helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page:https://helmetjs.github.io/


crossOriginEmbedderPolicy options are ignored when passed to helmet(config)

yacc opened this issue · comments

The options for `crossOriginEmbedderPolicy` are ignored when they are passed through `helmet(config)`.
Passing the same options directly to the `helmet.crossOriginEmbedderPolicy` middleware works as expected.
See the test below to reproduce.

Test

const request = require("supertest");
const express = require('express');
const helmet = require('helmet');

describe("Cross-Origin-Embedder-Policy through helmet()", () => {
  // The COEP options are handed to the top-level helmet() wrapper, which
  // must forward them to the crossOriginEmbedderPolicy middleware.
  const coepOptions = { policy: "credentialless" };
  const app = express();

  app.use(helmet({ crossOriginEmbedderPolicy: coepOptions }));

  // Minimal endpoint: any response is enough to inspect the headers.
  app.use("/ping", (req, res) => {
    res.send("ok");
  });

  it("should insert Cross-Origin-Embedder-Policy", (done) => {
    const ping = request(app).get("/ping");
    // The header must carry the configured policy; on affected helmet
    // versions the run above shows it reporting helmet's default instead.
    ping.expect("Cross-Origin-Embedder-Policy", /credentialless/).expect(200, done);
  });
});

describe("Cross-Origin-Embedder-Policy standalone", () => {
  // Control case: the same COEP options are given straight to the
  // standalone middleware, bypassing the helmet() wrapper.
  const coepOptions = { policy: "credentialless" };
  const app = express();

  app.use(helmet.crossOriginEmbedderPolicy(coepOptions));

  // Minimal endpoint: any response is enough to inspect the headers.
  app.use("/ping", (req, res) => {
    res.send("ok");
  });

  it("should insert Cross-Origin-Embedder-Policy", (done) => {
    const ping = request(app).get("/ping");
    // Expected to pass: the middleware honours the configured policy.
    ping.expect("Cross-Origin-Embedder-Policy", /credentialless/).expect(200, done);
  });
});

Test results

crossOriginEmbedderPolicy does not take options. Remove the property to silence this warning.


  Cross-Origin-Embedder-Policy through helmet()
    1) should insert Cross-Origin-Embedder-Policy

  Cross-Origin-Embedder-Policy standalone
    ✔ should insert Cross-Origin-Embedder-Policy


  1 passing (22ms)
  1 failing

  1) Cross-Origin-Embedder-Policy through helmet()
       should insert Cross-Origin-Embedder-Policy:
     Error: expected "Cross-Origin-Embedder-Policy" matching /credentialless/, got "require-corp"
      at Context.<anonymous> (test/crossOriginEmbedderPolicy_test.js:22:31)
      at processImmediate (node:internal/timers:466:21)
  ----
      at Test._assertHeader (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:232:16)
      at /Users/yacin/WORKSPACE/DEVELOPMENT/SUPERPOWER/salus/node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:308:13
      at Test._assertFunction (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:285:13)
      at Test.assert (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:164:23)
      at Server.localAssert (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:120:14)
      at Object.onceWrapper (node:events:641:28)
      at Server.emit (node:events:527:28)
      at emitCloseNT (node:net:1679:8)
      at processTicksAndRejections (node:internal/process/task_queues:82:21)

This is fixed in Helmet 6.0.1. Thanks for reporting!