From 01d78a7378f9505050cf73b4933665366d60b0ef Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 30 Oct 2022 19:12:26 +0000
Subject: [PATCH] Add permissions policy
---
 poetry.lock | 17 ++++++++++++++++-
 pyproject.toml | 1 +
 website/settings.py | 20 ++++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/poetry.lock b/poetry.lock
index 5a091d9..736e991 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -318,6 +318,17 @@ Django = "*"
 [package.extras]
 testing = ["django-modelcluster"]
+[[package]]
+name = "django-permissions-policy"
+version = "4.13.0"
+description = "Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app."
+category = "main"
+optional = false
+python-versions = ">=3.7"
+
+[package.dependencies]
+Django = ">=3.2"
+
 [[package]]
 name = "django-plausible"
 version = "0.4.0"
@@ -1387,7 +1398,7 @@ testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools"
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.10"
-content-hash = "8d2f240eaa055939613b5fcd9f364df73c8488de9fe3aa9e68c691ff7ad7c3d5"
+content-hash = "24f28337794e9b5a60a33b8993b98de7815fdc9603d8ffc6cb258ee56c29f996"
 [metadata.files]
 anyascii = [
@@ -1621,6 +1632,10 @@ django-permissionedforms = [
 {file = "django-permissionedforms-0.1.tar.gz", hash = "sha256:4340bb20c4477fffb13b4cc5cccf9f1b1010b64f79956c291c72d2ad2ed243f8"},
 {file = "django_permissionedforms-0.1-py2.py3-none-any.whl", hash = "sha256:d341a961a27cc77fde8cc42141c6ab55cc1f0cb886963cc2d6967b9674fa47d6"},
 ]
+django-permissions-policy = [
+ {file = "django-permissions-policy-4.13.0.tar.gz", hash = "sha256:c340f822de6ea48888b8620214f98f516c53501d0f54de53d172715ab94e0da2"},
+ {file = "django_permissions_policy-4.13.0-py3-none-any.whl", hash = "sha256:2c9aa83a7bb49d32f9bb77384d3fcf81b141f18df3c2bcf8810a154860a22e63"},
+]
 django-plausible = [
 {file = "django-plausible-0.4.0.tar.gz", hash = "sha256:0e8b90504807812f7416265d5e42377e1bf0cf102610abf4b4331d1f1bcc9383"},
 {file = "django_plausible-0.4.0-py3-none-any.whl", hash = "sha256:c81e0ba88fa476f435ec907a5d7eda9848495e725789c23b62c926eace215bf5"},
diff --git a/pyproject.toml b/pyproject.toml
index 14bd125..2d8cfae 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -38,6 +38,7 @@ django-cors-headers = "^3.13.0"
 uritemplate = "^4.1.1"
 PyYAML = "^6.0"
 django-csp = "^3.7"
+django-permissions-policy = "^4.13.0"
 [tool.poetry.group.dev.dependencies]
diff --git a/website/settings.py b/website/settings.py
index f1d25ef..536704a 100644
--- a/website/settings.py
+++ b/website/settings.py
@@ -104,6 +104,7 @@ MIDDLEWARE = [
 "wagtail.contrib.redirects.middleware.RedirectMiddleware",
 "django_htmx.middleware.HtmxMiddleware",
 "csp.middleware.CSPMiddleware",
+ "django_permissions_policy.PermissionsPolicyMiddleware",
 ]
 ROOT_URLCONF = "website.urls"
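Review bot: The new `django_permissions_policy.PermissionsPolicyMiddleware` entry gives a reader of MIDDLEWARE no pointer to what it emits; the header body is the PERMISSIONS_POLICY dict added further down this file in the same commit, so a trailing comment such as `# Permissions-Policy header; contents in PERMISSIONS_POLICY below` would keep the two in step. That dict is an explicit deny list of sixteen features rather than a deny-by-default policy, so any feature it does not name (e.g. `screen-wake-lock`, `web-share`, `xr-spatial-tracking`) keeps the browser's own default allowlist; presumably intentional, but worth confirming against what the site actually uses. A one-line response test asserting `"Permissions-Policy" in response.headers` on any page would catch the middleware being removed later. The MIDDLEWARE list opens before this hunk.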
@@ -392,6 +393,25 @@ SESSION_COOKIE_HTTPONLY = True
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+PERMISSIONS_POLICY = {
+ "accelerometer": [],
+ "ambient-light-sensor": [],
+ "autoplay": [],
+ "camera": [],
+ "display-capture": [],
+ "document-domain": [],
+ "encrypted-media": [],
+ "fullscreen": [],
+ "geolocation": [],
+ "gyroscope": [],
+ "interest-cohort": [],
+ "magnetometer": [],
+ "microphone": [],
+ "midi": [],
+ "payment": [],
+ "usb": [],
+}
+
 if not DEBUG:
 SECURE_HSTS_SECONDS = 2592000 # 30 days