crossOriginEmbedderPolicy options are ignored when passed to helmet(config)
yacc opened this issue · comments
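The options to `crossOriginEmbedderPolicy` are ignored when passed to `helmet(config)`: Helmet logs a warning and the response carries `require-corp` instead of the configured policy (see the test results).
Passing the same options directly to the `helmet.crossOriginEmbedderPolicy()` middleware works fine.
See the test below to reproduce.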
Test
const request = require("supertest");
const express = require('express');
const helmet = require('helmet');
// Reproduction, case 1: the policy is configured through the top-level
// helmet() call. In the run reported with this test the case fails: the
// response carries "require-corp" and Helmet warns that
// crossOriginEmbedderPolicy does not take options.
describe("Cross-Origin-Embedder-Policy through helmet()", function () {
  const app = express();

  // Same option shape as the standalone case: { policy: "credentialless" }.
  app.use(
    helmet({
      crossOriginEmbedderPolicy: { policy: "credentialless" },
    })
  );

  // Minimal route so that there is a response whose headers can be inspected.
  app.use("/ping", (_req, res) => {
    res.send("ok");
  });

  it("should insert Cross-Origin-Embedder-Policy", function (done) {
    // Assert on the header actually sent rather than on the options object:
    // an option that the library drops is only visible in the response.
    request(app)
      .get("/ping")
      .expect("Cross-Origin-Embedder-Policy", /credentialless/)
      .expect(200, done);
  });
});
// Reproduction, case 2 (control): the same policy is handed directly to the
// standalone helmet.crossOriginEmbedderPolicy() middleware. In the run
// reported with this test the case passes, which isolates the problem to the
// way the top-level helmet() call forwards the option.
describe("Cross-Origin-Embedder-Policy standalone", function () {
  const app = express();

  // Only the Cross-Origin-Embedder-Policy middleware is mounted here.
  app.use(helmet.crossOriginEmbedderPolicy({ policy: "credentialless" }));

  // Minimal route so that there is a response whose headers can be inspected.
  app.use("/ping", (_req, res) => {
    res.send("ok");
  });

  it("should insert Cross-Origin-Embedder-Policy", function (done) {
    // Same assertion as the helmet() case so the two results are comparable.
    request(app)
      .get("/ping")
      .expect("Cross-Origin-Embedder-Policy", /credentialless/)
      .expect(200, done);
  });
});
Test results
crossOriginEmbedderPolicy does not take options. Remove the property to silence this warning.
Cross-Origin-Embedder-Policy through helmet()
1) should insert Cross-Origin-Embedder-Policy
Cross-Origin-Embedder-Policy standalone
✔ should insert Cross-Origin-Embedder-Policy
1 passing (22ms)
1 failing
1) Cross-Origin-Embedder-Policy through helmet()
should insert Cross-Origin-Embedder-Policy:
Error: expected "Cross-Origin-Embedder-Policy" matching /credentialless/, got "require-corp"
at Context.<anonymous> (test/crossOriginEmbedderPolicy_test.js:22:31)
at processImmediate (node:internal/timers:466:21)
----
at Test._assertHeader (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:232:16)
at /Users/yacin/WORKSPACE/DEVELOPMENT/SUPERPOWER/salus/node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:308:13
at Test._assertFunction (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:285:13)
at Test.assert (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:164:23)
at Server.localAssert (node_modules/.pnpm/supertest@6.3.1/node_modules/supertest/lib/test.js:120:14)
at Object.onceWrapper (node:events:641:28)
at Server.emit (node:events:527:28)
at emitCloseNT (node:net:1679:8)
at processTicksAndRejections (node:internal/process/task_queues:82:21)
This is fixed in Helmet 6.0.1. Thanks for reporting!