Stop setting Cross-Origin-Embedder-Policy by default in next major version

[EvanHahn]

This has caused lots of problems for people.

The middleware should still be there, but it should be disabled by default.

[EvanHahn]

This is done in the v7 branch. See #412.

[EvanHahn]

Merged in 61357a5.

[stfsy]

@EvanHahn Curious what kind of problem it has caused, if you are available to elaborate in a few sentences

[EvanHahn]

Good question.

Many users (especially those on Stack Overflow) had a lot of trouble with this header because of the way they were loading cross-origin resources. Helmet is supposed to be easy-to-use and this was causing a lot of trouble for a lot of people, which is why I changed the default.

[stfsy]

@EvanHahn understood, thank you

[lorand-horvath]

@stfsy It's great you've brought this up. I've had my fair share of issues with COEP, specifically having Helmet 5 & 6 setting the Cross-Origin-Embedder-Policy header to require-corp by default. This blocked cross-origin embedded iframes in my case and couldn't figure out what the issue was until I stumbled on @EvanHahn 's explanation on SO https://stackoverflow.com/questions/70752770/helmet-express-err-blocked-by-response-notsameorigin-200

The following solved the issue relatively painlessly:

app.use(
  helmet({
    crossOriginEmbedderPolicy: false
  })
);

Helmet 7 comes with COEP disabled out of the box.

[PulastTiwari]

@EvanHahn could you elaborate how to disable the COEP for .html files. I couldn't find resources to assist me in this. I referred and got to know about the issue from here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

It's showing as default in VScode

[EvanHahn]

@PulastTiwari Could you please open a new issue to discuss this? Please include your Helmet configuration, too—it will make it easier to answer your question.