Stop sending the Feature-Policy header

Fixes #172.
adamchainz · Mar 24, 2021 · df08ebf · df08ebf
1 parent ab983ee
commit df08ebf
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 48 deletions.
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -2,6 +2,9 @@
 History
 =======
 
+* Stop sending the ``Feature-Policy`` header. Chrome now logs warnings if it is
+  sent alongside ``Permissions-Policy``.
+
 * Stop distributing tests to reduce package size. Tests are not intended to be
   run outside of the tox setup in the repository. Repackagers can use GitHub's
   tarballs per tag.

diff --git a/README.rst b/README.rst
@@ -55,9 +55,7 @@ similar addition of security headers that you'll want on every response:
       ...
     ]
 
-The middleware will set the ``Permissions-Policy`` header, and also set it with
-the previous name ``Feature-Policy``, for backwards compatibility with older
-browsers.
+The middleware will set the ``Permissions-Policy`` header.
 
 The header will not be set until you configure the setting to set at least one
 policy, as below.
@@ -95,10 +93,9 @@ instantiation time, or when processing a response. The current feature list is
 pulled from the JavaScript API with
 ``document.featurePolicy.allowedFeatures()`` on Chrome.
 
-For backwards compatibility with the old ``Feature-Policy`` header and
-configuration, the value ``'none'`` is supported in lists, but ignored - it's
-preferable to use the empty list instead. It doesn't make sense to specify
-``'none'`` alongside other values.
+For backwards compatibility with old configuration, the value ``'none'`` is
+supported in lists, but ignored - it's preferable to use the empty list
+instead. It doesn't make sense to specify ``'none'`` alongside other values.
 
 Examples
 ~~~~~~~~

diff --git a/src/django_feature_policy.py b/src/django_feature_policy.py
@@ -78,7 +78,6 @@ def __call__(self, request):
         value = self.header_value
         if value:
             response["Permissions-Policy"] = value
-            response["Feature-Policy"] = self.old_header_value
         return response
 
     @cached_property
@@ -104,28 +103,6 @@ def header_value(self):
             pieces.append(feature + "=(" + " ".join(item) + ")")
         return ", ".join(pieces)
 
-    @cached_property
-    def old_header_value(self):
-        setting = self.get_setting()
-        pieces = []
-        for feature, values in sorted(setting.items()):
-            if isinstance(values, str):
-                values = (values,)
-
-            item = [feature]
-            if not values:
-                item.append("'none'")
-            else:
-                for value in values:
-                    if value == "none":
-                        item.append("'none'")
-                    elif value == "self":
-                        item.append("'self'")
-                    else:
-                        item.append(value)
-            pieces.append(" ".join(item))
-        return "; ".join(pieces)
-
     def get_setting(self):
         setting = getattr(settings, "PERMISSIONS_POLICY", None)
         if not setting:

diff --git a/tests/test_django_feature_policy.py b/tests/test_django_feature_policy.py
@@ -15,23 +15,20 @@ def test_no_setting(client):
     resp = client.get("/")
 
     assert "Permissions-Policy" not in resp
-    assert "Feature-Policy" not in resp
 
 
 def test_empty_setting(client, settings):
     settings.PERMISSIONS_POLICY = {}
     resp = client.get("/")
 
     assert "Permissions-Policy" not in resp
-    assert "Feature-Policy" not in resp
 
 
 def test_empty_setting_old_alias(client, settings):
     settings.FEATURE_POLICY = {}
     resp = client.get("/")
 
     assert "Permissions-Policy" not in resp
-    assert "Feature-Policy" not in resp
 
 
 def test_anyone_can_geolocate(client, settings):
@@ -40,7 +37,6 @@ def test_anyone_can_geolocate(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=(*)"
-    assert resp["Feature-Policy"] == "geolocation *"
 
 
 def test_anyone_can_geolocate_old_alias(client, settings):
@@ -49,7 +45,6 @@ def test_anyone_can_geolocate_old_alias(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=(*)"
-    assert resp["Feature-Policy"] == "geolocation *"
 
 
 def test_anyone_can_geolocate_list(client, settings):
@@ -58,7 +53,6 @@ def test_anyone_can_geolocate_list(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=(*)"
-    assert resp["Feature-Policy"] == "geolocation *"
 
 
 def test_no_one_can_geolocate(client, settings):
@@ -67,7 +61,6 @@ def test_no_one_can_geolocate(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=()"
-    assert resp["Feature-Policy"] == "geolocation 'none'"
 
 
 def test_no_one_can_geolocate_old_none_value(client, settings):
@@ -76,7 +69,6 @@ def test_no_one_can_geolocate_old_none_value(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=()"
-    assert resp["Feature-Policy"] == "geolocation 'none'"
 
 
 def test_self_can_geolocate(client, settings):
@@ -85,7 +77,6 @@ def test_self_can_geolocate(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=(self)"
-    assert resp["Feature-Policy"] == "geolocation 'self'"
 
 
 def test_example_com_can_geolocate(client, settings):
@@ -94,7 +85,6 @@ def test_example_com_can_geolocate(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == 'geolocation=("https://example.com")'
-    assert resp["Feature-Policy"] == "geolocation https://example.com"
 
 
 def test_multiple_allowed(client, settings):
@@ -103,7 +93,6 @@ def test_multiple_allowed(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == 'autoplay=(self "https://example.com")'
-    assert resp["Feature-Policy"] == "autoplay 'self' https://example.com"
 
 
 def test_multiple_features(client, settings):
@@ -118,10 +107,6 @@ def test_multiple_features(client, settings):
         resp["Permissions-Policy"]
         == 'accelerometer=(self), geolocation=(self "https://example.com")'
     )
-    assert (
-        resp["Feature-Policy"]
-        == "accelerometer 'self'; geolocation 'self' https://example.com"
-    )
 
 
 def test_unknown_feature(client, settings):
@@ -139,7 +124,6 @@ def test_setting_changing(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=(self)"
-    assert resp["Feature-Policy"] == "geolocation 'self'"
 
 
 def test_setting_changing_old_alias(client, settings):
@@ -150,7 +134,6 @@ def test_setting_changing_old_alias(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=(self)"
-    assert resp["Feature-Policy"] == "geolocation 'self'"
 
 
 def test_other_setting_changing(client, settings):
@@ -161,7 +144,6 @@ def test_other_setting_changing(client, settings):
     resp = client.get("/")
 
     assert resp["Permissions-Policy"] == "geolocation=(self)"
-    assert resp["Feature-Policy"] == "geolocation 'self'"
 
 
 def test_middleware_alias():