Disable Cross-Origin-Embedder-Policy by default

See [#411](#411).

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Changed
+
+- **Breaking:** `Cross-Origin-Embedder-Policy` middleware is now disabled by default. See [#411](https://github.com/helmetjs/helmet/issues/411)
+
 ### Removed
 
 - **Breaking:** Drop support for Node 14 and 15. Node 16+ is now required

README.md

@@ -27,7 +27,6 @@ You can also `require("helmet")` if you prefer.
 By default, Helmet sets the following headers:
 
 - [`Content-Security-Policy`](#content-security-policy): A powerful allow-list of what can happen on your page which mitigates many attacks
-- [`Cross-Origin-Embedder-Policy`](#cross-origin-embedder-policy): Controls cross-origin loading of resources, like images
 - [`Cross-Origin-Opener-Policy`](#cross-origin-opener-policy): Helps process-isolate your page
 - [`Cross-Origin-Resource-Policy`](#cross-origin-resource-policy): Blocks others from loading your resources cross-origin
 - [`Origin-Agent-Cluster`](#origin-agent-cluster): Changes process isolation to be origin-based
@@ -195,24 +194,22 @@ You can use this as standalone middleware with `app.use(helmet.contentSecurityPo
 <details id="cross-origin-embedder-policy">
 <summary><code>Cross-Origin-Embedder-Policy</code></summary>
 
-Default:
-
-```http
-Cross-Origin-Embedder-Policy: require-corp
-```
+This header is not set by default.
 
-The `Cross-Origin-Embedder-Policy` header helps control what resources, such as images, can be loaded cross-origin. See [MDN's article on this header](https://developer.cdn.mozilla.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) for more.
+The `Cross-Origin-Embedder-Policy` header helps control what resources can be loaded cross-origin. See [MDN's article on this header](https://developer.cdn.mozilla.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) for more.
 
 ```js
+// Helmet does not set Cross-Origin-Embedder-Policy
+// by default.
+app.use(helmet());
+
 // Sets "Cross-Origin-Embedder-Policy: require-corp"
 app.use(helmet({ crossOriginEmbedderPolicy: true }));
 
 // Sets "Cross-Origin-Embedder-Policy: credentialless"
 app.use(helmet({ crossOriginEmbedderPolicy: { policy: "credentialless" } }));
 ```
 
-This header will still be around in the next version of Helmet, but will be off by default.
-
 You can use this as standalone middleware with `app.use(helmet.crossOriginEmbedderPolicy())`.
 
 </details>

index.ts

@@ -152,11 +152,11 @@ function getMiddlewareFunctionsFromOptions(
 
   switch (options.crossOriginEmbedderPolicy) {
     case undefined:
+    case false:
+      break;
     case true:
       result.push(crossOriginEmbedderPolicy());
       break;
-    case false:
-      break;
     default:
       result.push(crossOriginEmbedderPolicy(options.crossOriginEmbedderPolicy));
       break;

test/index.test.ts

@@ -23,14 +23,14 @@ import xXssProtection from "../middlewares/x-xss-protection";
 describe("helmet", () => {
   const topLevel = helmet.default;
 
-  it("includes all middleware with their default options", async () => {
+  it("includes all middleware, except COEP, with their default options", async () => {
     // NOTE: This test relies on the CSP object being ordered a certain way,
     // which could change (and be non-breaking). If that becomes a problem,
     // we should update this test to be more robust.
     const expectedHeaders = {
       "content-security-policy":
         "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
-      "cross-origin-embedder-policy": "require-corp",
+      "cross-origin-embedder-policy": null,
       "cross-origin-opener-policy": "same-origin",
       "cross-origin-resource-policy": "same-origin",
       "origin-agent-cluster": "?1",
@@ -100,7 +100,7 @@ describe("helmet", () => {
     });
   });
 
-  it("allows Cross-Origin-Embedder-Policy middleware to be enabled", async () => {
+  it("allows Cross-Origin-Embedder-Policy middleware to be explicitly enabled", async () => {
     await check(topLevel({ crossOriginEmbedderPolicy: true }), {
       "cross-origin-embedder-policy": "require-corp",
     });