dep: closes #11577

Breaking: Cross-Origin-Embedder-Policy middleware is now disabled by default. See #411
2025-10-26 08:36:12 +01:00 · 2023-05-10 17:42:56 -04:00
parent 90e53177fc
commit ad1ae29105
2 changed files with 2 additions and 4 deletions
--- a/install/package.json
+++ b/install/package.json
@@ -67,7 +67,7 @@
        "file-loader": "6.2.0",
        "fs-extra": "11.1.1",
        "graceful-fs": "4.2.11",
-        "helmet": "6.2.0",
+        "helmet": "7.0.0",
        "html-to-text": "9.0.5",
        "ipaddr.js": "2.0.1",
        "jquery": "3.6.4",
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -192,11 +192,9 @@ function setupHelmet(app) {
 		crossOriginOpenerPolicy: { policy: meta.config['cross-origin-opener-policy'] },
 		crossOriginResourcePolicy: { policy: meta.config['cross-origin-resource-policy'] },
 		referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+		crossOriginEmbedderPolicy: !!meta.config['cross-origin-embedder-policy'],
 	};

-	if (!meta.config['cross-origin-embedder-policy']) {
-		options.crossOriginEmbedderPolicy = false;
-	}
 	if (meta.config['hsts-enabled']) {
 		options.hsts = {
 			maxAge: meta.config['hsts-maxage'],