Support unsafe-none in helmet.crossOriginEmbedderPolicy? #446

Closed
mxxk opened this issue Nov 4, 2023 · 1 comment · Fixed by #447

Contributor

mxxk commented Nov 4, 2023

@EvanHahn thanks for your continued work on this package. 🙌

I noticed that although unsafe-none is a valid value for Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy, and it is supported by helmet COOP,

```ts
export interface CrossOriginOpenerPolicyOptions {
  policy?: "same-origin" | "same-origin-allow-popups" | "unsafe-none";
}
const ALLOWED_POLICIES = new Set([
  "same-origin",
  "same-origin-allow-popups",
  "unsafe-none",
]);
```

but it is not supported by helmet COEP:

```ts
export interface CrossOriginEmbedderPolicyOptions {
  policy?: "require-corp" | "credentialless";
}
const ALLOWED_POLICIES = new Set(["require-corp", "credentialless"]);
```

I was wondering if this seems right to you, and if not, I'm happy to submit a PR! I don't believe this would be a breaking change.

@mxxk mxxk changed the title Support helmet.crossOriginEmbedderPolicy({ policy: 'unsafe-none' })? Support unsafe-none in helmet.crossOriginEmbedderPolicy? Nov 4, 2023
Member

EvanHahn commented Nov 4, 2023

You're right. COEP should support "unsafe-none". Feel free to open a pull request!

mxxk added a commit to mxxk-forks/helmet that referenced this issue Nov 5, 2023
`unsafe-none` is a valid value for `Cross-Origin-Embedder-Policy`, so
add support for it.

Fixes helmetjs#446.
EvanHahn pushed a commit that referenced this issue Nov 5, 2023
`unsafe-none` is a valid value for `Cross-Origin-Embedder-Policy`, so
add support for it.

See [#446][0] and [#447][1].

[0]: #446
[1]: #447
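
An added example, not taken from the issue thread or from helmet's source: a stand-alone TypeScript sketch of the allow-list check discussed above, with `unsafe-none` accepted for COEP. The names `coepMiddleware`, `resolveCoepPolicy`, `headersFor`, the `ResponseLike` shape and the `require-corp` default are assumptions of this sketch.

```typescript
// Added example: allow-list validation for a Cross-Origin-Embedder-Policy
// middleware. A sketch for illustration, not helmet's own code.

type CoepPolicy = "require-corp" | "credentialless" | "unsafe-none";

interface CoepOptions {
  policy?: CoepPolicy;
}

// Minimal response shape (assumption) so the sketch needs no framework types.
interface ResponseLike {
  setHeader(name: string, value: string): void;
}

const COEP_ALLOWED_POLICIES = new Set<string>([
  "require-corp",
  "credentialless",
  "unsafe-none",
]);

// Validate once, when the middleware is built, so a value outside the
// allow-list (for example from an untyped JavaScript caller) fails at startup
// instead of being sent to browsers on every response.
function resolveCoepPolicy(options: Readonly<CoepOptions> = {}): string {
  const policy: string = options.policy ?? "require-corp"; // default is an assumption
  if (!COEP_ALLOWED_POLICIES.has(policy)) {
    throw new Error(
      `Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`,
    );
  }
  return policy;
}

function coepMiddleware(options: Readonly<CoepOptions> = {}) {
  const headerValue = resolveCoepPolicy(options);
  return (_req: unknown, res: ResponseLike, next: () => void): void => {
    res.setHeader("Cross-Origin-Embedder-Policy", headerValue);
    next();
  };
}

// Helper that runs the middleware against a fake response and returns the headers.
function headersFor(options?: CoepOptions): Record<string, string> {
  const headers: Record<string, string> = {};
  const res: ResponseLike = { setHeader: (n, v) => { headers[n] = v; } };
  coepMiddleware(options)(undefined, res, () => {});
  return headers;
}
```

`unsafe-none` is the value browsers assume when no COEP header is sent, so setting it makes the relaxed policy explicit; it does not make the page cross-origin isolated.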