Opened 5 years ago
Last modified 19 months ago
#30746 new New feature
Add Permissions-Policy (was Feature-Policy) header support.
| Reported by: | Nick Pope | Owned by: | |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | feature-policy, permissions-policy |
| Cc: | Triage Stage: | Someday/Maybe | |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Similar to planned support for Referrer-Policy, we should add Permissions-Policy (was Feature-Policy) which allows controlling use of browser features.
Change History (8)
comment:1 by , 5 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
follow-up: 4 comment:2 by , 5 years ago
comment:3 by , 5 years ago
| Triage Stage: | Accepted → Someday/Maybe |
|---|
I agree with Adam, it's too early. This header is still under development and it isn't wide-supported.
comment:4 by , 5 years ago
| Has patch: | set |
|---|---|
| Needs documentation: | set |
| Patch needs improvement: | set |
Replying to Adam (Chainz) Johnson:
I'm -1 on adding Feature-Policy to Django... right now. It's far too experimental and evolving much faster than Django's release cycle.
...
I think it'll be settled in a year or so and then it'll be worth adding to Django core.
Replying to felixxm:
I agree with Adam, it's too early. This header is still under development and it isn't wide-supported.
I understand and agree. I was hoping to look into supporting Content-Security-Policy too for 3.1 and this is somewhat less complex, but also similar in syntax, so exploring this will help. Thus I will probably progress the PR as far as possible for now and then leave it on ice. We'll have a better idea come April~May 2020.
comment:5 by , 5 years ago
Cool, thanks Nick. I'll be updating django-feature-policy in the mean time so it'll be useful to see what the changes are (I have a calendar reminder to check the specs every 3 months).
comment:7 by , 5 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | feature-policy permissions-policy added |
| Summary: | Add Feature-Policy header support → Add Permissions-Policy (was Feature-Policy) header support. |
comment:8 by , 19 months ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
See my comment on the PR.
This basically isn't progressing very quickly right now and much still seems to be in flux.
If and when things progress/stabilize, we can revisit this.
I'm -1 on adding Feature-Policy to Django... right now. It's far too experimental and evolving much faster than Django's release cycle.
I created django-feature-policy to support it in October last year. Since then I've done two "breaking changes" releases to update to the supported set of headers: https://github.com/adamchainz/django-feature-policy/blob/master/HISTORY.rst
It's still an actively developed w3c spec: https://github.com/w3c/webappsec-feature-policy/commits/master . Also on the MDN page the support grid shows that most support, even in Chrome, remains behind feature flags: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility
I think it'll be settled in a year or so and then it'll be worth adding to Django core.