Add permissions policy

2022-10-30 19:12:26 +00:00 · 2022-10-30 19:12:26 +00:00 · 01d78a7378
commit 01d78a7378
parent d809890b0f
3 changed files with 37 additions and 1 deletions
--- a/poetry.lock
+++ b/poetry.lock
@ -318,6 +318,17 @@ Django = "*"
 [package.extras]
 testing = ["django-modelcluster"]

+[[package]]
+name = "django-permissions-policy"
+version = "4.13.0"
+description = "Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app."
+category = "main"
+optional = false
+python-versions = ">=3.7"
+
+[package.dependencies]
+Django = ">=3.2"
+
 [[package]]
 name = "django-plausible"
 version = "0.4.0"
@ -1387,7 +1398,7 @@ testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools"
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.10"
-content-hash = "8d2f240eaa055939613b5fcd9f364df73c8488de9fe3aa9e68c691ff7ad7c3d5"
+content-hash = "24f28337794e9b5a60a33b8993b98de7815fdc9603d8ffc6cb258ee56c29f996"

 [metadata.files]
 anyascii = [
@ -1621,6 +1632,10 @@ django-permissionedforms = [
    {file = "django-permissionedforms-0.1.tar.gz", hash = "sha256:4340bb20c4477fffb13b4cc5cccf9f1b1010b64f79956c291c72d2ad2ed243f8"},
    {file = "django_permissionedforms-0.1-py2.py3-none-any.whl", hash = "sha256:d341a961a27cc77fde8cc42141c6ab55cc1f0cb886963cc2d6967b9674fa47d6"},
 ]
+django-permissions-policy = [
+    {file = "django-permissions-policy-4.13.0.tar.gz", hash = "sha256:c340f822de6ea48888b8620214f98f516c53501d0f54de53d172715ab94e0da2"},
+    {file = "django_permissions_policy-4.13.0-py3-none-any.whl", hash = "sha256:2c9aa83a7bb49d32f9bb77384d3fcf81b141f18df3c2bcf8810a154860a22e63"},
+]
 django-plausible = [
    {file = "django-plausible-0.4.0.tar.gz", hash = "sha256:0e8b90504807812f7416265d5e42377e1bf0cf102610abf4b4331d1f1bcc9383"},
    {file = "django_plausible-0.4.0-py3-none-any.whl", hash = "sha256:c81e0ba88fa476f435ec907a5d7eda9848495e725789c23b62c926eace215bf5"},
--- a/pyproject.toml
+++ b/pyproject.toml
@ -38,6 +38,7 @@ django-cors-headers = "^3.13.0"
 uritemplate = "^4.1.1"
 PyYAML = "^6.0"
 django-csp = "^3.7"
+django-permissions-policy = "^4.13.0"


 [tool.poetry.group.dev.dependencies]
--- a/website/settings.py
+++ b/website/settings.py
@ -104,6 +104,7 @@ MIDDLEWARE = [
    "wagtail.contrib.redirects.middleware.RedirectMiddleware",
    "django_htmx.middleware.HtmxMiddleware",
    "csp.middleware.CSPMiddleware",
+    "django_permissions_policy.PermissionsPolicyMiddleware",
 ]

 ROOT_URLCONF = "website.urls"
@ -392,6 +393,25 @@ SESSION_COOKIE_HTTPONLY = True

 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

+PERMISSIONS_POLICY = {
+    "accelerometer": [],
+    "ambient-light-sensor": [],
+    "autoplay": [],
+    "camera": [],
+    "display-capture": [],
+    "document-domain": [],
+    "encrypted-media": [],
+    "fullscreen": [],
+    "geolocation": [],
+    "gyroscope": [],
+    "interest-cohort": [],
+    "magnetometer": [],
+    "microphone": [],
+    "midi": [],
+    "payment": [],
+    "usb": [],
+}
+
 if not DEBUG:
    SECURE_HSTS_SECONDS = 2592000  # 30 days