Sci - please stop posting on this mailing list about whatsapp etc. It's not appropriate.
Carlton - I have three thoughts re: security headers

1. I'm fine adding new settings for them. I think it's basically part of the territory. More headers are appearing, to support them we can use the same mechanism users are familiar with. Most projects should be able to go with the sensible default that Django provides.

2. On sensible defaults - the settings are currently bools but this requires users to set them to False for development and True for deployment on HTTPS. I think we could add a third value, 'on_https', that's the default. It could be true based upon request.is_secure(). This would reduce much of the user burden of these settings.

3. For new headers I think we could add a setting called e.g. ADD_HEADERS - a dict of keys to values that CommonMiddleware (or similar) could add to outgoing responses' headers. This would mean Django projects could use new security headers before Django supports them. I think the settings versions in SecurityMiddleware are still valuable since they provide defaults and allow per-view customization where reasonable.

On Thu, 30 Jul 2020 at 10:08, Sci Mithilesh <mithileshrawaniind...@gmail.com> wrote:

> Your contact number send me I want a VIP site
>
> On Thu, 30 Jul 2020, 2:37 pm Carlton Gibson, <carlton.gib...@gmail.com> wrote:
>
>> Hi.
>>
>> (This is quite preliminary but...)
>>
>> So we added support for Referrer-Policy in 3.0
>> https://docs.djangoproject.com/en/3.0/ref/middleware/#referrer-policy
>>
>> This added the SECURE_REFERRER_POLICY setting.
>>
>> We have a Someday/Maybe Permissions-Policy (was Feature-Policy).
>> for https://code.djangoproject.com/ticket/30746
>>
>> Then a proposal for a new one Cross-Origin Opener Policy
>> https://code.djangoproject.com/ticket/31840
>>
>> > This can be implemented in a similar way to the Referrer-Policy header in the security middleware.
>>
>> But are we going to continue to add settings along this line, one for
>> every new header that comes up?
>>
>> Maybe, but I feel like we might need to review how we handle such things.
>>
>> One thought that has come up (here and elsewhere) is that it would be
>> good if Middleware could be configured with parameters without having to
>> subclass. I wonder if (I suspect) that has come up as an idea before?
>>
>> Otherwise does anyone have thoughts on this issue? (Maybe we can just
>> keep adding settings — we have a lot for *_COOKIE_* for example.)
>>
>> Thanks,
>> Carlton

-- 
Adam

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM1j4yvaxBLwrXm%3DmJ1AvnXWMYjdfq%2BJZ-L8ocRE7iKhng%40mail.gmail.com.
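
Added example, not part of the thread and not Django's own code: a sketch of the two ideas in Adam's reply, a third 'on_https' value resolved through request.is_secure() and an ADD_HEADERS-style dict applied by middleware. The class names, constructor parameters and stub request/response objects are assumptions made for illustration; neither 'on_https' nor ADD_HEADERS is an existing Django setting.

```python
from http.cookies import SimpleCookie

ON_HTTPS = "on_https"  # hypothetical third value proposed in the thread


def resolve(value, request):
    """Turn True / False / 'on_https' into a bool for this request."""
    return request.is_secure() if value == ON_HTTPS else bool(value)


class HeaderDefaultsMiddleware:
    """Django-style middleware (callable wrapping get_response); hypothetical."""

    def __init__(self, get_response, add_headers=None, cookie_secure=ON_HTTPS):
        self.get_response = get_response
        self.add_headers = dict(add_headers or {})  # ADD_HEADERS-style dict
        self.cookie_secure = cookie_secure

    def __call__(self, request):
        response = self.get_response(request)
        for name, value in self.add_headers.items():
            # setdefault keeps a value the view already set (per-view override)
            response.headers.setdefault(name, value)
        if resolve(self.cookie_secure, request):
            for morsel in response.cookies.values():
                morsel["secure"] = True
        return response


class StubRequest:  # constructed stand-in for HttpRequest
    def __init__(self, secure):
        self._secure = secure

    def is_secure(self):
        return self._secure


class StubResponse:  # constructed stand-in; real header lookup is case-insensitive
    def __init__(self):
        self.headers, self.cookies = {}, SimpleCookie()


def demo(secure):
    def view(request):
        response = StubResponse()
        response.headers["Referrer-Policy"] = "no-referrer"  # set by the view
        response.cookies["sessionid"] = "constructed-value"
        return response

    defaults = {"Cross-Origin-Opener-Policy": "same-origin",
                "Referrer-Policy": "same-origin"}
    return HeaderDefaultsMiddleware(view, add_headers=defaults)(StubRequest(secure))
```

With the 'on_https' default, the same configuration leaves cookies unmarked on a plain-HTTP development request and marks them Secure on an HTTPS request, which is the burden reduction point 2 describes.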