Metadata-Version: 2.1
Name: django-feature-policy
Version: 3.3.0
Summary: Set the draft security HTTP header Feature-Policy on your Django app.
Home-page: https://github.com/adamchainz/django-feature-policy
Author: Adam Johnson
Author-email: me@adamj.eu
License: ISC
Project-URL: Changelog, https://github.com/adamchainz/django-feature-policy/blob/master/HISTORY.rst
Description: django-feature-policy
        =====================
        
        .. image:: https://github.com/adamchainz/django-feature-policy/workflows/CI/badge.svg?branch=master
           :target: https://github.com/adamchainz/django-feature-policy/actions?workflow=CI
        
        .. image:: https://img.shields.io/pypi/v/django-feature-policy.svg
           :target: https://pypi.python.org/pypi/django-feature-policy
        
        .. image:: https://img.shields.io/badge/code%20style-black-000000.svg
           :target: https://github.com/python/black
        
        Set the draft security HTTP header ``Feature-Policy`` on your Django app.
        
        Requirements
        ------------
        
        Python 3.5 to 3.8 supported.
        
        Django 2.0 to 3.0 supported.
        
        Installation
        ------------
        
        Install with **pip**:
        
        .. code-block:: sh
        
            python -m pip install django-feature-policy
        
        Then add the middleware, ideally after Django's ``SecurityMiddleware``, which
        similarly adds security headers that you'll want on every response:
        
        .. code-block:: python
        
            MIDDLEWARE = [
              ...
              'django.middleware.security.SecurityMiddleware',
              'django_feature_policy.FeaturePolicyMiddleware',
              ...
            ]
        
        By default no header is set; configure the setting as described below.
        
        Setting
        -------
        
        Change the ``FEATURE_POLICY`` setting to configure what ``Feature-Policy``
        header gets set.
        
        This should be a dictionary laid out with:
        
        * Keys as the names of browser features - a full list is available on the
          `W3 Spec repository`_. The `MDN article`_ is also worth reading.
        * Values as lists of strings, where each string is either an origin, e.g.
          ``'https://example.com'``, or one of the special values ``'self'``,
          ``'none'``, or ``'*'``. If there is just one value, no containing list is
          necessary. Note that in the header, special values like ``'none'`` include
          single quotes around them. Do not include these quotes in your Python
          string; the middleware adds them.
        
        .. _W3 Spec repository: https://github.com/w3c/webappsec-feature-policy/blob/master/features.md
        .. _MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility
        
        If the keys or values are invalid, ``ImproperlyConfigured`` will be raised at
        instantiation time, or when processing a response. The current feature list is
        pulled from the JavaScript API with
        ``document.featurePolicy.allowedFeatures()`` on Chrome.
        
        Examples
        ~~~~~~~~
        
        Disable geolocation from running in the current page and any iframe:
        
        .. code-block:: python
        
            FEATURE_POLICY = {
                'geolocation': 'none',
            }
        
        Allow autoplay from the current origin and iframes from
        ``https://archive.org``:
        
        .. code-block:: python
        
            FEATURE_POLICY = {
                'autoplay': ['self', 'https://archive.org'],
            }
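        
        How a ``FEATURE_POLICY`` dictionary maps to the header value, as an added
        example that is not the package's own code: it applies the quoting rule
        described under Setting, sends ``*`` without quotes and sorts the keys, as the
        History entries for 2.2.0 and 2.3.0 describe. ``KNOWN_FEATURES`` is a
        constructed subset of feature names, the origin check and the ``; ``
        separator are assumptions, and ``ValueError`` stands in for Django's
        ``ImproperlyConfigured``.
        
        ```python
        from urllib.parse import urlsplit
        
        # Constructed subset of the feature names mentioned on this page (assumption).
        KNOWN_FEATURES = {"autoplay", "ch-ua-mobile", "downloads", "geolocation"}
        QUOTED_KEYWORDS = {"self", "none"}  # rendered as 'self' and 'none'
        
        # Constructed sample setting.
        SAMPLE_POLICY = {
            "geolocation": "none",
            "autoplay": ["self", "https://archive.org"],
            "downloads": "*",
        }
        
        
        def render_value(feature, value):
            """Return one allowlist entry as it should appear in the header."""
            if value in QUOTED_KEYWORDS:
                return f"'{value}'"
            if value == "*":
                return value  # the wildcard is sent without quotes
            if "'" in value or '"' in value:
                raise ValueError(f"{feature}: drop the quotes from {value!r}")
            parts = urlsplit(value)
            is_origin = parts.scheme and parts.netloc and not (
                parts.path or parts.query or parts.fragment
            )
            if not is_origin:
                raise ValueError(f"{feature}: {value!r} is not an origin or special value")
            return value
        
        
        def render_feature_policy(policy):
            """Build the Feature-Policy header value from a FEATURE_POLICY-style dict."""
            directives = []
            for feature in sorted(policy):  # sorted keys give a deterministic header
                if feature not in KNOWN_FEATURES:
                    raise ValueError(f"unknown feature: {feature!r}")
                values = policy[feature]
                if isinstance(values, str):  # a single value needs no containing list
                    values = [values]
                if not values:
                    raise ValueError(f"{feature}: empty allowlist")
                directives.append(" ".join([feature] + [render_value(feature, v) for v in values]))
            return "; ".join(directives)
        
        
        if __name__ == "__main__":
            print("Feature-Policy:", render_feature_policy(SAMPLE_POLICY))
        ```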
        
        History
        =======
        
        3.3.0 (2020-04-09)
        ------------------
        
        * Drop Django 1.11 support. Only Django 2.0+ is supported now.
        * Updated to the latest set of features from Chrome 81. This adds
          'ch-ua-mobile', removes 'document-access' and 'vr', and renames
          'downloads-without-user-activation' to 'downloads'.
        
        3.2.0 (2020-01-19)
        ------------------
        
        * Updated to the latest set of features from Chrome. This adds 2 new features:
          'document-access' and 'xr-spatial-tracking'. This also removes 'speaker'
          since it has now been
          `removed from the w3c specification <https://github.com/w3c/webappsec-feature-policy/commit/18707d396e1d3f0be3de348fc432383cc8866e0b>`__.
        
        3.1.0 (2019-11-15)
        ------------------
        
        * Updated to the latest set of features from Chrome. This adds 17 new features:
          'ch-device-memory', 'ch-downlink', 'ch-dpr', 'ch-ect', 'ch-lang', 'ch-rtt',
          'ch-ua', 'ch-ua-arch', 'ch-ua-model', 'ch-ua-platform', 'ch-viewport-width',
          'ch-width', 'execution-while-not-rendered', and
          'execution-while-out-of-viewport'. Chrome has also removed support for
          'speaker' but since this is still in the specification, it has been left.
        * Converted setuptools metadata to configuration file. This meant removing the
          ``__version__`` attribute from the package. If you want to inspect the
          installed version, use
          ``importlib.metadata.version("django-feature-policy")``
          (`docs <https://docs.python.org/3.8/library/importlib.metadata.html#distribution-versions>`__ /
          `backport <https://pypi.org/project/importlib-metadata/>`__).
        * Support Python 3.8.
        
        3.0.0 (2019-08-02)
        ------------------
        
        * Updated to the latest set of features from Chrome. This removes
          'legacy-image-formats' and 'unoptimized-images', and adds 17 new features:
          'downloads-without-user-activation', 'focus-without-user-activation',
          'forms', 'hid', 'idle-detection', 'loading-frame-default-eager', 'modals',
          'orientation-lock', 'pointer-lock', 'popups', 'presentation', 'scripts',
          'serial', 'top-navigation', 'unoptimized-lossless-images',
          'unoptimized-lossless-images-strict' and 'unoptimized-lossy-images'. Note
          that most of these are still experimental as can be seen on the
          `W3C feature list <https://github.com/w3c/webappsec-feature-policy/blob/master/features.md>`__.
        
        * Stop marking the distributed wheel as universal. Python 2 was never supported
          so the wheel was never actually universal.
        
        2.3.0 (2019-05-19)
        ------------------
        
        * Update Python support to 3.5-3.7, as 3.4 has reached its end of life.
        
        * Make the generated header deterministic by iterating the settings dict in
          sorted order.
        
        * Support Django 1.11 for completeness.
        
        2.2.0 (2019-05-08)
        ------------------
        
        * Fix interpretation of '*' by not automatically adding quotes.
        * Optimize header generation to reduce impact on every request.
        
        2.1.0 (2019-04-28)
        ------------------
        
        * Tested on Django 2.2. No changes were needed for compatibility.
        
        2.0.0 (2019-03-29)
        ------------------
        
        * Updated to the latest set of features from Chrome.
          'animations', 'image-compression', and 'max-downscaling-image' have been
          removed, whilst 'document-domain', 'font-display-late-swap',
          'layout-animations', 'oversized-images', 'unoptimized-images', and
          'wake-lock' have been added.
          See more at https://github.com/w3c/webappsec-feature-policy/blob/master/features.md .
        
        1.0.1 (2019-01-02)
        ------------------
        
        * Support for new 'lazyload' feature, per https://www.chromestatus.com/feature/5641405942726656.
        
        1.0.0 (2018-10-24)
        ------------------
        
        * First release, supporting adding the header with a middleware.
        
Keywords: Django
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Framework :: Django :: 2.0
Classifier: Framework :: Django :: 2.1
Classifier: Framework :: Django :: 2.2
Classifier: Framework :: Django :: 3.0
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: ISC License (ISCL)
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Requires-Python: >=3.5
Description-Content-Type: text/x-rst
