Stop setting Cross-Origin-Embedder-Policy by default in next major version
EvanHahn opened this issue
This has caused lots of problems for people.
The middleware should still be there, but it should be disabled by default.
@EvanHahn Curious what kind of problem it has caused, if you are available to elaborate in a few sentences
Good question.
Many users (especially those on Stack Overflow) had a lot of trouble with this header because of the way they were loading cross-origin resources. Helmet is supposed to be easy-to-use and this was causing a lot of trouble for a lot of people, which is why I changed the default.
@EvanHahn understood, thank you
@stfsy It's great you've brought this up. I've had my fair share of issues with COEP, specifically with Helmet 5 & 6 setting the Cross-Origin-Embedder-Policy header to require-corp by default. This blocked cross-origin embedded iframes in my case, and I couldn't figure out what the issue was until I stumbled on @EvanHahn's explanation on SO: https://stackoverflow.com/questions/70752770/helmet-express-err-blocked-by-response-notsameorigin-200
The following solved the issue relatively painlessly:

```javascript
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(
  helmet({
    crossOriginEmbedderPolicy: false, // don't send COEP: require-corp
  })
);
```
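To make the blocked-iframe case above easier to reason about, here is an added example (not code from the Helmet project or from anyone in this thread): a simplified model of the browser-side check that produces ERR_BLOCKED_BY_RESPONSE.NotSameOrigin when the top document carries COEP: require-corp. The origins and header values are constructed, and the same-site comparison is an approximation of the registrable-domain check a real browser does with the Public Suffix List.

```javascript
// Constructed model of COEP/CORP enforcement; not browser code.

function origin(u) {
  return new URL(u).origin;
}

// Approximation: registrable domain = last two host labels.
function sameSite(a, b) {
  const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");
  return site(a) === site(b);
}

// Cross-Origin-Resource-Policy check applied when the embedding document
// sends COEP: require-corp. `corp` is the resource's CORP header (or null);
// `viaCors` is true when the resource was fetched in CORS mode and passed.
function corpAllows(embedderUrl, resourceUrl, corp, viaCors) {
  if (origin(embedderUrl) === origin(resourceUrl)) return true; // same-origin
  if (viaCors) return true;                                      // CORS-enabled
  if (corp === "cross-origin") return true;
  if (corp === "same-site" && sameSite(embedderUrl, resourceUrl)) return true;
  return false; // no CORP header (or same-origin only): blocked
}

// Decide whether a subresource or iframe loads. `embedderCoep` is the COEP
// value the top document sent ("require-corp" with Helmet 5/6 defaults, or
// null once the header is disabled). A framed document must additionally
// opt in with its own COEP header (require-corp or credentialless).
function loadAllowed({ embedderUrl, embedderCoep, resourceUrl, corp = null,
                       viaCors = false, isIframe = false, childCoep = null }) {
  if (embedderCoep !== "require-corp") return true; // COEP absent or unsafe-none
  if (!corpAllows(embedderUrl, resourceUrl, corp, viaCors)) return false;
  if (isIframe && !["require-corp", "credentialless"].includes(childCoep)) {
    return false;
  }
  return true;
}
```

With `crossOriginEmbedderPolicy: false` the top document sends no COEP header, so `loadAllowed` returns true for the cross-origin iframe that was being blocked; keeping require-corp means every embedded third-party resource must carry a suitable CORP header (or be fetched with CORS), and iframes must set COEP themselves.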
Helmet 7 comes with COEP disabled out of the box.
@EvanHahn could you elaborate on how to disable COEP for .html files? I couldn't find resources to assist me with this. I read about the issue here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
It's showing as default in VS Code.
@PulastTiwari Could you please open a new issue to discuss this? Please include your Helmet configuration, too—it will make it easier to answer your question.