django
Fixed #30746 -- Added support for Permissions-Policy header.
Hi all.
- I rebased this.
- Added a link in release notes from BC Misc to Security. (@claudep)
- I wrote a paragraph for the Security topic page (@pope1ni)
- I'm now inclined to merge the first 3 commits, then rebase this again, and rename it appropriately. (@felixxm)
(I seem to have broken flake8... will fix that. — Update: Oh, no, it wasn't me. Will still fix it... 🙂)
Little weirdness in the GH UI here with the commit ordering.
To be clear I'm intending to merge:
commit 3be615fb698b9208b8081f68cc1b30a06d5f35d1
Author: Nick Pope <[email protected]>
Date:   Thu Mar 21 21:33:41 2019 +0000

    Fixed #29406 -- Added support for Referrer-Policy header.

    Thanks to James Bennett for the initial implementation.

commit 043ee57f6e3f092af56f5fa004bb31b59303c1ea
Author: Nick Pope <[email protected]>
Date:   Mon Sep 2 00:19:16 2019 +0100

    Refs #30426 -- Moved release note into separate security section.

commit 35f75ebe4df1ad2b0eff776f940a70c82585f57f
Author: Nick Pope <[email protected]>
Date:   Sun Mar 24 21:26:04 2019 +0000

    Standardized links for headers in security middleware documentation.
(No idea why 8cc2d717e1aca01da00d21be31612393f9b418ad is showing as before 3be615fb698b9208b8081f68cc1b30a06d5f35d1)
@felixxm I pushed 4851811c7922ea043f6aaa700181e2f01ac7cffe as a fixup. If you think 👍 I'll squash and reword the commit message.
@carltongibson fixup looks good, thanks :+1:
OK, ta! I'll handle the niggles and pull it in. Thanks @pope1ni @claudep!
(No idea why 8cc2d71 is showing as before 3be615f)
(GH's UI confusingly sorts by commit date rather than parentage, which can mean rebasing gets things all over the place)
Nice. Thanks Adam.
OK, all corrected (except Feature Policy stuff) I will pull in the three commits in a wee bit. 🥪
Sorry for running out of time and thanks @felixxm for reviewing and @carltongibson for polishing! :star2:
I'll pick up Feature-Policy for 3.1 - there was a lot of documentation still to write and it became a bit of a stretch to get it done.
Hey @pope1ni. Right, all merged in — Thank you for the work! — except the Feature Policy stuff, so rebased and renamed accordingly.
Not sure of the time-line for us bringing this in: maybe close this for now, and re-open, or start afresh when it's ripe?
Thanks @carltongibson. Let's leave it open - I intend to continue it fairly soon.
Rebased to 3.1, still a work in progress.
The spec is still in "Editor's Draft" status, and a lot of it is behind flags, which seems a little risky - maybe it's better to wait until it progresses?
This is true, but there is enough of it not behind flags for Chrome (and thus now Edge) and it is also being checked by some tools such as securityheaders.com. There is also ~11 months until the release of 3.1, so we can always tweak it before then.
Feature-Policy seems to have (or plans to have) reporting and a report-only mode -- see here. For Content-Security-Policy, this is quite helpful, not sure about Feature-Policy. Do you plan to have any integration with that in Django?
This is good to know. It looks as though Feature-Policy-Report-Only has been implemented in Chrome - so, yes, I'll look into supporting this.
Edit: See my comment on the ticket.
Maybe should be using https://github.com/adamchainz/django-permissions-policy in the meantime.
As per comments on ticket: https://code.djangoproject.com/ticket/30746#comment:2 - we will not add Permissions-Policy to django core until it's not a draft. Not much seems to have changed on that front in the two years since I posted that comment, apart from the name of the header.
As far as I'm aware, we can close this for now. PR is not mergeable and most directives are still marked as experimental or behind feature flags.
Agreed that we should just punt this out for now.
Progress seems to be incredibly slow going on Document-Policy/Permissions-Policy and many features are still flagged as experimental. Mozilla are still using the earlier Feature-Policy header in Firefox and work seems to have largely stalled for years... Although they have finally updated MDN to use the new naming.
Anyone wanting to use this should look to django-permissions-policy for now and we can revisit ticket-30746 if and when things mature.
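For anyone comparing the two header syntaxes this thread discusses, here is an added example (not code from this PR, from Django, or from django-permissions-policy) that renders one policy mapping as a Permissions-Policy value (structured-field dictionary syntax), as a legacy Feature-Policy value (CSP-like syntax), and attaches it to a response's header mapping, optionally under the Report-Only header name mentioned above. The policy dict shape, the function names and the sample origins are assumptions made for illustration only.

```python
# Added example, not the PR's or django-permissions-policy's code.
# Assumed policy shape: {feature_name: [allowlist entries]}, where an empty
# list disables the feature everywhere, "self" / "src" are keywords, "*" means
# any origin, and anything else is an origin string.
from typing import Dict, Iterable, List, MutableMapping

# Keywords are emitted bare as tokens in Permissions-Policy and quoted with
# single quotes in the older Feature-Policy syntax.
_KEYWORDS = {"self", "src"}


def permissions_policy_header(policy: Dict[str, Iterable[str]]) -> str:
    """Render a policy as a Permissions-Policy value.

    {"geolocation": [], "camera": ["self", "https://cdn.example"]}
    -> 'geolocation=(), camera=(self "https://cdn.example")'
    """
    parts: List[str] = []
    for feature, allowlist in policy.items():
        entries = list(allowlist)
        if entries == ["*"]:
            parts.append(f"{feature}=*")  # wildcard is written without a list
            continue
        items: List[str] = []
        for entry in entries:
            if entry == "*":
                raise ValueError(f"{feature}: '*' must be the only allowlist entry")
            # keywords are bare tokens, origins are quoted strings
            items.append(entry if entry in _KEYWORDS else f'"{entry}"')
        parts.append(f"{feature}=({' '.join(items)})")
    return ", ".join(parts)


def feature_policy_header(policy: Dict[str, Iterable[str]]) -> str:
    """Render the same policy in the legacy Feature-Policy syntax.

    {"geolocation": [], "camera": ["self", "https://cdn.example"]}
    -> "geolocation 'none'; camera 'self' https://cdn.example"
    """
    parts: List[str] = []
    for feature, allowlist in policy.items():
        entries = list(allowlist)
        if not entries:
            parts.append(f"{feature} 'none'")  # empty allowlist is spelled 'none'
            continue
        items = [f"'{e}'" if e in _KEYWORDS else e for e in entries]
        parts.append(f"{feature} {' '.join(items)}")
    return "; ".join(parts)


def add_policy_headers(
    headers: MutableMapping[str, str],
    policy: Dict[str, Iterable[str]],
    report_only: bool = False,
    legacy: bool = False,
) -> MutableMapping[str, str]:
    """Attach the rendered policy to a response header mapping.

    report_only selects the -Report-Only variant of the header name, so a policy
    can be rolled out and observed via reporting before it is enforced.
    legacy emits the older Feature-Policy header instead of Permissions-Policy.
    """
    name = "Feature-Policy" if legacy else "Permissions-Policy"
    if report_only:
        name += "-Report-Only"
    value = feature_policy_header(policy) if legacy else permissions_policy_header(policy)
    headers[name] = value
    return headers


if __name__ == "__main__":
    # Constructed sample policy: disable geolocation, allow camera for the
    # site itself and one assumed CDN origin, allow fullscreen anywhere.
    sample = {
        "geolocation": [],
        "camera": ["self", "https://cdn.example"],
        "fullscreen": ["*"],
    }
    print(add_policy_headers({}, sample))
    print(add_policy_headers({}, sample, report_only=True))
    print(add_policy_headers({}, sample, legacy=True))
```

The two renderers share one policy mapping so that a project can serve the enforced header and, during rollout, the Report-Only variant from the same configuration; the wildcard check exists because `*` only makes sense alone, and emitting `(* "https://cdn.example")` would be a malformed allowlist.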
Agree to punting. I regularly re-check the specifications for updates on the specifications as part of maintaining django-permissions-policy, and yeah, it’s slow.