| Name | django-permissions-policy JSON |
| Version |
4.27.0
JSON |
| download |
| home_page | None |
| Summary | Set the Permissions-Policy HTTP header on your Django app. |
| upload_time | 2025-09-08 22:50:04 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.9 |
| license | None |
| keywords |
django
|
| VCS |
 |
| bugtrack_url |
|
| requirements |
No requirements were recorded.
|
| Travis-CI |
No Travis.
|
| coveralls test coverage |
No coveralls.
|
=========================
django-permissions-policy
=========================
.. image:: https://img.shields.io/github/actions/workflow/status/adamchainz/django-permissions-policy/main.yml.svg?branch=main&style=for-the-badge
:target: https://github.com/adamchainz/django-permissions-policy/actions?workflow=CI
.. image:: https://img.shields.io/badge/Coverage-100%25-success?style=for-the-badge
:target: https://github.com/adamchainz/django-permissions-policy/actions?workflow=CI
.. image:: https://img.shields.io/pypi/v/django-permissions-policy.svg?style=for-the-badge
:target: https://pypi.org/project/django-permissions-policy/
.. image:: https://img.shields.io/badge/code%20style-black-000000.svg?style=for-the-badge
:target: https://github.com/psf/black
.. image:: https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white&style=for-the-badge
:target: https://github.com/pre-commit/pre-commit
:alt: pre-commit
----
Set the ``Permissions-Policy`` HTTP header on your Django app.
----
**Work smarter and faster** with my book `Boost Your Django DX <https://adamchainz.gumroad.com/l/byddx>`__ which covers many ways to improve your development experience.
----
Requirements
------------
Python 3.9 to 3.14 supported.
Django 4.2 to 5.2 supported.
Installation
------------
1. Install with **pip**:
.. code-block:: sh
python -m pip install django-permissions-policy
2. Add the middleware in your ``MIDDLEWARE`` setting. It’s best to add it
after Django's ``SecurityMiddleware``, so it adds the header at the same point
in your stack:
.. code-block:: python
MIDDLEWARE = [
...,
"django.middleware.security.SecurityMiddleware",
"django_permissions_policy.PermissionsPolicyMiddleware",
...,
]
3. Add the ``PERMISSIONS_POLICY`` setting to your settings, naming at least one
feature. Here’s an example that sets a strict policy to disable many
potentially privacy-invading and annoying features for all scripts:
.. code-block:: python
PERMISSIONS_POLICY = {
"accelerometer": [],
"ambient-light-sensor": [],
"autoplay": [],
"camera": [],
"display-capture": [],
"encrypted-media": [],
"fullscreen": [],
"geolocation": [],
"gyroscope": [],
"interest-cohort": [],
"magnetometer": [],
"microphone": [],
"midi": [],
"payment": [],
"usb": [],
}
See below for more information on the setting.
Setting
-------
Change the ``PERMISSIONS_POLICY`` setting to configure the contents of the
header.
The setting should be a dictionary laid out with:
* Keys as the names of browser features - a full list is available on the
`W3 Spec repository`_. The `MDN article`_ is also worth reading.
* Values as lists of strings, where each string is either an origin, e.g.
``'https://example.com'``, or of the special values ``'self'`` or ``'*'``. If
there is just one value, no containing list is necessary. To represent no
origins being allowed, use an empty list.
Note that in the header, domains are wrapped in double quotes - do not
include these quotes within your Python string, as they will be added by the
middleware.
.. _W3 Spec repository: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md
.. _MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility
If the keys or values are invalid, ``ImproperlyConfigured`` will be raised at instantiation time, or when processing a response.
The current feature list is pulled from the JavaScript API with ``document.featurePolicy.allowedFeatures()`` on Chrome and Firefox.
Browsers don’t always recognize all features, depending on the version and configuration.
You may see warnings in the console for unavailable features in the header - these are normally safe to ignore, since django-permissions-policy already validates that you don’t have completely unknown names.
