django-feature-policy is now django-permissions-policy

This sheep doesn’t need permission to walk how it likes.

I created django-feature-policy in 2018 to allow Django projects to control the draft security header Feature-Policy. Feature-Policy lets your site restrict which origins can use certain sensitive browser features, such as the payments API or access to the webcam. This is valuable if you’re using any third-party JavaScript. Whether such JavaScript comes from npm or an external script tag, you can protect against it doing bad things to your users.

In 2020 a new specification renamed the header to Permissions-Policy, with different syntax. Browsers updated accordingly, so I also updated django-feature-policy. I left it sending both the old and new forms so that older browser versions would remain protected.

A few weeks ago, I updated my package once more, renaming it to django-permissions-policy, and removing the old Feature-Policy header. This is because Chrome now logs warnings about the old Feature-Policy header.

To update for the rename, I uploaded the new version as django-permissions-policy version 4.0.0, and released django-feature-policy 4.0.0 as an empty package that depends on the new name. Thanks to Simon Willison for his repo template demonstrating this technique.

If you are using django-feature-policy, update and swap it for django-permissions-policy. And if you’re not, try it out, and score your site an extra grade on SecurityHeaders.com.

For reference, here’s the policy I’m using on DB Buddy:

PERMISSIONS_POLICY = {
    "accelerometer": [],
    "ambient-light-sensor": [],
    "autoplay": [],
    "camera": [],
    "document-domain": [],
    "encrypted-media": [],
    "fullscreen": [],
    "geolocation": [],
    "gyroscope": [],
    "magnetometer": [],
    "microphone": [],
    "midi": [],
    "payment": [],
    "sync-xhr": [],
    "usb": [],
}

This policy disables many privacy-sensitive features for all origins, including the site itself. It also disables the sync-xhr feature, that is, synchronous XMLHttpRequest, which blocks the main thread while a request completes - this helps performance rather than improving security. If you add any policy to an existing site, be sure to test all functionality thoroughly with your browser console open, since a feature blocked by the policy fails in the browser with a console error rather than with anything visible on the server side.
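To make the syntax change between the two headers concrete, and to show how a setting like the one above becomes an actual header, here is an added example that serialises a policy dict both ways and attaches the new header in a tiny Django-style middleware. This is illustrative code written for this page, not the implementation from django-permissions-policy; it assumes the setting format shown above (feature name to list of origins, where `[]` means no origin, `"self"` the page's own origin, `"*"` any origin, and any other string an origin URL), and the `SAMPLE_POLICY` dict is a constructed input, not a policy from any real site.

```python
"""Serialise a django-permissions-policy style setting into header values.

Illustrative code added for this page, not the package's own code.
Assumed setting format: {feature: [allowlist]} where [] means no origin,
"self" means the page's own origin, "*" means any origin, "src" is the
iframe-src keyword, and any other string is an origin such as
"https://example.com".
"""

# Constructed sample policy (not from any real site): stricter than the
# page's example for camera, but grants a few features selectively.
SAMPLE_POLICY = {
    "camera": [],
    "geolocation": ["self"],
    "payment": ["self", "https://checkout.example.com"],
    "fullscreen": ["*"],
}

_KEYWORDS = ("self", "src", "*")


def _check_policy(policy):
    """Reject values that would silently produce a header browsers ignore."""
    for feature, allowlist in policy.items():
        if not isinstance(allowlist, list):
            raise TypeError(f"{feature}: allowlist must be a list")
        for item in allowlist:
            if item in _KEYWORDS:
                continue
            if not item.startswith(("https://", "http://")):
                raise ValueError(
                    f"{feature}: {item!r} is not 'self', 'src', '*' or an origin URL"
                )


def permissions_policy_header(policy):
    """Permissions-Policy (2020 syntax): feature=(allowlist), comma separated.

    Keywords are bare tokens, origins are double-quoted, an empty list
    serialises as () which disables the feature for every origin, and a
    lone * is written without parentheses.
    """
    _check_policy(policy)
    parts = []
    for feature, allowlist in policy.items():
        if allowlist == ["*"]:
            parts.append(f"{feature}=*")
            continue
        tokens = [item if item in _KEYWORDS else f'"{item}"' for item in allowlist]
        parts.append(f"{feature}=({' '.join(tokens)})")
    return ", ".join(parts)


def feature_policy_header(policy):
    """Legacy Feature-Policy (2018 syntax): "feature origins; feature origins".

    Keywords are single-quoted ('self', 'src', 'none'), * and origins are
    bare, and an empty allowlist is spelled 'none'.
    """
    _check_policy(policy)
    parts = []
    for feature, allowlist in policy.items():
        if not allowlist:
            value = "'none'"
        else:
            value = " ".join(
                f"'{item}'" if item in ("self", "src") else item for item in allowlist
            )
        parts.append(f"{feature} {value}")
    return "; ".join(parts)


class PermissionsPolicyMiddleware:
    """Minimal Django-style middleware sending only the new header, matching
    the page's decision to drop Feature-Policy. It only needs item
    assignment on the response, so it can be exercised without Django.
    """

    def __init__(self, get_response, policy=SAMPLE_POLICY):
        self.get_response = get_response
        self.header_value = permissions_policy_header(policy)  # built once

    def __call__(self, request):
        response = self.get_response(request)
        if self.header_value:
            response["Permissions-Policy"] = self.header_value
        return response
```

The validation step is the part worth keeping even if you use the real package: a typo such as `"example.com"` instead of `"https://example.com"` produces a header that browsers parse but never match, so the feature ends up more permissive than intended without any error.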

To further boost your site’s security, check out my Django Security Headers Guide, although with renames like this it’s getting a little dated!

Fin

May your site be ever more secure,

—Adam

