Fix crossOriginEmbedderPolicy top-level options

See [#390][0] for a detailed report. [0]: #390
helmetjs · Nov 29, 2022 · a9f141b · a9f141b
1 parent 1140fb5
commit a9f141b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 6.0.1 - 2022-11-29
+
+### Fixed
+
+- `crossOriginEmbedderPolicy` did not accept options at the top level. See [#390](https://github.com/helmetjs/helmet/issues/390)
+
 ## 6.0.0 - 2022-08-26
 
 ### Changed

diff --git a/index.ts b/index.ts
@@ -2,7 +2,9 @@ import { IncomingMessage, ServerResponse } from "http";
 import contentSecurityPolicy, {
   ContentSecurityPolicyOptions,
 } from "./middlewares/content-security-policy/index.js";
-import crossOriginEmbedderPolicy from "./middlewares/cross-origin-embedder-policy/index.js";
+import crossOriginEmbedderPolicy, {
+  CrossOriginEmbedderPolicyOptions,
+} from "./middlewares/cross-origin-embedder-policy/index.js";
 import crossOriginOpenerPolicy, {
   CrossOriginOpenerPolicyOptions,
 } from "./middlewares/cross-origin-opener-policy/index.js";
@@ -33,7 +35,7 @@ import xXssProtection from "./middlewares/x-xss-protection/index.js";
 
 export interface HelmetOptions {
   contentSecurityPolicy?: ContentSecurityPolicyOptions | boolean;
-  crossOriginEmbedderPolicy?: boolean;
+  crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicyOptions | boolean;
   crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean;
   crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean;
   dnsPrefetchControl?: XDnsPrefetchControlOptions | boolean;
@@ -120,14 +122,10 @@ function getMiddlewareFunctionsFromOptions(
   }
 
   const crossOriginEmbedderPolicyArgs = getArgs(
-    options.crossOriginEmbedderPolicy,
-    {
-      name: "crossOriginEmbedderPolicy",
-      takesOptions: false,
-    }
+    options.crossOriginEmbedderPolicy
   );
   if (crossOriginEmbedderPolicyArgs) {
-    result.push(crossOriginEmbedderPolicy());
+    result.push(crossOriginEmbedderPolicy(...crossOriginEmbedderPolicyArgs));
   }
 
   const crossOriginOpenerPolicyArgs = getArgs(options.crossOriginOpenerPolicy);

diff --git a/test/index.test.ts b/test/index.test.ts
@@ -126,6 +126,15 @@ describe("helmet", () => {
     });
   });
 
+  it("allows Cross-Origin-Embedder-Policy middleware to be enabled with custom arguments", async () => {
+    await check(
+      topLevel({ crossOriginEmbedderPolicy: { policy: "credentialless" } }),
+      {
+        "cross-origin-embedder-policy": "credentialless",
+      }
+    );
+  });
+
   it("allows Cross-Origin-Opener-Policy middleware to be enabled with its default", async () => {
     await check(topLevel({ crossOriginOpenerPolicy: true }), {
       "cross-origin-opener-policy": "same-origin",
@@ -218,15 +227,6 @@ describe("helmet", () => {
       jest.spyOn(console, "warn").mockImplementation(() => {});
     });
 
-    it("logs a warning when passing options to crossOriginEmbedderPolicy", () => {
-      topLevel({ crossOriginEmbedderPolicy: { option: "foo" } as any });
-
-      expect(console.warn).toHaveBeenCalledTimes(1);
-      expect(console.warn).toHaveBeenCalledWith(
-        "crossOriginEmbedderPolicy does not take options. Remove the property to silence this warning."
-      );
-    });
-
     it("logs a warning when passing options to hidePoweredBy", () => {
       topLevel({ hidePoweredBy: { setTo: "deprecated option" } as any });