Opened 11 months ago

Last modified 4 weeks ago

#30746 assigned New feature

Add Permissions-Policy (was Feature-Policy) header support.

Reported by: Nick Pope
Owned by: Nick Pope
Component: Utilities
Version: master
Severity: Normal
Keywords: feature-policy, permissions-policy
Cc:
Triage Stage: Someday/Maybe
Has patch: yes
Needs documentation: yes
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description (last modified by Nick Pope)

Similar to planned support for Referrer-Policy, we should add Permissions-Policy (was Feature-Policy) which allows controlling use of browser features.

Change History (7)

comment:1 Changed 11 months ago by Carlton Gibson

Triage Stage: Unreviewed → Accepted

comment:2 Changed 11 months ago by Adam (Chainz) Johnson

I'm -1 on adding Feature-Policy to Django... right now. It's far too experimental and evolving much faster than Django's release cycle.

I created django-feature-policy to support it in October last year. Since then I've done two "breaking changes" releases to update to the supported set of headers: https://github.com/adamchainz/django-feature-policy/blob/master/HISTORY.rst

It's still an actively developed W3C spec: https://github.com/w3c/webappsec-feature-policy/commits/master . Also on the MDN page the support grid shows that most support, even in Chrome, remains behind feature flags: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility

I think it'll be settled in a year or so and then it'll be worth adding to Django core.

comment:3 Changed 11 months ago by felixxm

Triage Stage: Accepted → Someday/Maybe

I agree with Adam, it's too early. This header is still under development and it isn't widely supported.

comment:4 in reply to:  2 Changed 11 months ago by Nick Pope

Has patch: set
Needs documentation: set
Patch needs improvement: set

Replying to Adam (Chainz) Johnson:

> I'm -1 on adding Feature-Policy to Django... right now. It's far too experimental and evolving much faster than Django's release cycle.
>
> ...
>
> I think it'll be settled in a year or so and then it'll be worth adding to Django core.

Replying to felixxm:

> I agree with Adam, it's too early. This header is still under development and it isn't widely supported.

I understand and agree. I was hoping to look into supporting Content-Security-Policy too for 3.1 and this is somewhat less complex, but also similar in syntax, so exploring this will help. Thus I will probably progress the PR as far as possible for now and then leave it on ice. We'll have a better idea come April~May 2020.

comment:5 Changed 11 months ago by Adam (Chainz) Johnson

Cool, thanks Nick. I'll be updating django-feature-policy in the meantime so it'll be useful to see what the changes are (I have a calendar reminder to check the specs every 3 months).

comment:6 Changed 11 months ago by Adam (Chainz) Johnson

P.S. CSP is very ambitious :)

comment:7 Changed 4 weeks ago by Nick Pope

Description: modified (diff)
Keywords: feature-policy permissions-policy added
Summary: Add Feature-Policy header support → Add Permissions-Policy (was Feature-Policy) header support.