For backwards compatibility with old configuration, the value ``'none'`` is
supported in lists, but ignored - it's preferable to use the empty list
instead. It doesn't make sense to specify ``'none'`` alongside other values.
Examples
~~~~~~~~
Disable geolocation entirely, for the current origin and any iframes:
.. code-block:: python
PERMISSIONS_POLICY = {
"geolocation": [],
}
Allow autoplay from only the current origin and iframes from
``https://archive.org``:
.. code-block:: python
PERMISSIONS_POLICY = {
"autoplay": ["self", "https://archive.org"],
}
Allow autoplay from all origins:
.. code-block:: python
PERMISSIONS_POLICY = {
"autoplay": "*",
}
Raw data
{
"_id": null,
"home_page": null,
"name": "django-permissions-policy",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": "Django",
"author": null,
"author_email": "Adam Johnson <me@adamj.eu>",
"download_url": "https://files.pythonhosted.org/packages/57/73/9fa46c7522506bab424f9bb8f8274874958d759a762917060cea35e859f2/django_permissions_policy-4.27.0.tar.gz",
"platform": null,
"description": "=========================\ndjango-permissions-policy\n=========================\n\n.. image:: https://img.shields.io/github/actions/workflow/status/adamchainz/django-permissions-policy/main.yml.svg?branch=main&style=for-the-badge\n :target: https://github.com/adamchainz/django-permissions-policy/actions?workflow=CI\n\n.. image:: https://img.shields.io/badge/Coverage-100%25-success?style=for-the-badge\n :target: https://github.com/adamchainz/django-permissions-policy/actions?workflow=CI\n\n.. image:: https://img.shields.io/pypi/v/django-permissions-policy.svg?style=for-the-badge\n :target: https://pypi.org/project/django-permissions-policy/\n\n.. image:: https://img.shields.io/badge/code%20style-black-000000.svg?style=for-the-badge\n :target: https://github.com/psf/black\n\n.. image:: https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white&style=for-the-badge\n :target: https://github.com/pre-commit/pre-commit\n :alt: pre-commit\n\n----\n\nSet the ``Permissions-Policy`` HTTP header on your Django app.\n\n----\n\n**Work smarter and faster** with my book `Boost Your Django DX <https://adamchainz.gumroad.com/l/byddx>`__ which covers many ways to improve your development experience.\n\n----\n\nRequirements\n------------\n\nPython 3.9 to 3.14 supported.\n\nDjango 4.2 to 5.2 supported.\n\nInstallation\n------------\n\n1. Install with **pip**:\n\n.. code-block:: sh\n\n python -m pip install django-permissions-policy\n\n2. Add the middleware in your ``MIDDLEWARE`` setting. It\u2019s best to add it\nafter Django's ``SecurityMiddleware``, so it adds the header at the same point\nin your stack:\n\n.. code-block:: python\n\n MIDDLEWARE = [\n ...,\n \"django.middleware.security.SecurityMiddleware\",\n \"django_permissions_policy.PermissionsPolicyMiddleware\",\n ...,\n ]\n\n3. Add the ``PERMISSIONS_POLICY`` setting to your settings, naming at least one\n feature. Here\u2019s an example that sets a strict policy to disable many\n potentially privacy-invading and annoying features for all scripts:\n\n .. code-block:: python\n\n PERMISSIONS_POLICY = {\n \"accelerometer\": [],\n \"ambient-light-sensor\": [],\n \"autoplay\": [],\n \"camera\": [],\n \"display-capture\": [],\n \"encrypted-media\": [],\n \"fullscreen\": [],\n \"geolocation\": [],\n \"gyroscope\": [],\n \"interest-cohort\": [],\n \"magnetometer\": [],\n \"microphone\": [],\n \"midi\": [],\n \"payment\": [],\n \"usb\": [],\n }\n\n See below for more information on the setting.\n\nSetting\n-------\n\nChange the ``PERMISSIONS_POLICY`` setting to configure the contents of the\nheader.\n\nThe setting should be a dictionary laid out with:\n\n* Keys as the names of browser features - a full list is available on the\n `W3 Spec repository`_. The `MDN article`_ is also worth reading.\n* Values as lists of strings, where each string is either an origin, e.g.