi-user account management Author Ben Lopatin (http://benlopatin.com / https://wellfire.co) Status Separate

Ben Lopatin 1.1k Jan 01, 2023
This is a personal django website for forum posts

Django Web Forum This is a personal django website for forum posts It includes login, registration and forum posts with date time. Tech / Framework us

5 May 12, 2022
Django StatusPage - App to display statuspage for your services

Django StatusPage - App to display statuspage for your services

Gorlik 1 Oct 27, 2021
Running in outer Django project folder (cd django_project)

Django Running in outer Django project folder (cd django_project) Make Migrations python manage.py makemigrations Migrate to Database python manage.py

1 Feb 07, 2022
Django friendly finite state machine support

Django friendly finite state machine support django-fsm adds simple declarative state management for django models. If you need parallel task executio

Viewflow 2.1k Dec 31, 2022
Money fields for Django forms and models.

django-money A little Django app that uses py-moneyed to add support for Money fields in your models and forms. Django versions supported: 1.11, 2.1,

1.4k Jan 06, 2023
Simply integrate Summernote editor with Django project.

django-summernote Summernote is a simple WYSIWYG editor. django-summernote allows you to embed Summernote into Django very handy. Support admin mixins

Summernote 936 Jan 02, 2023
Tutorial para o projeto negros.dev - A Essência do Django

Negros Dev Tutorial para o site negros.dev Este projeto foi feito com: Python 3.8.9 Django 3.1.8 Bootstrap 4.0 Como rodar o projeto? Clone esse reposi

Regis Santos 6 Aug 12, 2022
An app that allows you to add recipes from the dashboard made using DJango, JQuery, JScript and HTMl.

An app that allows you to add recipes from the dashboard. Then visitors filter based on different categories also each ingredient has a unique page with their related recipes.

Pablo Sagredo 1 Jan 31, 2022
REST API with Django and SQLite3

REST API with Django and SQLite3

Luis Quiñones Requelme 1 Nov 07, 2021
A tool to automatically fix Django deprecations.

A tool to help upgrade Django projects to newer version of the framework by automatically fixing deprecations. The problem When maintaining a Django s

Bruno Alla 155 Dec 14, 2022
🔥 Campus-Run Django Server🔥

🏫 Campus-Run Campus-Run is a 3D racing game set on a college campus. Designed this service to comfort university students who are unable to visit the

Youngkwon Kim 1 Feb 08, 2022
Simple tagging for django

django-taggit This is a Jazzband project. By contributing you agree to abide by the Contributor Code of Conduct and follow the guidelines. django-tagg

Jazzband 3k Jan 02, 2023
Dashboad Full Stack utilizando o Django.

Dashboard FullStack completa Projeto finalizado | Informações Cadastro de cliente Menu interatico mostrando quantidade de pessoas bloqueadas, liberada

Lucas Silva 1 Dec 15, 2021
A UUIDField for Django

django-uuidfield Provides a UUIDField for your Django models. Installation Install it with pip (or easy_install): pip install django-uuidfield Usage

David Cramer 265 Nov 30, 2022
Django Email Sender

Email-Sender Django Email Sender Installation 1.clone Repository & Install Packages git clone https://github.com/telman03/Email-Sender.git pip install

Telman Gadimov 0 Dec 26, 2021
A generic system for filtering Django QuerySets based on user selections

Django Filter Django-filter is a reusable Django application allowing users to declaratively add dynamic QuerySet filtering from URL parameters. Full

Carlton Gibson 3.9k Jan 03, 2023
Django-pwned - A collection of django password validators

Django Pwned A collection of django password validators. Compatibility Python: 3

Quera 22 Jun 27, 2022
A set of functions related with Django

django-extra-tools Table of contents Installation Quick start Template filters parse_datetime parse_date parse_time parse_duration Aggregation First L

Tomasz Jakub Rup 3 Mar 04, 2020