Opened 5 years ago

Last modified 18 months ago

#30746 new New feature

Add Permissions-Policy (was Feature-Policy) header support.

Reported by: Nick Pope Owned by:
Component: Utilities Version: dev
Severity: Normal Keywords: feature-policy, permissions-policy
Cc: Triage Stage: Someday/Maybe
Has patch: yes Needs documentation: yes
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description (last modified by Nick Pope)

Similar to planned support for Referrer-Policy, we should add Permissions-Policy (was Feature-Policy) which allows controlling use of browser features.

Change History (8)

comment:1 by Carlton Gibson, 5 years ago

Triage Stage: UnreviewedAccepted

comment:2 by Adam Johnson, 5 years ago

I'm -1 on adding Feature-Policy to Django... right now. It's far too experimental and evolving much faster than Django's release cycle.

I created django-feature-policy to support it in October last year. Since then I've done two "breaking changes" releases to update to the supported set of headers: https://github.com/adamchainz/django-feature-policy/blob/master/HISTORY.rst

It's still an actively developed w3c spec: https://github.com/w3c/webappsec-feature-policy/commits/master . Also on the MDN page the support grid shows that most support, even in Chrome, remains behind feature flags: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility

I think it'll be settled in a year or so and then it'll be worth adding to Django core.

comment:3 by Mariusz Felisiak, 5 years ago

Triage Stage: AcceptedSomeday/Maybe

I agree with Adam, it's too early. This header is still under development and it isn't wide-supported.

in reply to:  2 comment:4 by Nick Pope, 5 years ago

Has patch: set
Needs documentation: set
Patch needs improvement: set

Replying to Adam (Chainz) Johnson:

I'm -1 on adding Feature-Policy to Django... right now. It's far too experimental and evolving much faster than Django's release cycle.

...

I think it'll be settled in a year or so and then it'll be worth adding to Django core.

Replying to felixxm:

I agree with Adam, it's too early. This header is still under development and it isn't wide-supported.

I understand and agree. I was hoping to look into supporting Content-Security-Policy too for 3.1 and this is somewhat less complex, but also similar in syntax, so exploring this will help. Thus I will probably progress the PR as far as possible for now and then leave it on ice. We'll have a better idea come April~May 2020.

comment:5 by Adam Johnson, 5 years ago

Cool, thanks Nick. I'll be updating django-feature-policy in the mean time so it'll be useful to see what the changes are (I have a calendar reminder to check the specs every 3 months).

comment:6 by Adam Johnson, 5 years ago

P.S. CSP is very ambitious :)

comment:7 by Nick Pope, 4 years ago

Description: modified (diff)
Keywords: feature-policy permissions-policy added
Summary: Add Feature-Policy header supportAdd Permissions-Policy (was Feature-Policy) header support.

comment:8 by Nick Pope, 18 months ago

Owner: Nick Pope removed
Status: assignednew

See my comment on the PR.

This basically isn't progressing very quickly right now and much still seems to be in flux.

If and when things progress/stabilize, we can revisit this.

Note: See TracTickets for help on using tickets.
Back to Top