dep: closes #11577

Breaking: Cross-Origin-Embedder-Policy middleware is now disabled by default. See #411
2025-11-03 04:25:55 +01:00 · 2023-05-10 17:42:56 -04:00
parent 90e53177fc
commit ad1ae29105
2 changed files with 2 additions and 4 deletions
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -192,11 +192,9 @@ function setupHelmet(app) {
 		crossOriginOpenerPolicy: { policy: meta.config['cross-origin-opener-policy'] },
 		crossOriginResourcePolicy: { policy: meta.config['cross-origin-resource-policy'] },
 		referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+		crossOriginEmbedderPolicy: !!meta.config['cross-origin-embedder-policy'],
 	};

-	if (!meta.config['cross-origin-embedder-policy']) {
-		options.crossOriginEmbedderPolicy = false;
-	}
 	if (meta.config['hsts-enabled']) {
 		options.hsts = {
 			maxAge: meta.config['hsts-maxage'],