Skip to main content

Set the Permissions-Policy HTTP header on your Django app.

Project description

https://img.shields.io/github/actions/workflow/status/adamchainz/django-permissions-policy/main.yml.svg?branch=main&style=for-the-badge https://img.shields.io/badge/Coverage-100%25-success?style=for-the-badge https://img.shields.io/pypi/v/django-permissions-policy.svg?style=for-the-badge https://img.shields.io/badge/code%20style-black-000000.svg?style=for-the-badge pre-commit

Set the Permissions-Policy HTTP header on your Django app.


Work smarter and faster with my book Boost Your Django DX which covers many ways to improve your development experience.


Requirements

Python 3.9 to 3.13 supported.

Django 4.2 to 5.2 supported.

Installation

  1. Install with pip:

python -m pip install django-permissions-policy

2. Add the middleware in your MIDDLEWARE setting. It’s best to add it after Django’s SecurityMiddleware, so it adds the header at the same point in your stack:

MIDDLEWARE = [
    ...,
    "django.middleware.security.SecurityMiddleware",
    "django_permissions_policy.PermissionsPolicyMiddleware",
    ...,
]
  1. Add the PERMISSIONS_POLICY setting to your settings, naming at least one feature. Here’s an example that sets a strict policy to disable many potentially privacy-invading and annoying features for all scripts:

    PERMISSIONS_POLICY = {
        "accelerometer": [],
        "ambient-light-sensor": [],
        "autoplay": [],
        "camera": [],
        "display-capture": [],
        "encrypted-media": [],
        "fullscreen": [],
        "geolocation": [],
        "gyroscope": [],
        "interest-cohort": [],
        "magnetometer": [],
        "microphone": [],
        "midi": [],
        "payment": [],
        "usb": [],
    }

    See below for more information on the setting.

Setting

Change the PERMISSIONS_POLICY setting to configure the contents of the header.

The setting should be a dictionary laid out with:

  • Keys as the names of browser features - a full list is available on the W3 Spec repository. The MDN article is also worth reading.

  • Values as lists of strings, where each string is either an origin, e.g. 'https://example.com', or of the special values 'self' or '*'. If there is just one value, no containing list is necessary. To represent no origins being allowed, use an empty list.

    Note that in the header, domains are wrapped in double quotes - do not include these quotes within your Python string, as they will be added by the middleware.

If the keys or values are invalid, ImproperlyConfigured will be raised at instantiation time, or when processing a response. The current feature list is pulled from the JavaScript API with document.featurePolicy.allowedFeatures() on Chrome and Firefox. Browsers don’t always recognize all features, depending on the version and configuration. You may see warnings in the console for unavailable features in the header - these are normally safe to ignore, since django-permissions-policy already validates that you don’t have completely unknown names.

For backwards compatibility with old configuration, the value 'none' is supported in lists, but ignored - it’s preferable to use the empty list instead. It doesn’t make sense to specify 'none' alongside other values.

Examples

Disable geolocation entirely, for the current origin and any iframes:

PERMISSIONS_POLICY = {
    "geolocation": [],
}

Allow autoplay from only the current origin and iframes from https://archive.org:

PERMISSIONS_POLICY = {
    "autoplay": ["self", "https://archive.org"],
}

Allow autoplay from all origins:

PERMISSIONS_POLICY = {
    "autoplay": "*",
}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_permissions_policy-4.26.0.tar.gz (10.4 kB view details)

Uploaded Source

Built Distribution

django_permissions_policy-4.26.0-py3-none-any.whl (6.7 kB view details)

Uploaded Python 3

File details

Details for the file django_permissions_policy-4.26.0.tar.gz.

File metadata

File hashes

Hashes for django_permissions_policy-4.26.0.tar.gz
Algorithm Hash digest
SHA256 0e129870453ff90521aa2cf8264978fbc57e33117d2313052809730869f8b626
MD5 5fa4c382c24eee286c019bab387bf565
BLAKE2b-256 312e421a9dc5852175802fbf5266a87c945e4c91117938a02fa24732e4f39907

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_permissions_policy-4.26.0.tar.gz:

Publisher: main.yml on adamchainz/django-permissions-policy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file django_permissions_policy-4.26.0-py3-none-any.whl.

File metadata

File hashes

Hashes for django_permissions_policy-4.26.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d5a5067b8137c326f3015e02d8e6615e980f1a12903d0dbf9cb446e227bc67dd
MD5 ac57e7d00a897cf31ce932c5376abf09
BLAKE2b-256 06f213cba28047672e4b195e4296037e78290acd6656234095ff47b85128902f

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_permissions_policy-4.26.0-py3-none-any.whl:

Publisher: main.yml on adamchainz/django-permissions-policy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page