feat: add ACP toggles for COEP and CORP headers

src/webserver.js

@@ -184,16 +184,21 @@ function setupExpressApp(app) {
 }
 
 function setupHelmet(app) {
+	/**
+	 * The only reason why these middlewares are all explicitly spelled out is because
+	 * helmet.contentSecurityPolicy() is too restrictive and breaks plugins.
+	 *
+	 * It should be implemented in the future... 🔜
+	 */
+	if (meta.config['cross-origin-embedder-policy']) {
+		app.use(helmet.crossOriginEmbedderPolicy());
+	}
+	app.use(helmet.crossOriginOpenerPolicy());
+	app.use(helmet.crossOriginResourcePolicy({ policy: meta.config['cross-origin-resource-policy'] }));
 	app.use(helmet.dnsPrefetchControl());
 	app.use(helmet.expectCt());
 	app.use(helmet.frameguard());
 	app.use(helmet.hidePoweredBy());
-	app.use(helmet.ieNoOpen());
-	app.use(helmet.noSniff());
-	app.use(helmet.permittedCrossDomainPolicies());
-	app.use(helmet.xssFilter());
-
-	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 	if (meta.config['hsts-enabled']) {
 		app.use(helmet.hsts({
 			maxAge: meta.config['hsts-maxage'],
@@ -201,6 +206,12 @@ function setupHelmet(app) {
 			preload: !!meta.config['hsts-preload'],
 		}));
 	}
+	app.use(helmet.ieNoOpen());
+	app.use(helmet.noSniff());
+	app.use(helmet.originAgentCluster());
+	app.use(helmet.permittedCrossDomainPolicies());
+	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
+	app.use(helmet.xssFilter());
 }