
Fixed #30746 -- Added support for Permissions-Policy header.

Open ngnpope opened this issue 4 years ago • 14 comments

Ticket #30746

Note that Feature-Policy was renamed to Permissions-Policy.

ngnpope avatar Sep 01 '19 23:09 ngnpope

Hi all.

  • I rebased this.
  • Added a link in release notes from BC Misc to Security. (@claudep)
  • I wrote a paragraph for the Security topic page (@pope1ni)
  • I'm now inclined to merge the first 3 commits, then rebase this again, and rename it appropriately. (@felixxm)

(I seem to have broken flake8... will fix that. — Update, Oh, no, it wasn't me. Will still fix it... 🙂)

carltongibson avatar Sep 09 '19 09:09 carltongibson

Little weirdness in the GH UI here with the commit ordering.

To be clear I'm intending to merge:

commit 3be615fb698b9208b8081f68cc1b30a06d5f35d1
Author: Nick Pope <[email protected]>
Date:   Thu Mar 21 21:33:41 2019 +0000

    Fixed #29406 -- Added support for Referrer-Policy header.
    
    Thanks to James Bennett for the initial implementation.

commit 043ee57f6e3f092af56f5fa004bb31b59303c1ea
Author: Nick Pope <[email protected]>
Date:   Mon Sep 2 00:19:16 2019 +0100

    Refs #30426 -- Moved release note into separate security section.

commit 35f75ebe4df1ad2b0eff776f940a70c82585f57f
Author: Nick Pope <[email protected]>
Date:   Sun Mar 24 21:26:04 2019 +0000

    Standardized links for headers in security middleware documentation.

(No idea why 8cc2d717e1aca01da00d21be31612393f9b418ad is showing as before 3be615fb698b9208b8081f68cc1b30a06d5f35d1)

carltongibson avatar Sep 09 '19 09:09 carltongibson

@felixxm I pushed 4851811c7922ea043f6aaa700181e2f01ac7cffe as a fixup. If you think 👍 I'll squash and reword the commit message.

carltongibson avatar Sep 09 '19 09:09 carltongibson

@carltongibson fixup looks good, thanks :+1:

felixxm avatar Sep 09 '19 09:09 felixxm

OK, ta! I'll handle the niggles and pull it in. Thanks @pope1ni @claudep!

carltongibson avatar Sep 09 '19 09:09 carltongibson

(No idea why 8cc2d71 is showing as before 3be615f)

(GH's UI confusingly sorts by commit date rather than parentage, which can mean rebasing gets things all over the place)

adamchainz avatar Sep 09 '19 10:09 adamchainz

Nice. Thanks Adam.

carltongibson avatar Sep 09 '19 10:09 carltongibson

OK, all corrected (except Feature Policy stuff). I will pull in the three commits in a wee bit. 🥪

carltongibson avatar Sep 09 '19 10:09 carltongibson

Sorry for running out of time and thanks @felixxm for reviewing and @carltongibson for polishing! :star2:

I'll pick up Feature-Policy for 3.1 - there was a lot of documentation still to write and it became a bit of a stretch to get it done.

ngnpope avatar Sep 09 '19 10:09 ngnpope

Hey @pope1ni. Right, all merged in — Thank you for the work! — except the Feature Policy stuff, so rebased and renamed accordingly.

Not sure of the time-line for us bringing this in: maybe close this for now, and re-open, or start afresh when it's ripe?

carltongibson avatar Sep 09 '19 11:09 carltongibson

Thanks @carltongibson. Let's leave it open - I intend to continue it fairly soon.

ngnpope avatar Sep 09 '19 12:09 ngnpope

Rebased to 3.1, still a work in progress.

The spec is still in "Editor's Draft" status, and a lot of it is behind flags, which seems a little risky - maybe it's better to wait until it progresses?

This is true, but there is enough of it not behind flags for Chrome (and thus now Edge) and it is also being checked by some tools such as securityheaders.com. There is also ~11 months until the release of 3.1, so we can always tweak it before then.

Feature-Policy seems to have (or plans to have) reporting and a report-only mode -- see here. For Content-Security-Policy, this is quite helpful, not sure about Feature-Policy. Do you plan to have any integration with that in Django?

This is good to know. It looks as though Feature-Policy-Report-Only has been implemented in Chrome - so, yes, I'll look into supporting this.

Edit: See my comment on the ticket.

ngnpope avatar Sep 10 '19 14:09 ngnpope
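Added example (not code from this PR, from Django, or from django-permissions-policy), illustrating the header discussed above: a Django-style middleware that serialises a policy into the structured-field Permissions-Policy syntax and, for browsers that still read the old name mentioned earlier in the thread, the legacy Feature-Policy syntax, plus a small parser to check the emitted value. The policy, the origins, the class-attribute configuration, and the Permissions-Policy-Report-Only header name used for report-only mode are assumptions made for the example.

```python
"""Serialise and emit Permissions-Policy (and legacy Feature-Policy) headers.

Added example, not Django's code. Allowlist values per feature: "*" (any
origin), "self", "src", or a bare origin such as "https://maps.example".
An empty allowlist disables the feature everywhere.
"""
import re
from typing import Iterable, Mapping

_FEATURE = re.compile(r"[a-z][a-z0-9-]*")
# Bare scheme://host[:port] only (no IPv6 literals or paths; a simplification).
_ORIGIN = re.compile(r"https?://[A-Za-z0-9.\-]+(?::[0-9]{1,5})?")


def _origin(value: str) -> str:
    # Reject anything that is not a bare serialised origin (paths, quotes,
    # spaces, delimiters) so a bad setting cannot smuggle in another directive.
    if not _ORIGIN.fullmatch(value):
        raise ValueError(f"not a bare origin: {value!r}")
    return value


def permissions_policy(policy: Mapping[str, Iterable[str]]) -> str:
    """Structured-field form: geolocation=(self "https://a.example"), camera=()."""
    parts = []
    for feature, allowlist in policy.items():
        if not _FEATURE.fullmatch(feature):
            raise ValueError(f"bad feature name: {feature!r}")
        tokens = [item if item in ("*", "self", "src") else f'"{_origin(item)}"'
                  for item in allowlist]
        # "*" on its own is the bare token; everything else is an inner list.
        parts.append(f"{feature}=*" if tokens == ["*"] else f"{feature}=({' '.join(tokens)})")
    return ", ".join(parts)


def feature_policy(policy: Mapping[str, Iterable[str]]) -> str:
    """Legacy form: geolocation 'self' https://a.example; camera 'none'."""
    parts = []
    for feature, allowlist in policy.items():
        if not _FEATURE.fullmatch(feature):
            raise ValueError(f"bad feature name: {feature!r}")
        tokens = [item if item == "*" else f"'{item}'" if item in ("self", "src")
                  else _origin(item) for item in allowlist]
        parts.append(f"{feature} {' '.join(tokens or [chr(39) + 'none' + chr(39)])}")
    return "; ".join(parts)


def parse_permissions_policy(header: str) -> dict:
    """Read back what permissions_policy() wrote (a round-trip check, not a
    general structured-field parser). Origins cannot contain commas, so
    splitting on ',' is safe for our own output."""
    policy = {}
    for part in (p.strip() for p in header.split(",")):
        if not part:
            continue
        feature, _, value = part.partition("=")
        if value == "*":
            policy[feature] = ("*",)
        else:
            policy[feature] = tuple(tok.strip('"') for tok in value.strip()[1:-1].split())
    return policy


class PermissionsPolicyMiddleware:
    """Django-style middleware (__init__(get_response) / __call__(request)).

    Policy and switches are class attributes so the example runs without
    django.conf; a real project would read them from settings. The
    Permissions-Policy-Report-Only name for report-only mode follows the
    draft's reporting section and is an assumption here.
    """
    policy = {
        "geolocation": ("self",),
        "camera": (),
        "microphone": (),
        "payment": ("self", "https://pay.example"),  # constructed origin
        "fullscreen": ("*",),
    }
    report_only = False
    emit_legacy = True  # also send Feature-Policy for browsers on the old name

    def __init__(self, get_response):
        self.get_response = get_response
        # Serialise once at startup: a malformed policy fails at boot, not per request.
        self.header_value = permissions_policy(self.policy)
        self.legacy_value = feature_policy(self.policy)

    def __call__(self, request):
        response = self.get_response(request)
        name = "Permissions-Policy-Report-Only" if self.report_only else "Permissions-Policy"
        # setdefault mirrors SecurityMiddleware: a view that set the header itself wins.
        response.setdefault(name, self.header_value)
        if self.emit_legacy and not self.report_only:
            response.setdefault("Feature-Policy", self.legacy_value)
        return response
```

`response.setdefault` is the same call on a Django `HttpResponse` and on a plain dict, so the middleware can be exercised with `PermissionsPolicyMiddleware(lambda request: {})(None)` and the returned mapping inspected directly.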

Maybe we should be using https://github.com/adamchainz/django-permissions-policy in the meantime.

auvipy avatar Sep 16 '21 11:09 auvipy

As per comments on ticket: https://code.djangoproject.com/ticket/30746#comment:2 - we will not add Permissions-Policy to django core until it's no longer a draft. Not much seems to have changed on that front in the two years since I posted that comment, apart from the name of the header.

adamchainz avatar Sep 16 '21 11:09 adamchainz

As far as I'm aware, we can close this for now. PR is not mergeable and most directives are still marked as experimental or behind feature flags.

felixxm avatar Jul 14 '23 11:07 felixxm

As far as I'm aware, we can close this for now. PR is not mergeable and most directives are still marked as experimental or behind feature flags.

Agreed that we should just punt this out for now.

Progress seems to be incredibly slow going on Document-Policy/Permissions-Policy and many features are still flagged as experimental. Mozilla are still using the earlier Feature-Policy header in Firefox and work seems to have largely stalled for years... Although they have finally updated MDN to use the new naming.

Anyone wanting to use this should look to django-permissions-policy for now and we can revisit ticket-30746 if and when things mature.

ngnpope avatar Jul 14 '23 14:07 ngnpope

Agree to punting. I regularly re-check the specifications for updates as part of maintaining django-permissions-policy, and yeah, it’s slow.

adamchainz avatar Jul 23 '23 21:07 adamchainz