adamchainz / django-permissions-policy

Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app.
MIT License

Unrecognized feature: 'ambient-light-sensor' #298

Closed dchimeno closed 2 years ago

dchimeno commented 2 years ago

Python Version

3.8

Django Version

3.2

Package Version

latest

Description

After setting the example:

PERMISSIONS_POLICY = {
    "accelerometer": [],
    "ambient-light-sensor": [],
    "autoplay": [],
    "camera": [],
    "display-capture": [],
    "document-domain": [],
    "encrypted-media": [],
    "fullscreen": [],
    "geolocation": [],
    "gyroscope": [],
    "magnetometer": [],
    "microphone": [],
    "midi": [],
    "payment": [],
    "usb": [],
}

Chrome shows:

Error with Permissions-Policy header: Unrecognized feature: 'ambient-light-sensor'.

adamchainz commented 2 years ago

It works for me!

I just tried with django 4.0.4 and django-permissions-policy 4.10.0, and the below single file app:

#!/usr/bin/env python
import html
import os
import sys

from django.conf import settings
from django.core.wsgi import get_wsgi_application
from django.http import HttpResponse
from django.urls import path

settings.configure(
    # Dangerous: disable host header validation
    ALLOWED_HOSTS=["*"],
    # Use DEBUG=1 to enable debug mode
    DEBUG=(os.environ.get("DEBUG", "") == "1"),
    # Make this module the urlconf
    ROOT_URLCONF=__name__,
    PERMISSIONS_POLICY={
        "accelerometer": [],
        "ambient-light-sensor": [],
        "autoplay": [],
        "camera": [],
        "display-capture": [],
        "document-domain": [],
        "encrypted-media": [],
        "fullscreen": [],
        "geolocation": [],
        "gyroscope": [],
        "magnetometer": [],
        "microphone": [],
        "midi": [],
        "payment": [],
        "usb": [],
    },
    MIDDLEWARE=["django_permissions_policy.PermissionsPolicyMiddleware"],
)

def index(request):
    name = request.GET.get("name", "World")
    return HttpResponse(f"Hello, {html.escape(name)}!")

urlpatterns = [
    path("", index),
]

app = get_wsgi_application()

if __name__ == "__main__":
    from django.core.management import execute_from_command_line

    execute_from_command_line(sys.argv)

dchimeno commented 2 years ago

I would say this is not about Django or django-permissions-policy and more about Chrome (or other browsers).

Just tried again running:

document.featurePolicy.allowedFeatures()

in the Chrome Console (Versión 102.0.5005.61 (Build oficial) (x86_64))

The ambient-light-sensor is not there. After searching for a while, you need to have activated the chrome://flags

#enable-generic-sensor-extra-classes

After that, the featurePolicy is allowed.

So probably not setting ambient-light-sensor in the examples is enough, or probably this doesn't need action at all.

adamchainz commented 2 years ago

Oh right, I missed that the error was from Chrome, I thought it was the check built in to the package.

I update the list of known features every quarter, I will do that now and update the example.

adamchainz commented 2 years ago

Huh, with Chrome Dev 104 I don't need to change a flag to see ambient-light-sensors. I'm on macOS. Is the message you see a warning or an error? I would guess that an unrecognized feature should just be a warning, and the other features should still be applied.

dchimeno commented 2 years ago

It's just a warning in the Console.

I'm sure maintaining such a list is not gonna be an easy task, too many versions/variables.

adamchainz commented 2 years ago

If it's just a warning, it doesn't break anything, and it's kind of inevitable between browser versions. I'm adding a note in the docs about this in #298.
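
The behaviour discussed in this thread, as an added example that is not part of the original issue or of django-permissions-policy: a small model of a browser reading a Permissions-Policy header, warning on a feature it does not recognise and still applying the rest. It assumes, as the thread guesses, that unrecognised members are skipped rather than invalidating the header; `apply_policy`, the header string and both feature lists are constructed for illustration.

```python
import re

# One header member: feature=(allowlist) or feature=* (a simplified subset of
# the Structured Fields dictionary syntax; origins containing commas are not handled).
MEMBER = re.compile(r"^([a-z][a-z0-9-]*)=(\*|\(([^()]*)\))$")


def apply_policy(header, recognised):
    """Model a browser reading a Permissions-Policy header value.

    Returns (applied, warnings). A member naming a feature outside
    `recognised` is skipped with a warning; all other members still apply.
    """
    applied, warnings = {}, []
    for raw in header.split(","):
        member = raw.strip()
        if not member:
            continue
        match = MEMBER.match(member)
        if match is None:
            warnings.append(f"Could not parse member: {member!r}")
            continue
        feature, value, inner = match.groups()
        if feature not in recognised:
            warnings.append(f"Unrecognized feature: '{feature}'.")
            continue
        # "*" allows every origin; "()" is an empty allowlist (feature disabled).
        applied[feature] = ["*"] if value == "*" else [t.strip('"') for t in inner.split()]
    return applied, warnings


# Constructed header value in the standard syntax, using features from the issue.
HEADER = 'accelerometer=(), ambient-light-sensor=(), camera=(), fullscreen=(self "https://cdn.example")'

# Constructed feature lists standing in for two browser builds.
WITHOUT_SENSOR = {"accelerometer", "camera", "fullscreen"}
WITH_SENSOR = WITHOUT_SENSOR | {"ambient-light-sensor"}

if __name__ == "__main__":
    for label, known in (("without", WITHOUT_SENSOR), ("with", WITH_SENSOR)):
        applied, warnings = apply_policy(HEADER, known)
        print(label, sorted(applied), warnings)
```

To check a real deployment, replace the constructed feature list with the names a given browser build reports and the header string with the value your site actually sends.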