helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page:https://helmetjs.github.io/

Consider disabling Origin-Agent-Cluster by default

timdown opened this issue · comments

Currently, Helmet sets Origin-Agent-Cluster: ?1 by default. However, I don't think that this is appropriate as a default for Helmet. It has subtle implications and trade-offs and is not intended as a security feature (yeah, I know you somewhat disagree with that part). The following line from this pretty authoritative page sticks out:

You shouldn't just roll out origin-keying and hope for the best.

... which is precisely what anyone upgrading an old version of Helmet without checking would be doing.

First, thanks for filing this issue. Helmet is nothing if not a set of defaults, and it's important that we get those defaults right. IMO, it's the hardest part of maintaining the library!

I'd consider disabling it, but I suspect it won't break most applications. What subtle tradeoffs have you experienced?

I'm basing that solely on reading Domenic Denicola's document, linked in the description. My situation is that I've just upgraded from Helmet 3 to 6 in the application I'm currently working on and am looking at the new headers, several of which were previously unfamiliar to me, to work out what to keep. I haven't seen anything good or bad resulting from including Origin-Agent-Cluster so far but I haven't tested it for very long, or benchmarked it.

To be honest, I hadn't heard of this header before today. I suspect you're right that it won't break most applications. It just seems quite an opinionated default.

If I were in your shoes, I'd probably take it out, but leaving it in is perfectly reasonable and I don't feel very strongly about it.

Chrome is showing this warning when I use createObjectURL with a Blob to use the resource url on a src attribute.
But I do not know any way to add the header on this kind of request.

This shows since helmet added Origin-Agent-Cluster: ?1.

The page did not request an origin-keyed cluster, but was put in one anyway because blob:https://my.site/uuid the origin 'https://my.site' had previously been placed in an origin-keyed agent cluster. Update your headers to uniformly request origin-keying for all pages on the origin.

While this is annoying, it is not breaking anything in my site. I just wanted to let you know.

Origin-Agent-Cluster, if respected by the browser, does two things:

  • Limits some things you can do. You can no longer set document.domain and it limits a few other cross-site communication features.
  • Tells the browser that the origin, not the site, can get its own resources (e.g., shared memory)

Google says that this isn't a security feature but it still seems useful as a security feature to me. I don't think it's a huge deal either way, but I'm inclined to keep it for now.

What do other people think?
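The two points above (what the header does, and the Chrome warning earlier in the thread about origin-keying not being requested uniformly across an origin) can be made concrete with a small stand-alone example. This is added illustration, not Helmet's own code or Express: it implements a minimal Express-style middleware that sets `Origin-Agent-Cluster: ?1` the way Helmet does by default, a constructed response object so it runs without Express, and a check that reports whether every response from one origin requested origin-keying. The route paths and the `enabled` option are assumptions for the demo.

```javascript
// Added example, not helmet's code. Demonstrates the Origin-Agent-Cluster header
// and a uniformity check for it across one origin's responses.

const HEADER = "Origin-Agent-Cluster";

// Structured-header boolean: "?1" requests origin-keying, "?0" declines it.
// The `enabled` option is an assumption of this example (helmet exposes the
// equivalent switch as the `originAgentCluster` option).
function originAgentCluster({ enabled = true } = {}) {
  return function middleware(req, res, next) {
    if (enabled) {
      res.setHeader(HEADER, "?1");
    }
    next();
  };
}

// Minimal stand-in for an Express response object (constructed for this example).
function makeResponse() {
  const headers = new Map();
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), value); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
  };
}

// Run a middleware chain against a constructed request and return the response.
function simulate(middlewares, path) {
  const req = { path };
  const res = makeResponse();
  let i = 0;
  const next = () => {
    if (i < middlewares.length) middlewares[i++](req, res, next);
  };
  next();
  return res;
}

// Given { path, value } entries for responses served from one origin, report
// whether origin-keying was requested uniformly. The browser decides the agent
// cluster from the first document it loads for that origin, so mixing "?1" with
// unset (or "?0") on other pages is what triggers the Chrome warning quoted in
// this thread.
function checkUniformOriginKeying(responses) {
  const values = new Set(
    responses.map((r) => (r.value === "?1" ? "?1" : "unset/?0"))
  );
  return { uniform: values.size <= 1, seen: [...values].sort() };
}

// Constructed scenario: the default applies the header on every route, so the
// check passes; enabling it on only one route breaks uniformity.
function demo() {
  const routes = ["/", "/app", "/blob-viewer"];
  const withDefault = routes.map((path) => ({
    path,
    value: simulate([originAgentCluster()], path).getHeader(HEADER),
  }));
  const mixed = routes.map((path, idx) => ({
    path,
    value: simulate([originAgentCluster({ enabled: idx === 0 })], path)
      .getHeader(HEADER),
  }));
  return {
    uniform: checkUniformOriginKeying(withDefault),
    mixed: checkUniformOriginKeying(mixed),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With real Helmet the same switch is `helmet({ originAgentCluster: false })` to drop the header entirely; the point the check makes is that whichever way you decide, apply it to every document on the origin rather than per route.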

Given that no one has responded and that I want to release Helmet v7 soon, I'm going to close this issue.

If anyone has additional feedback, I'd love to hear it.