helmetjs / helmet

@EvanHahn thanks for your continued work on this package. 🙌

I noticed that although unsafe-none is a valid value for Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy, and it is supported by helmet COOP,

helmet/middlewares/cross-origin-opener-policy/index.ts

Lines 3 to 11 in 3123831

    
           export interface CrossOriginOpenerPolicyOptions { 
        
             policy?: "same-origin" | "same-origin-allow-popups" | "unsafe-none"; 
        
           } 
        
           const ALLOWED_POLICIES = new Set([ 
        
             "same-origin", 
        
             "same-origin-allow-popups", 
        
             "unsafe-none", 
        
           ]);

but it is not supported by helmet COEP:

helmet/middlewares/cross-origin-embedder-policy/index.ts

Lines 3 to 7 in 3123831

    
           export interface CrossOriginEmbedderPolicyOptions { 
        
             policy?: "require-corp" | "credentialless"; 
        
           } 
        
           const ALLOWED_POLICIES = new Set(["require-corp", "credentialless"]);

I was wondering if this seems right to you, and if not, I'm happy to submit a PR! I don't believe this would be a breaking change.

You're right. COEP should support "unsafe-none". Feel free to open a pull request!

	export interface CrossOriginOpenerPolicyOptions {
	policy?: "same-origin" \| "same-origin-allow-popups" \| "unsafe-none";
	}

	const ALLOWED_POLICIES = new Set([
	"same-origin",
	"same-origin-allow-popups",
	"unsafe-none",
	]);

	export interface CrossOriginEmbedderPolicyOptions {
	policy?: "require-corp" \| "credentialless";
	}

	const ALLOWED_POLICIES = new Set(["require-corp", "credentialless"]);

Support `unsafe-none` in `helmet.crossOriginEmbedderPolicy`?