diff --git a/CHANGELOG.md b/CHANGELOG.md index aab225a..50404aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## Unreleased +### Changed + +- **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369) + ### Removed - **Breaking:** Dropped support for Node 12 and 13. Node 14+ is now required diff --git a/middlewares/cross-origin-embedder-policy/index.ts b/middlewares/cross-origin-embedder-policy/index.ts index 43a166c..992f6b3 100644 --- a/middlewares/cross-origin-embedder-policy/index.ts +++ b/middlewares/cross-origin-embedder-policy/index.ts @@ -1,7 +1,7 @@ import { IncomingMessage, ServerResponse } from "http"; export interface CrossOriginEmbedderPolicyOptions { - policy?: string; + policy?: "require-corp" | "credentialless"; } const ALLOWED_POLICIES = new Set(["require-corp", "credentialless"]); diff --git a/middlewares/cross-origin-opener-policy/index.ts b/middlewares/cross-origin-opener-policy/index.ts index 1200ced..4c6bc03 100644 --- a/middlewares/cross-origin-opener-policy/index.ts +++ b/middlewares/cross-origin-opener-policy/index.ts @@ -1,7 +1,7 @@ import { IncomingMessage, ServerResponse } from "http"; export interface CrossOriginOpenerPolicyOptions { - policy?: string; + policy?: "same-origin" | "same-origin-allow-popups" | "unsafe-none"; } const ALLOWED_POLICIES = new Set([ diff --git a/middlewares/cross-origin-resource-policy/CHANGELOG.md b/middlewares/cross-origin-resource-policy/CHANGELOG.md index d2cc8ae..cd3f19d 100644 --- a/middlewares/cross-origin-resource-policy/CHANGELOG.md +++ b/middlewares/cross-origin-resource-policy/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## Unreleased + +### Changed + +- **Breaking:** increase TypeScript strictness around arguments. Only affects TypeScript users. See [helmetjs/helmet#369](https://github.com/helmetjs/helmet/issues/369) + ## 0.3.0 - 2021-04-17 ### Added 
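Review bot: The new literal union on `policy` in `CrossOriginEmbedderPolicyOptions` repeats the values already held in `ALLOWED_POLICIES` on the context line below it, so the compile-time list and the runtime allowlist can drift apart. The same pattern appears in the Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and X-Permitted-Cross-Domain-Policies hunks. The union is erased at compile time, so plain JavaScript callers and values read from configuration still depend on the runtime check, which presumably uses that set outside the hunk. A comment above the field, such as `// Compile-time hint only: the value is still checked against ALLOWED_POLICIES at runtime.`, would stop a later cleanup from removing that check. Deriving the field type from one `as const` tuple that also feeds the set would leave a single list to maintain.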
diff --git a/middlewares/cross-origin-resource-policy/index.ts b/middlewares/cross-origin-resource-policy/index.ts index 74e6938..a24e91d 100644 --- a/middlewares/cross-origin-resource-policy/index.ts +++ b/middlewares/cross-origin-resource-policy/index.ts @@ -1,7 +1,7 @@ import { IncomingMessage, ServerResponse } from "http"; export interface CrossOriginResourcePolicyOptions { - policy?: string; + policy?: "same-origin" | "same-site" | "cross-origin"; } const ALLOWED_POLICIES = new Set(["same-origin", "same-site", "cross-origin"]); diff --git a/middlewares/referrer-policy/CHANGELOG.md b/middlewares/referrer-policy/CHANGELOG.md index 0e4f2a0..9ca3d20 100644 --- a/middlewares/referrer-policy/CHANGELOG.md +++ b/middlewares/referrer-policy/CHANGELOG.md @@ -1,10 +1,16 @@ # Changelog +## Unreleased + +### Changed + +- **Breaking:** increase TypeScript strictness around arguments. Only affects TypeScript users. See [helmetjs/helmet#369](https://github.com/helmetjs/helmet/issues/369) + ## 2.0.0 - Unreleased ### Removed -- Dropped support for old Node versions. Node 10+ is now required +- **Breaking:** Dropped support for old Node versions. Node 10+ is now required ## 1.2.0 - 2019-05-03 diff --git a/middlewares/referrer-policy/index.ts b/middlewares/referrer-policy/index.ts index 0e6e7e3..c3ca27c 100644 --- a/middlewares/referrer-policy/index.ts +++ b/middlewares/referrer-policy/index.ts @@ -1,10 +1,21 @@ import { IncomingMessage, ServerResponse } from "http"; +type ReferrerPolicyToken = + | "no-referrer" + | "no-referrer-when-downgrade" + | "same-origin" + | "origin" + | "strict-origin" + | "origin-when-cross-origin" + | "strict-origin-when-cross-origin" + | "unsafe-url" + | ""; + export interface ReferrerPolicyOptions { - policy?: string | string[]; + policy?: ReferrerPolicyToken | ReferrerPolicyToken[]; } -const ALLOWED_TOKENS = new Set([ +const ALLOWED_TOKENS = new Set([ "no-referrer", "no-referrer-when-downgrade", "same-origin", 
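Review bot: `ReferrerPolicyToken` is declared without `export`, although the exported `ReferrerPolicyOptions` now depends on it. After this breaking change, a TypeScript caller who builds the token list in a variable gets `string[]` inferred and has no named type to annotate it with, short of `ReferrerPolicyOptions["policy"]`. I would write `export type ReferrerPolicyToken =` and add a one-line doc comment saying the `""` member is deliberate, since the tests in this commit set the header to the empty string. The `ALLOWED_TOKENS` list continues past the end of the hunk, so I cannot confirm from here that it matches the union member for member.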
@@ -25,7 +36,7 @@ function getHeaderValueFromOptions({ throw new Error("Referrer-Policy received no policy tokens"); } - const tokensSeen = new Set(); + const tokensSeen = new Set(); tokens.forEach((token) => { if (!ALLOWED_TOKENS.has(token)) { throw new Error( diff --git a/middlewares/x-frame-options/CHANGELOG.md b/middlewares/x-frame-options/CHANGELOG.md index 300649f..0a90132 100644 --- a/middlewares/x-frame-options/CHANGELOG.md +++ b/middlewares/x-frame-options/CHANGELOG.md @@ -4,7 +4,7 @@ ### Changed -- Add TypeScript editor autocomplete. See [#322](https://github.com/helmetjs/helmet/pull/322) +- **Breaking:** increase TypeScript strictness around arguments. Only affects TypeScript users. See [helmetjs/helmet#369](https://github.com/helmetjs/helmet/issues/369) ## 4.0.0 - 2020-12-21 diff --git a/middlewares/x-frame-options/index.ts b/middlewares/x-frame-options/index.ts index cc99a24..6638c41 100644 --- a/middlewares/x-frame-options/index.ts +++ b/middlewares/x-frame-options/index.ts @@ -1,12 +1,11 @@ import { IncomingMessage, ServerResponse } from "http"; export interface XFrameOptionsOptions { - // This offers autocomplete while still supporting regular `string`s. - action?: "DENY" | "SAMEORIGIN" | (string & { _?: never }); + action?: "deny" | "sameorigin"; } function getHeaderValueFromOptions({ - action = "SAMEORIGIN", + action = "sameorigin", }: Readonly): string { const normalizedAction = typeof action === "string" ? action.toUpperCase() : action; diff --git a/middlewares/x-permitted-cross-domain-policies/CHANGELOG.md b/middlewares/x-permitted-cross-domain-policies/CHANGELOG.md index 94be14c..9ced42b 100644 --- a/middlewares/x-permitted-cross-domain-policies/CHANGELOG.md +++ b/middlewares/x-permitted-cross-domain-policies/CHANGELOG.md 
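Review bot: In the x-frame-options hunk the `action` field loses its explanatory comment while the runtime stays wider than the new type. The `toUpperCase()` normalisation on the context line still accepts any casing, and the tests in this commit show the hyphenated `same-origin` spelling being accepted too. A short comment on the field, such as `// Typed as lowercase only; other casings are still normalized at runtime for untyped callers.`, would record that this is intentional. The `typeof action === "string"` guard is now only reachable by untyped callers, which is worth noting next to it so it is not later removed as dead code. `getHeaderValueFromOptions` continues outside the hunk, so how a non-string `action` is handled is not visible here.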
@@ -2,9 +2,13 @@ ## Unreleased +### Changed + +- **Breaking:** increase TypeScript strictness around arguments. Only affects TypeScript users. See [helmetjs/helmet#369](https://github.com/helmetjs/helmet/issues/369) + ### Removed -- Dropped support for old Node versions. Node 10+ is now required +- Dropped support for old Node versions. Node 14+ is now required ## 0.5.0 - 2019-09-01 diff --git a/middlewares/x-permitted-cross-domain-policies/index.ts b/middlewares/x-permitted-cross-domain-policies/index.ts index b991daa..96c0c44 100644 --- a/middlewares/x-permitted-cross-domain-policies/index.ts +++ b/middlewares/x-permitted-cross-domain-policies/index.ts @@ -1,7 +1,7 @@ import { IncomingMessage, ServerResponse } from "http"; export interface XPermittedCrossDomainPoliciesOptions { - permittedPolicies?: string; + permittedPolicies?: "none" | "master-only" | "by-content-type" | "all"; } const ALLOWED_PERMITTED_POLICIES = new Set([ diff --git a/test/cross-origin-embedder-policy.test.ts b/test/cross-origin-embedder-policy.test.ts index 692cb35..7cc52b3 100644 --- a/test/cross-origin-embedder-policy.test.ts +++ b/test/cross-origin-embedder-policy.test.ts @@ -18,7 +18,7 @@ describe("Cross-Origin-Embedder-Policy middleware", () => { ); }); - ["require-corp", "credentialless"].forEach((policy) => { + (["require-corp", "credentialless"] as const).forEach((policy) => { it(`sets "Cross-Origin-Embedder-Policy: ${policy}" when told to`, async () => { await check(crossOriginEmbedderPolicy({ policy }), { "cross-origin-embedder-policy": policy, diff --git a/test/cross-origin-opener-policy.test.ts b/test/cross-origin-opener-policy.test.ts index ff57056..07ff10a 100644 --- a/test/cross-origin-opener-policy.test.ts +++ b/test/cross-origin-opener-policy.test.ts 
@@ -15,7 +15,7 @@ describe("Cross-Origin-Opener-Policy middleware", () => { ); }); - ["same-origin", "same-origin-allow-popups", "unsafe-none"].forEach( + (["same-origin", "same-origin-allow-popups", "unsafe-none"] as const).forEach( (policy) => { it(`sets "Cross-Origin-Opener-Policy: ${policy}" when told to`, async () => { await check(crossOriginOpenerPolicy({ policy }), { diff --git a/test/cross-origin-resource-policy.test.ts b/test/cross-origin-resource-policy.test.ts index f1eb4b6..f725b23 100644 --- a/test/cross-origin-resource-policy.test.ts +++ b/test/cross-origin-resource-policy.test.ts @@ -18,7 +18,7 @@ describe("Cross-Origin-Resource-Policy middleware", () => { ); }); - ["same-origin", "same-site", "cross-origin"].forEach((policy) => { + (["same-origin", "same-site", "cross-origin"] as const).forEach((policy) => { it(`sets "Cross-Origin-Resource-Policy: ${policy}" when told to`, async () => { await check(crossOriginResourcePolicy({ policy }), { "cross-origin-resource-policy": policy, diff --git a/test/referrer-policy.test.ts b/test/referrer-policy.test.ts index 0b300fc..fb07ca4 100644 --- a/test/referrer-policy.test.ts +++ b/test/referrer-policy.test.ts @@ -17,17 +17,19 @@ describe("Referrer-Policy middleware", () => { }); }); - [ - "no-referrer", - "no-referrer-when-downgrade", - "same-origin", - "origin", - "strict-origin", - "origin-when-cross-origin", - "strict-origin-when-cross-origin", - "unsafe-url", - "", - ].forEach((policy) => { + ( + [ + "no-referrer", + "no-referrer-when-downgrade", + "same-origin", + "origin", + "strict-origin", + "origin-when-cross-origin", + "strict-origin-when-cross-origin", + "unsafe-url", + "", + ] as const + ).forEach((policy) => { it(`can set the header to "${policy}" by specifying it as a string`, async () => { await check(referrerPolicy({ policy }), { "referrer-policy": policy, diff --git a/test/x-frame-options.test.ts b/test/x-frame-options.test.ts index fc09583..7277ffc 100644 --- a/test/x-frame-options.test.ts 
+++ b/test/x-frame-options.test.ts @@ -18,38 +18,42 @@ describe("X-Frame-Options middleware", () => { }); it('can set "X-Frame-Options: DENY"', async () => { - await check(xFrameOptions({ action: "DENY" }), { + await check(xFrameOptions({ action: "deny" }), { "x-frame-options": "DENY", }); - await check(xFrameOptions({ action: "deny" }), { + + // These are not allowed by the types, but are supported. + await check(xFrameOptions({ action: "DENY" as any }), { "x-frame-options": "DENY", }); - await check(xFrameOptions({ action: "deNY" }), { + await check(xFrameOptions({ action: "deNY" as any }), { "x-frame-options": "DENY", }); }); it('can set "X-Frame-Options: SAMEORIGIN" when specified', async () => { - await check(xFrameOptions({ action: "SAMEORIGIN" }), { + await check(xFrameOptions({ action: "sameorigin" }), { "x-frame-options": "SAMEORIGIN", }); - await check(xFrameOptions({ action: "sameorigin" }), { + + // These are not allowed by the types, but are supported. + await check(xFrameOptions({ action: "SAMEORIGIN" as any }), { "x-frame-options": "SAMEORIGIN", }); - await check(xFrameOptions({ action: "sameORIGIN" }), { + await check(xFrameOptions({ action: "sameORIGIN" as any }), { "x-frame-options": "SAMEORIGIN", }); - await check(xFrameOptions({ action: "SAME-ORIGIN" }), { + await check(xFrameOptions({ action: "SAME-ORIGIN" as any }), { "x-frame-options": "SAMEORIGIN", }); - await check(xFrameOptions({ action: "same-origin" }), { + await check(xFrameOptions({ action: "same-origin" as any }), { "x-frame-options": "SAMEORIGIN", }); }); it("throws when passed invalid actions", () => { for (const action of ["allow-from", "ALLOW-FROM"]) { - expect(() => xFrameOptions({ action })).toThrow( + expect(() => xFrameOptions({ action: action as any })).toThrow( /^X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See for more info.$/ ); } 
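Review bot: The `as any` casts in the `DENY`, `SAMEORIGIN` and `ALLOW-FROM` cases switch type checking off for those arguments, so these tests would still pass if `action` were widened back to `string`. If the test files are type-checked, a `// @ts-expect-error` line above each call, with the plain literal kept, allows the call and also fails the build once the type stops rejecting the value. For example, `// @ts-expect-error uppercase is rejected by the types but accepted at runtime` would sit above `await check(xFrameOptions({ action: "DENY" }), {`. That turns the existing comment "These are not allowed by the types, but are supported" into something the compiler verifies.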
diff --git a/test/x-permitted-cross-domain-policies.test.ts b/test/x-permitted-cross-domain-policies.test.ts index 13c49d0..ac74fa6 100644 --- a/test/x-permitted-cross-domain-policies.test.ts +++ b/test/x-permitted-cross-domain-policies.test.ts @@ -18,7 +18,7 @@ describe("X-Permitted-Cross-Domain-Policies middleware", () => { ); }); - ["none", "master-only", "by-content-type", "all"].forEach( + (["none", "master-only", "by-content-type", "all"] as const).forEach( (permittedPolicies) => { it(`sets "X-Permitted-Cross-Domain-Policies: ${permittedPolicies}" when told to`, async () => { await check(xPermittedCrossDomainPolicies({ permittedPolicies }), {