Hi Y'all, 

I suggested the addition of the COOP header. I don't have enough experience 
contributing to Django to know if the process of adding new headers should 
be streamlined. I am curious though if CORS or CORP support has ever been 
considered as a part of the security middleware. COOP is usually 
implemented with a header called Cross-origin Embedder Policy but it relies 
on CORS or CORP being set to a specific value. I know that currently Django 
projects use a middleware to handle CORS but we can't have a safe default 
for COEP set unless we know they are using this middleware. The middleware 
is also not a Mozilla repository. 

Maybe now is a good time to add support for CORS/CORP while we are adding 
many other security headers? I would be interested in contributing to this 
and could submit a new issue for it or do it as a part of the COOP ticket.

Another +1 to Adam's Add_Headers idea. This would be an effective way of 
keeping up with new security standards for concerned developers but would 
offer no protection to the average Django user.

Thanks,

Megan


On Friday, July 31, 2020 at 1:25:08 PM UTC-4 Adam Johnson wrote:

> > I would suggest that the redirection part be moved to a different 
> > middleware.
>
> I doubt this would have any noticeable performance impact on any 
> application. I’d like to see profiling data before imposing such a change 
> on users.
>
> Also I find myself using the Django redirect with several different 
> “serverless” deployment setups.
>
> On Thu, 30 Jul 2020 at 17:43, Claude Paroz <cla...@2xlibre.net> wrote:
>
>> By the way, while reviewing the SecurityMiddleware, I would suggest that 
>> the redirection part be moved to a different middleware.
>> http to https redirection should preferably be done at the Web server 
>> level, and for those doing that properly, they still pay for the unneeded 
>> (albeit small) overhead of the `SecurityMiddleware.process_request`.
>>
>> > 3. For new headers I think we could add a setting called e.g. 
>> > ADD_HEADERS - a dict of keys to values that 
>> > CommonMiddleware (or similar) could add to outgoing responses' headers. 
>>
>> +1 to that proposal.
>>
>> Claude
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Django developers (Contributions to Django itself)" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to django-develop...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/django-developers/3da2e385-551e-4905-83e8-7f2b99896f18o%40googlegroups.com.
>>
> -- 
> Adam
>
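
The ADD_HEADERS setting proposed in the quoted messages, sketched as an added example that is not Django's code and not from any message in this thread: a Django-shaped middleware (get_response callable, response[name] = value) that applies a configured header dict, lets a view's own header win, validates the dict once at startup, and refuses COEP require-corp with no CORP entry, the gap Megan raises above. The ADD_HEADERS defaults, check_add_headers and the FakeResponse stand-in are assumptions of this example.

```python
from typing import Callable, Dict, Mapping

# Constructed stand-in for the proposed ADD_HEADERS setting (header -> value).
# The COOP/CORP defaults are this example's assumption, not Django's.
ADD_HEADERS: Dict[str, str] = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

def check_add_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Validate the dict once at startup. CR/LF is refused so a settings value
    can never inject a second header; COEP require-corp is refused without a
    CORP entry, since a document under it may only load cross-origin resources
    that opt in via CORP or CORS (the gap Megan points out above)."""
    checked: Dict[str, str] = {}
    for name, value in headers.items():
        if "\r" in name + value or "\n" in name + value:
            raise ValueError(f"CR/LF in header {name!r}")
        checked[name] = value
    if (checked.get("Cross-Origin-Embedder-Policy") == "require-corp"
            and "Cross-Origin-Resource-Policy" not in checked):
        raise ValueError("COEP require-corp needs a CORP (or CORS) policy too")
    return checked

class AddHeadersMiddleware:
    """Django-shaped middleware: sets each configured header unless the view
    already set it, so a per-view value always wins over the global default."""
    def __init__(self, get_response: Callable, headers: Mapping[str, str] = ADD_HEADERS):
        self.get_response = get_response
        self.headers = check_add_headers(headers)

    def __call__(self, request):
        response = self.get_response(request)
        for name, value in self.headers.items():
            if name not in response:  # HttpResponse matches names case-insensitively
                response[name] = value
        return response

class FakeResponse(dict):
    """Constructed stand-in for HttpResponse with case-insensitive names."""
    def __init__(self, items=()): super().__init__((k.lower(), v) for k, v in dict(items).items())
    def __setitem__(self, k, v): super().__setitem__(k.lower(), v)
    def __contains__(self, k): return super().__contains__(k.lower())

def headers_after(view_headers: Mapping[str, str], configured=ADD_HEADERS) -> Dict[str, str]:
    """Final headers (lower-cased names) after the middleware wraps a view that set view_headers."""
    return dict(AddHeadersMiddleware(lambda request: FakeResponse(view_headers), configured)(None))
```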