\n ``'https://example.com'``, or of the special values ``'self'`` or ``'*'``. If\n there is just one value, no containing list is necessary. To represent no\n origins being allowed, use an empty list.\n\n Note that in the header, domains are wrapped in double quotes - do not\n include these quotes within your Python string, as they will be added by the\n middleware.\n\n.. _W3 Spec repository: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md\n.. _MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy#Browser_compatibility\n\nIf the keys or values are invalid, ``ImproperlyConfigured`` will be raised at instantiation time, or when processing a response.\nThe current feature list is pulled from the JavaScript API with ``document.featurePolicy.allowedFeatures()`` on Chrome and Firefox.\nBrowsers don\u2019t always recognize all features, depending on the version and configuration.\nYou may see warnings in the console for unavailable features in the header - these are normally safe to ignore, since django-permissions-policy already validates that you don\u2019t have completely unknown names.\n\nFor backwards compatibility with old configuration, the value ``'none'`` is\nsupported in lists, but ignored - it's preferable to use the empty list\ninstead. It doesn't make sense to specify ``'none'`` alongside other values.\n\nExamples\n~~~~~~~~\n\nDisable geolocation entirely, for the current origin and any iframes:\n\n.. code-block:: python\n\n PERMISSIONS_POLICY = {\n \"geolocation\": [],\n }\n\nAllow autoplay from only the current origin and iframes from\n``https://archive.org``:\n\n.. code-block:: python\n\n PERMISSIONS_POLICY = {\n \"autoplay\": [\"self\", \"https://archive.org\"],\n }\n\nAllow autoplay from all origins:\n\n.. code-block:: python\n\n PERMISSIONS_POLICY = {\n \"autoplay\": \"*\",\n }\n",
"bugtrack_url": null,
"license": null,
"summary": "Set the Permissions-Policy HTTP header on your Django app.",
"version": "4.27.0",
"project_urls": {
"Changelog": "https://github.com/adamchainz/django-permissions-policy/blob/main/CHANGELOG.rst",
"Funding": "https://adamj.eu/books/",
"Repository": "https://github.com/adamchainz/django-permissions-policy"
},
"split_keywords": [
"django"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "37c82f6ef1d5c7e202215a40f563c8213edbe3d3cf8822c0ad993a8951e0e261",
"md5": "423ffe29241b42150d65c2096b960983",
"sha256": "2e2462f097f6ab1c6074a5c18870a5eb2e7f0622a21ecada848feddac1218817"
},
"downloads": -1,
"filename": "django_permissions_policy-4.27.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "423ffe29241b42150d65c2096b960983",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 6772,
"upload_time": "2025-09-08T22:50:02",
"upload_time_iso_8601": "2025-09-08T22:50:02.871861Z",
"url": "https://files.pythonhosted.org/packages/37/c8/2f6ef1d5c7e202215a40f563c8213edbe3d3cf8822c0ad993a8951e0e261/django_permissions_policy-4.27.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "57739fa46c7522506bab424f9bb8f8274874958d759a762917060cea35e859f2",
"md5": "54c6fa2f64395bae161ad58d19160aee",
"sha256": "c524aa01196d524dbbad74dbd6dedfe4af48a49aa5c8cf8dd3af148f70240903"
},
"downloads": -1,
"filename": "django_permissions_policy-4.27.0.tar.gz",
"has_sig": false,
"md5_digest": "54c6fa2f64395bae161ad58d19160aee",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 10695,
"upload_time": "2025-09-08T22:50:04",
"upload_time_iso_8601": "2025-09-08T22:50:04.036321Z",
"url": "https://files.pythonhosted.org/packages/57/73/9fa46c7522506bab424f9bb8f8274874958d759a762917060cea35e859f2/django_permissions_policy-4.27.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-09-08 22:50:04",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "adamchainz",
"github_project": "django-permissions-policy",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"tox": true,
"lcname": "django-permissions-policy"
}
