Disable Cross-Origin-Embedder-Policy by default

See [#411](#411).
helmetjs · Apr 10, 2023 · 20a762e · 20a762e
1 parent 5f52361
commit 20a762e
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Changed
+
+- **Breaking:** `Cross-Origin-Embedder-Policy` middleware is now disabled by default. See [#411](https://github.com/helmetjs/helmet/issues/411)
+
 ### Removed
 
 - **Breaking:** Drop support for Node 14 and 15. Node 16+ is now required

diff --git a/README.md b/README.md
@@ -31,7 +31,6 @@ By default, Helmet sets the following headers:
 
 ```http
 Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
-Cross-Origin-Embedder-Policy: require-corp
 Cross-Origin-Opener-Policy: same-origin
 Cross-Origin-Resource-Policy: same-origin
 Origin-Agent-Cluster: ?1
@@ -71,7 +70,7 @@ app.use(
 
 Helmet is [Express](https://expressjs.com) middleware. (It also works with [Connect](https://github.com/senchalabs/connect) or [no library at all](https://github.com/helmetjs/helmet/wiki/How-to-use-Helmet-without-Express)! If you need support for other frameworks or languages, [see this list](https://helmetjs.github.io/see-also/).)
 
-The top-level `helmet` function is a wrapper around 14 smaller middlewares.
+The top-level `helmet` function is a wrapper around 13 smaller middlewares.
 
 In other words, these two code snippets are equivalent:
 
@@ -89,7 +88,6 @@ import * as helmet from "helmet";
 // ...
 
 app.use(helmet.contentSecurityPolicy());
-app.use(helmet.crossOriginEmbedderPolicy());
 app.use(helmet.crossOriginOpenerPolicy());
 app.use(helmet.crossOriginResourcePolicy());
 app.use(helmet.dnsPrefetchControl());
@@ -109,17 +107,17 @@ app.use(helmet.xssFilter());
 <details>
 <summary><code>helmet(options)</code></summary>
 
-Helmet is the top-level middleware for this module, including all 14 others.
+Helmet is the top-level middleware for this module, including 13 others. One is disabled by default but can be explicitly enabled.
 
 ```js
-// Includes all 14 middlewares
+// Includes 13 middlewares
 app.use(helmet());
 ```
 
 If you want to disable one, pass options to `helmet`. For example, to disable `frameguard`:
 
 ```js
-// Includes 13 out of 14 middlewares, skipping `helmet.frameguard`
+// Includes 12 out of 13 middlewares, skipping `helmet.frameguard`
 app.use(
   helmet({
     frameguard: false,
@@ -130,7 +128,7 @@ app.use(
 Most of the middlewares have options, which are documented in more detail below. For example, to pass `{ action: "deny" }` to `frameguard`:
 
 ```js
-// Includes all 14 middlewares, setting an option for `helmet.frameguard`
+// Includes all 13 middlewares, setting an option for `helmet.frameguard`
 app.use(
   helmet({
     frameguard: {
@@ -273,6 +271,8 @@ app.use(helmet.crossOriginEmbedderPolicy());
 app.use(helmet.crossOriginEmbedderPolicy({ policy: "credentialless" }));
 ```
 
+This header is disabled by default.
+
 You can't install this module separately.
 
 </details>

diff --git a/index.ts b/index.ts
@@ -81,15 +81,20 @@ interface Helmet {
 function getArgs<T>(
   option: undefined | boolean | Readonly<T>,
   middlewareConfig: Readonly<
-    | { takesOptions?: true }
-    | {
-        name: string;
-        takesOptions: false;
-      }
+    { enabledByDefault?: boolean } & (
+      | { takesOptions?: true }
+      | {
+          name: string;
+          takesOptions: false;
+        }
+    )
   > = {}
 ): null | [] | [T] {
   switch (option) {
-    case undefined:
+    case undefined: {
+      const enabledByDefault = middlewareConfig.enabledByDefault ?? true;
+      return enabledByDefault ? [] : null;
+    }
     case true:
       return [];
     case false:
@@ -117,7 +122,8 @@ function getMiddlewareFunctionsFromOptions(
   }
 
   const crossOriginEmbedderPolicyArgs = getArgs(
-    options.crossOriginEmbedderPolicy
+    options.crossOriginEmbedderPolicy,
+    { enabledByDefault: false }
   );
   if (crossOriginEmbedderPolicyArgs) {
     result.push(crossOriginEmbedderPolicy(...crossOriginEmbedderPolicyArgs));

diff --git a/test/index.test.ts b/test/index.test.ts
@@ -30,7 +30,7 @@ describe("helmet", () => {
     const expectedHeaders = {
       "content-security-policy":
         "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
-      "cross-origin-embedder-policy": "require-corp",
+      "cross-origin-embedder-policy": null,
       "cross-origin-opener-policy": "same-origin",
       "cross-origin-resource-policy": "same-origin",
       "origin-agent-cluster": "?1",
@@ -100,7 +100,7 @@ describe("helmet", () => {
     });
   });
 
-  it("allows Cross-Origin-Embedder-Policy middleware to be enabled", async () => {
+  it("allows Cross-Origin-Embedder-Policy middleware to be explicitly enabled", async () => {
     await check(topLevel({ crossOriginEmbedderPolicy: true }), {
       "cross-origin-embedder-policy": "require-corp",
     });