diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7fedbc3..ebb5c7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Changed
 - **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369)
+- **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default
 - `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
 ### Removed
diff --git a/README.md b/README.md
index dbb8297..7b0bb6a 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ app.use(helmet());
 By default, Helmet sets the following headers:
 ```http
-Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
+Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
 Cross-Origin-Embedder-Policy: require-corp
 Cross-Origin-Opener-Policy: same-origin
 Cross-Origin-Resource-Policy: same-origin
@@ -155,7 +155,7 @@ Each middleware's name is listed below.
 Default:
 ```http
-Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
+Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
 ```
 `helmet.contentSecurityPolicy` sets the `Content-Security-Policy` header which helps mitigate cross-site scripting attacks, among other things. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
@@ -168,7 +168,6 @@ These directives are merged into a default policy, which you can disable by sett
 default-src 'self';
 base-uri 'self';
- block-all-mixed-content;
 font-src 'self' https: data:;
 form-action 'self';
 frame-ancestors 'self';
diff --git a/middlewares/content-security-policy/CHANGELOG.md b/middlewares/content-security-policy/CHANGELOG.md
index 8964590..7d25cc0 100644
--- a/middlewares/content-security-policy/CHANGELOG.md
+++ b/middlewares/content-security-policy/CHANGELOG.md
@@ -6,10 +6,11 @@
 - **Breaking:** `useDefaults` option now defaults to `true`
 - **Breaking:** `form-action` directive is now set to `'self'` by default
+- **Breaking:** `block-all-mixed-content` is no longer set by default
 ### Removed
-- **Breaking:** Drop support for Node 10 and 11. Node 12+ is now required
+- **Breaking:** Node 14+ is now required
 ## 3.4.0 - 2021-05-02
diff --git a/middlewares/content-security-policy/README.md b/middlewares/content-security-policy/README.md
index 72aff8b..bf389a1 100644
--- a/middlewares/content-security-policy/README.md
+++ b/middlewares/content-security-policy/README.md
@@ -29,7 +29,6 @@ If no directives are supplied, the following policy is set (whitespace added for
 default-src 'self';
 base-uri 'self';
- block-all-mixed-content;
 font-src 'self' https: data:;
 form-action 'self';
 frame-ancestors 'self';
diff --git a/middlewares/content-security-policy/index.ts b/middlewares/content-security-policy/index.ts
index 6ca6063..e9fa8d7 100644
--- a/middlewares/content-security-policy/index.ts
+++ b/middlewares/content-security-policy/index.ts
@@ -42,7 +42,6 @@ const DEFAULT_DIRECTIVES: Record<
 > = {
 "default-src": ["'self'"],
 "base-uri": ["'self'"],
- "block-all-mixed-content": [],
 "font-src": ["'self'", "https:", "data:"],
 "form-action": ["'self'"],
 "frame-ancestors": ["'self'"],
diff --git a/test/content-security-policy.test.ts b/test/content-security-policy.test.ts
index e18f8b0..477fcca 100644
--- a/test/content-security-policy.test.ts
+++ b/test/content-security-policy.test.ts
@@ -31,7 +31,6 @@ describe("Content-Security-Policy middleware", () => {
 const expectedDirectives = new Set([
 "default-src 'self'",
 "base-uri 'self'",
- "block-all-mixed-content",
 "font-src 'self' https: data:",
 "form-action 'self'",
 "frame-ancestors 'self'",
@@ -225,7 +224,6 @@ describe("Content-Security-Policy middleware", () => {
 it("can override the default options", async () => {
 const expectedDirectives = new Set([
 "default-src 'self' example.com",
- "block-all-mixed-content",
 "font-src 'self' https: data:",
 "form-action 'self'",
 "frame-ancestors 'self'",
@@ -481,7 +479,6 @@ describe("Content-Security-Policy middleware", () => {
 ],
 expectedDirectives: new Set([
 "base-uri 'self'",
- "block-all-mixed-content",
 "font-src 'self' https: data:",
 "form-action 'self'",
 "frame-ancestors 'self'",
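Review bot: Dropping `"block-all-mixed-content": []` from DEFAULT_DIRECTIVES leaves nothing in the code saying why it went, so a maintainer comparing the defaults against a CSP reference is likely to re-add it; a one-line comment above the `"font-src"` entry would pin the intent, e.g. `// "block-all-mixed-content" is deliberately absent: the directive is deprecated in the Mixed Content spec and "upgrade-insecure-requests" (kept below) covers the same case; apps that still want it can add it through their own directives.` The README and test expectations in this commit show `upgrade-insecure-requests` staying in the default policy, so same-site http subresources are still upgraded, but deployments that relied on the old default to hard-block http subresources in clients that do not perform the upgrade now have to set the directive themselves, and neither CHANGELOG entry in this commit gives that reason. The DEFAULT_DIRECTIVES object literal begins and ends outside the hunk.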
@@ -537,7 +534,6 @@ describe("getDefaultDirectives", () => {
 it("returns the middleware's default directives", () => {
 expect(getDefaultDirectives()).toEqual({
 "base-uri": ["'self'"],
- "block-all-mixed-content": [],
 "default-src": ["'self'"],
 "font-src": ["'self'", "https:", "data:"],
 "form-action": ["'self'"],
diff --git a/test/index.test.ts b/test/index.test.ts
index c7acffa..b2b9910 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
@@ -30,7 +30,7 @@ describe("helmet", () => {
 // we should update this test to be more robust.
 const expectedHeaders = {
 "content-security-policy":
- "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
+ "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
 "cross-origin-embedder-policy": "require-corp",
 "cross-origin-opener-policy": "same-origin",
 "cross-origin-resource-policy": "same-origin",