6.0.1: crossOriginEmbedderPolicy breaking change
glensc opened this issue
4.6.0 to 6.0.1 has a breaking change not listed in the changelog: an application (graphiql) served with this middleware installed results in all requests ending up with `net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200` errors.
StackOverflow post
To fix, I had to add this to the middleware options:
app.use(
helmet({
// @link https://github.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide#there-is-now-a-default-policy
contentSecurityPolicy: false,
+ crossOriginEmbedderPolicy: false,
}),
);
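Review bot: both `contentSecurityPolicy: false` and the added `crossOriginEmbedderPolicy: false` sit in the `helmet({...})` call passed to `app.use(` without a path, so the two headers are switched off for every route, not only the GraphiQL page that produced the error. Consider mounting this relaxed configuration on the GraphiQL route only and keeping the defaults elsewhere, and give the new line a short comment explaining why it is disabled, as the `@link` comment does for `contentSecurityPolicy`.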
I think this should also be noted as a breaking change in the changelog.
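Why the browser reports this error, as an added example that is not code from the issue or from Helmet: Helmet 5 and 6 send `Cross-Origin-Embedder-Policy: require-corp` by default, and the sketch below models the resource-policy check a browser then applies to no-cors subresources. The function name `corpCheck`, the URLs and the non-page reason labels are constructed for illustration; it also shows that a `Cross-Origin-Resource-Policy` header or a CORS-mode load on the resource clears the error without disabling the embedder policy.

```javascript
// Added sketch, not Helmet or browser code: a simplified model of the Fetch
// "cross-origin resource policy check" applied to no-cors subresource loads.
// Only COEP "unsafe-none" (header absent) and "require-corp" are modelled.
const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

// doc:  { url, coep }  embedding page and its Cross-Origin-Embedder-Policy
// res:  { url, corp }  subresource and its Cross-Origin-Resource-Policy (or null)
// mode: "no-cors" for a plain <script>/<img>, "cors" with the crossorigin attribute
function corpCheck(doc, res, mode = "no-cors") {
  // A CORS-mode load is governed by the CORS check instead of this one.
  if (mode === "cors") return { allowed: true, reason: "cors-mode" };

  let policy = CORP_VALUES.has(res.corp) ? res.corp : null;
  let defaulted = false;
  // The step named in the error: with no CORP header, COEP require-corp makes
  // the browser treat the response as if it said CORP: same-origin.
  if (policy === null && doc.coep === "require-corp") {
    policy = "same-origin";
    defaulted = true;
  }
  if (policy === null || policy === "cross-origin") {
    return { allowed: true, reason: "no-restriction" };
  }
  if (policy === "same-site") {
    throw new Error("same-site needs a Public Suffix List lookup; not modelled");
  }
  if (new URL(doc.url).origin === new URL(res.url).origin) {
    return { allowed: true, reason: "same-origin" };
  }
  // Only the first reason string appears on the page; the other is this sketch's label.
  return {
    allowed: false,
    reason: defaulted ? "NotSameOriginAfterDefaultedToSameOriginByCoep" : "corp-same-origin",
  };
}

// Constructed sample: a page on localhost embedding a script from another origin.
const script = { url: "https://cdn.example/graphiql.min.js", corp: null };
const helmetDefault = { url: "http://localhost:3000/graphiql", coep: "require-corp" };
const coepDisabled = { url: "http://localhost:3000/graphiql", coep: "unsafe-none" };

console.log(corpCheck(helmetDefault, script));                              // blocked
console.log(corpCheck(coepDisabled, script));                               // allowed
console.log(corpCheck(helmetDefault, { ...script, corp: "cross-origin" })); // allowed
console.log(corpCheck(helmetDefault, script, "cors"));                      // allowed
```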
Two things:
- This was mentioned in the changelog for 5.0.0
- Lots of people have had trouble with this so I intend to remove this header by default in future versions of Helmet.
I'm going to close this issue for now because I think this is resolved.
oh, lol. how I managed to jump two major versions and read only release notes for 6.x 🤣. thanks!
No worries at all! Thanks for using Helmet. Feel free to open a new issue any time.