Add Permissions Policy directive browsing-topics

wntrblm · Jul 29, 2023 · 6851edd · 6851edd
1 parent 5314ee2
commit 6851edd
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/README.rst b/README.rst
@@ -35,6 +35,8 @@ The default configuration:
 -  Sets a strict `Referrer-Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy>`_
    of ``strict-origin-when-cross-origin`` that governs which referrer information should be included with
    requests made.
+-  Disables ``browsing-topics`` by default in the `Permissions-Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy>`_
+   like `Drupal <https://www.drupal.org/project/drupal/issues/3209628>`_ to enhance privacy protection.
 
 
 In addition to Talisman, you **should always use a cross-site request
@@ -110,7 +112,7 @@ Options
 
 -  ``feature_policy``, default ``{}``, see the `Feature Policy`_ section (`about Feature Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy>`_).
 
--  ``permissions_policy``, default ``{}``, see the `Permissions Policy`_ section (`about Permissions Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy>`_).
+-  ``permissions_policy``, default ``{'browsing-topics': '()'}``, see the `Permissions Policy`_ section (`about Permissions Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy>`_).
 -  ``document_policy``, default ``{}``, see the `Document Policy`_ section (`about Document Policy <https://wicg.github.io/document-policy/>`_).
 
 -  ``session_cookie_secure``, default ``True``, set the session cookie
@@ -371,6 +373,10 @@ the Permission Policy setting will take precedence in browsers that support both
 It should be noted that the syntax differs between Feature Policy and Permission Policy
 as can be seen from the ``geolocation`` examples provided.
 
+The default Permissions Policy is ``browsing-topics=()``, which opts sites out of
+`Federated Learning of Cohorts <https://wicg.github.io/floc/>`_ an interest-based advertising initiative
+called Topics API.
+
 Permission Policy can be set either using a dictionary, or using a string.
 
 Geolocation and Microphone Example

diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py
@@ -46,6 +46,8 @@
 }
 
 DEFAULT_PERMISSIONS_POLICY = {
+    # Disable Topics API
+    'browsing-topics': '()'
 }
 
 DEFAULT_DOCUMENT_POLICY = {

diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py
@@ -303,12 +303,14 @@ def testPermissionsPolicy(self):
         self.talisman.permissions_policy['geolocation'] = '()'
         response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
         permissions_policy = response.headers['Permissions-Policy']
+        self.assertIn('browsing-topics=()', permissions_policy)
         self.assertIn('geolocation=()', permissions_policy)
 
         self.talisman.permissions_policy['geolocation'] = '()'
         self.talisman.permissions_policy['fullscreen'] = '(self, "https://example.com")'
         response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
         permissions_policy = response.headers['Permissions-Policy']
+        self.assertIn('browsing-topics=()', permissions_policy)
         self.assertIn('geolocation=(), fullscreen=(self, "https://example.com")', permissions_policy)
 
         # no policy