Content-Security-Policy: remove block-all-mixed-content

To quote [MDN][mdn]: > Deprecated: This feature is no longer recommended. Though some > browsers might still support it, it may have already been removed from > relevant web standards [...]. Avoid using it, and update existing code > if possible [...] See [#371][371] and [#372][372]. [mdn]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content [371]: #371 [372]: #372
helmetjs · Aug 3, 2022 · 1245693 · 1245693
1 parent 4953389
commit 1245693
Show file tree

Hide file tree

Showing 7 changed files with 6 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Changed
 
 - **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369)
+- **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default
 - `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
 
 ### Removed

diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ app.use(helmet());
 By default, Helmet sets the following headers:
 
 ```http
-Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
+Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
 Cross-Origin-Embedder-Policy: require-corp
 Cross-Origin-Opener-Policy: same-origin
 Cross-Origin-Resource-Policy: same-origin
@@ -155,7 +155,7 @@ Each middleware's name is listed below.
 Default:
 
 ```http
-Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
+Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
 ```
 
 `helmet.contentSecurityPolicy` sets the `Content-Security-Policy` header which helps mitigate cross-site scripting attacks, among other things. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
@@ -168,7 +168,6 @@ These directives are merged into a default policy, which you can disable by sett
 
     default-src 'self';
     base-uri 'self';
-    block-all-mixed-content;
     font-src 'self' https: data:;
     form-action 'self';
     frame-ancestors 'self';

diff --git a/middlewares/content-security-policy/CHANGELOG.md b/middlewares/content-security-policy/CHANGELOG.md
@@ -6,10 +6,11 @@
 
 - **Breaking:** `useDefaults` option now defaults to `true`
 - **Breaking:** `form-action` directive is now set to `'self'` by default
+- **Breaking:** `block-all-mixed-content` is no longer set by default
 
 ### Removed
 
-- **Breaking:** Drop support for Node 10 and 11. Node 12+ is now required
+- **Breaking:** Node 14+ is now required
 
 ## 3.4.0 - 2021-05-02
 

diff --git a/middlewares/content-security-policy/README.md b/middlewares/content-security-policy/README.md
@@ -29,7 +29,6 @@ If no directives are supplied, the following policy is set (whitespace added for
 
     default-src 'self';
     base-uri 'self';
-    block-all-mixed-content;
     font-src 'self' https: data:;
     form-action 'self';
     frame-ancestors 'self';

diff --git a/middlewares/content-security-policy/index.ts b/middlewares/content-security-policy/index.ts
@@ -42,7 +42,6 @@ const DEFAULT_DIRECTIVES: Record<
 > = {
   "default-src": ["'self'"],
   "base-uri": ["'self'"],
-  "block-all-mixed-content": [],
   "font-src": ["'self'", "https:", "data:"],
   "form-action": ["'self'"],
   "frame-ancestors": ["'self'"],

diff --git a/test/content-security-policy.test.ts b/test/content-security-policy.test.ts
@@ -31,7 +31,6 @@ describe("Content-Security-Policy middleware", () => {
     const expectedDirectives = new Set([
       "default-src 'self'",
       "base-uri 'self'",
-      "block-all-mixed-content",
       "font-src 'self' https: data:",
       "form-action 'self'",
       "frame-ancestors 'self'",
@@ -225,7 +224,6 @@ describe("Content-Security-Policy middleware", () => {
   it("can override the default options", async () => {
     const expectedDirectives = new Set([
       "default-src 'self' example.com",
-      "block-all-mixed-content",
       "font-src 'self' https: data:",
       "form-action 'self'",
       "frame-ancestors 'self'",
@@ -481,7 +479,6 @@ describe("Content-Security-Policy middleware", () => {
       ],
       expectedDirectives: new Set([
         "base-uri 'self'",
-        "block-all-mixed-content",
         "font-src 'self' https: data:",
         "form-action 'self'",
         "frame-ancestors 'self'",
@@ -537,7 +534,6 @@ describe("getDefaultDirectives", () => {
   it("returns the middleware's default directives", () => {
     expect(getDefaultDirectives()).toEqual({
       "base-uri": ["'self'"],
-      "block-all-mixed-content": [],
       "default-src": ["'self'"],
       "font-src": ["'self'", "https:", "data:"],
       "form-action": ["'self'"],

diff --git a/test/index.test.ts b/test/index.test.ts
@@ -30,7 +30,7 @@ describe("helmet", () => {
     // we should update this test to be more robust.
     const expectedHeaders = {
       "content-security-policy":
-        "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
+        "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
       "cross-origin-embedder-policy": "require-corp",
       "cross-origin-opener-policy": "same-origin",
       "cross-origin-resource-policy": "same-origin",