Comparing version 5.0.2 to 5.1.0
# Changelog | ||
### 5.0.2 - 2022-01-22 | ||
## 5.1.0 - 2022-05-17 | ||
### Added | ||
- `Cross-Origin-Embedder-Policy`: support `credentialless` policy. See [#365](https://github.com/helmetjs/helmet/pull/365) | ||
- Documented how to set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` | ||
### Changed | ||
- Cleaned up some documentation around `Origin-Agent-Cluster` | ||
## 5.0.2 - 2022-01-22 | ||
### Changed | ||
- Improve imports for CommonJS and ECMAScript modules. See [#345](https://github.com/helmetjs/helmet/pull/345) | ||
- Fixed some documentation | ||
### 5.0.1 - 2022-01-03 | ||
## 5.0.1 - 2022-01-03 | ||
@@ -20,3 +31,3 @@ ### Changed | ||
### 5.0.0 - 2022-01-02 | ||
## 5.0.0 - 2022-01-02 | ||
@@ -35,2 +46,4 @@ ### Added | ||
- **Breaking:** `helmet.originAgentCluster` is enabled by default | ||
- `helmet.frameguard`: add TypeScript editor autocomplete. See [#322](https://github.com/helmetjs/helmet/pull/322) | ||
- Top-level `helmet()` function is slightly faster | ||
@@ -41,9 +54,2 @@ ### Removed | ||
## Unreleased | ||
### Changed | ||
- Top-level `helmet()` function is slightly faster | ||
- `helmet.frameguard`: add TypeScript editor autocomplete. See [#322](https://github.com/helmetjs/helmet/pull/322) | ||
## 4.6.0 - 2021-05-01 | ||
@@ -50,0 +56,0 @@ |
@@ -120,5 +120,14 @@ "use strict" | ||
function crossOriginEmbedderPolicy() { | ||
const ALLOWED_POLICIES$2 = new Set(["require-corp", "credentialless"]) | ||
function getHeaderValueFromOptions$7({ policy = "require-corp" }) { | ||
if (ALLOWED_POLICIES$2.has(policy)) { | ||
return policy | ||
} else { | ||
throw new Error(`Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`) | ||
} | ||
} | ||
function crossOriginEmbedderPolicy(options = {}) { | ||
const headerValue = getHeaderValueFromOptions$7(options) | ||
return function crossOriginEmbedderPolicyMiddleware(_req, res, next) { | ||
res.setHeader("Cross-Origin-Embedder-Policy", "require-corp") | ||
res.setHeader("Cross-Origin-Embedder-Policy", headerValue) | ||
next() | ||
@@ -125,0 +134,0 @@ } |
@@ -116,5 +116,14 @@ const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc") | ||
function crossOriginEmbedderPolicy() { | ||
const ALLOWED_POLICIES$2 = new Set(["require-corp", "credentialless"]) | ||
function getHeaderValueFromOptions$7({ policy = "require-corp" }) { | ||
if (ALLOWED_POLICIES$2.has(policy)) { | ||
return policy | ||
} else { | ||
throw new Error(`Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`) | ||
} | ||
} | ||
function crossOriginEmbedderPolicy(options = {}) { | ||
const headerValue = getHeaderValueFromOptions$7(options) | ||
return function crossOriginEmbedderPolicyMiddleware(_req, res, next) { | ||
res.setHeader("Cross-Origin-Embedder-Policy", "require-corp") | ||
res.setHeader("Cross-Origin-Embedder-Policy", headerValue) | ||
next() | ||
@@ -121,0 +130,0 @@ } |
import { IncomingMessage, ServerResponse } from "http" | ||
declare function crossOriginEmbedderPolicy(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void | ||
export interface CrossOriginEmbedderPolicyOptions { | ||
policy?: string | ||
} | ||
declare function crossOriginEmbedderPolicy(options?: Readonly<CrossOriginEmbedderPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void | ||
export default crossOriginEmbedderPolicy |
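Review bot: `policy?: string` in `CrossOriginEmbedderPolicyOptions` is wider than what the shipped implementation accepts — the bundled `getHeaderValueFromOptions` in this same release only admits `"require-corp"` and `"credentialless"` and throws for anything else when the middleware is constructed, so a typo such as `"credentialess"` compiles cleanly and only fails at startup. Narrowing the declaration to the literal union `policy?: "require-corp" | "credentialless"` moves that failure to compile time and gives editor autocomplete, in line with what the changelog says was done for `frameguard`. If this `.d.ts` is emitted from a TypeScript source not shown here, the change belongs in that source's options interface rather than in the emitted file. A short doc comment on the field would also help: `/** COEP value to send; defaults to "require-corp". Any other string throws when the middleware is created. */`.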
@@ -9,3 +9,3 @@ { | ||
"description": "help secure Express/Connect apps with various HTTP headers", | ||
"version": "5.0.2", | ||
"version": "5.1.0", | ||
"keywords": [ | ||
@@ -29,16 +29,16 @@ "express", | ||
"devDependencies": { | ||
"@rollup/plugin-typescript": "^8.3.0", | ||
"@rollup/plugin-typescript": "^8.3.2", | ||
"@types/connect": "^3.4.35", | ||
"@types/jest": "^27.0.3", | ||
"@types/supertest": "^2.0.11", | ||
"@typescript-eslint/eslint-plugin": "^5.4.0", | ||
"@typescript-eslint/parser": "^5.4.0", | ||
"@types/jest": "^27.5.1", | ||
"@types/supertest": "^2.0.12", | ||
"@typescript-eslint/eslint-plugin": "^5.25.0", | ||
"@typescript-eslint/parser": "^5.25.0", | ||
"connect": "^3.7.0", | ||
"eslint": "^8.3.0", | ||
"jest": "^27.3.1", | ||
"prettier": "^2.4.1", | ||
"rollup": "^2.60.2", | ||
"supertest": "^6.1.6", | ||
"ts-jest": "^27.0.7", | ||
"typescript": "^4.5.2" | ||
"eslint": "^8.15.0", | ||
"jest": "^28.1.0", | ||
"prettier": "^2.6.2", | ||
"rollup": "^2.73.0", | ||
"supertest": "^6.2.3", | ||
"ts-jest": "^28.0.2", | ||
"typescript": "^4.6.4" | ||
}, | ||
@@ -49,3 +49,3 @@ "scripts": { | ||
"lint": "npm run lint:eslint && npm run lint:prettier", | ||
"lint:eslint": "eslint \"**/*.ts\"", | ||
"lint:eslint": "eslint .", | ||
"lint:prettier": "prettier --check .", | ||
@@ -52,0 +52,0 @@ "format": "prettier --write .", |
@@ -157,3 +157,3 @@ # Helmet | ||
`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. | ||
`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. If you want to set _both_ the normal and `Report-Only` headers, see [this code snippet](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560). | ||
@@ -238,14 +238,6 @@ You can also get the default directives object with `helmet.contentSecurityPolicy.getDefaultDirectives()`. | ||
<details> | ||
<summary><code>helmet.crossOriginEmbedderPolicy()</code></summary> | ||
<summary><code>helmet.crossOriginEmbedderPolicy(options)</code></summary> | ||
`helmet.crossOriginEmbedderPolicy` sets the `Cross-Origin-Embedder-Policy` header to `require-corp`. See [MDN's article on this header](https://developer.cdn.mozilla.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) for more. | ||
Example usage with Helmet: | ||
```js | ||
// Uses the default Helmet options and adds the `crossOriginEmbedderPolicy` middleware. | ||
// Sets "Cross-Origin-Embedder-Policy: require-corp" | ||
app.use(helmet({ crossOriginEmbedderPolicy: true })); | ||
``` | ||
Standalone example: | ||
@@ -256,2 +248,5 @@ | ||
app.use(helmet.crossOriginEmbedderPolicy()); | ||
// Sets "Cross-Origin-Embedder-Policy: credentialless" | ||
app.use(helmet.crossOriginEmbedderPolicy({ policy: "credentialless" })); | ||
``` | ||
@@ -462,10 +457,2 @@ | ||
Example usage with Helmet: | ||
```js | ||
// Uses the default Helmet options and adds the `originAgentCluster` middleware. | ||
// Sets "Origin-Agent-Cluster: ?1" | ||
app.use(helmet({ originAgentCluster: true })); | ||
``` | ||
Standalone example: | ||
@@ -594,3 +581,3 @@ | ||
If you're using Express, this middleware will work, but you should use `app.disable("x-powered-by")` instead. | ||
Note: [Express has a built-in way to disable the `X-Powered-By` header](https://stackoverflow.com/a/12484642/804100), which you may wish to use instead of this middleware. | ||
@@ -597,0 +584,0 @@ Examples: |