This repository has been archived by the owner on May 3, 2024. It is now read-only.
fix(helmet): disable breaking headers #780
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Size Change: 0 B Total Size: 681 kB ℹ️ View Unchanged
|
Matthew-Mallimo
approved these changes
Jul 6, 2022
10xLaCroixDrinker
approved these changes
Jul 6, 2022
JAdshead
added a commit
that referenced
this pull request
Jul 19, 2022
JAdshead
added a commit
that referenced
this pull request
Jul 20, 2022
giulianok
added a commit
that referenced
this pull request
Sep 2, 2022
* feat(deps): upgrade to react 17 BREAKING CHANGE: Upgrade from React 16 to 17 * feat(server): drop node 12 support BREAKING CHANGE: minimum supported node version is 16 * test(modules): fix dep resolution error * chore(release): 6.0.0-rc.0 * chore(bundle-size-action): wider strip-hash capture * chore(deps): update packages to latest compatible versions * chore(babel): update packages * chore(commitlint): update * chore(rollup-plugins): update * chore(acorn): uninstall * chore(babel-preset-amex): update to 4 * chore(body-parser): update * chore(dev-deps): update * chore(holocron): update 1.3.0 * chore(redux): update 4.2.0 * chore(core-js): update 3.23.3 * chore(deps): run npm update * chore(husky): update to 8.x * chore(chalk): downgrade to non esm version * chore(webdriverio): update 7.x * feat(dockerfile): update node version to 16.15.1 * chore(deps): update supertest * fix(node): set min version 16.15.1 * chore(deps): dedupe * test(createRequestHtmlFragment): more reliable error message * chore(jest): upgrade 28.1.2 * fix(helmet): disable breaking headers (#780) * feat(deps): upgrade to react 17 BREAKING CHANGE: Upgrade from React 16 to 17 * feat(server): drop node 12 support BREAKING CHANGE: minimum supported node version is 16 * test(modules): fix dep resolution error * chore(release): 6.0.0-rc.0 * chore(bundle-size-action): wider strip-hash capture * chore(deps): update packages to latest compatible versions * chore(babel): update packages * chore(commitlint): update * chore(rollup-plugins): update * chore(acorn): uninstall * chore(babel-preset-amex): update to 4 * chore(body-parser): update * chore(dev-deps): update * chore(holocron): update 1.3.0 * chore(redux): update 4.2.0 * chore(core-js): update 3.23.3 * chore(deps): run npm update * chore(husky): update to 8.x * chore(chalk): downgrade to non esm version * chore(webdriverio): update 7.x * feat(dockerfile): update node version to 16.15.1 * chore(deps): update supertest * fix(node): set min version 16.15.1 * chore(deps): dedupe * test(createRequestHtmlFragment): more reliable error message * chore(jest): upgrade 28.1.2 * fix(helmet): disable breaking headers (#780) * chore(changelog): correct 5.15.0 * feat: running app through fastify * chore: fixing unit tests * chore: fixed unit testing * fix: tests * feat: added rate limiter in metrics api * chore: minor adjustments * feat: metrics server fastify migration * refactor: migrated logging middleware to fastify as plugin * test: added missing test for coverage * refactor: added rate limit plugin * refactor: converted hardcoded route into decorator * refactor: removed health check middleware * chore: feedback Co-authored-by: Jamie King <jamie.king@aexp.com> Co-authored-by: Jonny Adshead <JAdshead@users.noreply.github.com> Co-authored-by: Jonathan Adshead <jonathan.adshead@aexp.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Helmet@5 included breaking changes which were initially missed during the update and will have an impact on One App applications:
Breaking: helmet.crossOriginEmbedderPolicy is enabled by default
Breaking: helmet.crossOriginOpenerPolicy is enabled by default
Breaking: helmet.crossOriginResourcePolicy is enabled by default
Breaking: helmet.originAgentCluster is enabled by default
We should consider enabling these to be opt in (non breaking)or defaulting to more restrictive options with an opt out (breaking change)
crossOriginEmbedderPolicy
crossOriginOpenerPolicy
crossOriginResourcePolicy
originAgentCluster
Motivation and Context
Revert breaking changes.
How Has This Been Tested?
Test suite and running with locally served modules.
Types of Changes
Checklist:
What is the Impact to Developers Using One App?