6.0.1: crossOriginEmbedderPolicy breaking change

Question

6.0.1: crossOriginEmbedderPolicy breaking change

glensc opened this issue a year ago · comments

4.6.0 to 6.0.1 has breaking change not listed in changelog:

an application (graphiql) served with this middleware installed resulting all requests end up with:
net:: ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200" errors.

StackOverflow post

https://stackoverflow.com/questions/70695881/neterr-blocked-by-response-notsameoriginafterdefaultedtosameoriginbycoep-200

to fix, had to add to option middleware:

  app.use(
    helmet({
      // @link https://github.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide#there-is-now-a-default-policy
      contentSecurityPolicy: false,
+      crossOriginEmbedderPolicy: false,
    }),
  );

I think this should be also noted as breaking change in the changelog

Evan Hahn · Answer 1 · Tue Mar 28 2023 09:20:48 GMT+0800 (China Standard Time)

Two things:

This was mentioned in the changelog for 5.0.0
Lots of people have had trouble with this so I intend to remove this header by default in future versions of Helmet.

I'm going to close this issue for now because I think this is resolved.

Elan Ruusamäe · Answer 2 · Tue Mar 28 2023 14:17:49 GMT+0800 (China Standard Time)

oh, lol. how I managed to jump two major versions and read only release notes for 6.x 🤣 . thanks!

Evan Hahn · Answer 3 · Tue Mar 28 2023 19:16:10 GMT+0800 (China Standard Time)

No worries at all! Thanks for using Helmet. Feel free to open a new issue any time.