Skip to content

Commit

Permalink
Content-Security-Policy: remove block-all-mixed-content
Browse files Browse the repository at this point in the history
To quote [MDN][mdn]:

> Deprecated: This feature is no longer recommended. Though some
> browsers might still support it, it may have already been removed from
> relevant web standards [...]. Avoid using it, and update existing code
> if possible [...]

See [#371][371] and [#372][372].

[mdn]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
[371]: #371
[372]: #372
  • Loading branch information
fcrozatier authored and EvanHahn committed Aug 26, 2022
1 parent 14cc642 commit 3874c6b
Show file tree
Hide file tree
Showing 7 changed files with 6 additions and 11 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
### Changed

- **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369)
- **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default
- `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed

### Removed
Expand Down
5 changes: 2 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ app.use(helmet());
By default, Helmet sets the following headers:

```http
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Expand Down Expand Up @@ -155,7 +155,7 @@ Each middleware's name is listed below.
Default:

```http
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
```

`helmet.contentSecurityPolicy` sets the `Content-Security-Policy` header which helps mitigate cross-site scripting attacks, among other things. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
Expand All @@ -168,7 +168,6 @@ These directives are merged into a default policy, which you can disable by sett

default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
Expand Down
3 changes: 2 additions & 1 deletion middlewares/content-security-policy/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,11 @@

- **Breaking:** `useDefaults` option now defaults to `true`
- **Breaking:** `form-action` directive is now set to `'self'` by default
- **Breaking:** `block-all-mixed-content` is no longer set by default

### Removed

- **Breaking:** Drop support for Node 10 and 11. Node 12+ is now required
- **Breaking:** Node 14+ is now required

## 3.4.0 - 2021-05-02

Expand Down
1 change: 0 additions & 1 deletion middlewares/content-security-policy/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ If no directives are supplied, the following policy is set (whitespace added for

default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
Expand Down
1 change: 0 additions & 1 deletion middlewares/content-security-policy/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,6 @@ const DEFAULT_DIRECTIVES: Record<
> = {
"default-src": ["'self'"],
"base-uri": ["'self'"],
"block-all-mixed-content": [],
"font-src": ["'self'", "https:", "data:"],
"form-action": ["'self'"],
"frame-ancestors": ["'self'"],
Expand Down
4 changes: 0 additions & 4 deletions test/content-security-policy.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ describe("Content-Security-Policy middleware", () => {
const expectedDirectives = new Set([
"default-src 'self'",
"base-uri 'self'",
"block-all-mixed-content",
"font-src 'self' https: data:",
"form-action 'self'",
"frame-ancestors 'self'",
Expand Down Expand Up @@ -225,7 +224,6 @@ describe("Content-Security-Policy middleware", () => {
it("can override the default options", async () => {
const expectedDirectives = new Set([
"default-src 'self' example.com",
"block-all-mixed-content",
"font-src 'self' https: data:",
"form-action 'self'",
"frame-ancestors 'self'",
Expand Down Expand Up @@ -481,7 +479,6 @@ describe("Content-Security-Policy middleware", () => {
],
expectedDirectives: new Set([
"base-uri 'self'",
"block-all-mixed-content",
"font-src 'self' https: data:",
"form-action 'self'",
"frame-ancestors 'self'",
Expand Down Expand Up @@ -537,7 +534,6 @@ describe("getDefaultDirectives", () => {
it("returns the middleware's default directives", () => {
expect(getDefaultDirectives()).toEqual({
"base-uri": ["'self'"],
"block-all-mixed-content": [],
"default-src": ["'self'"],
"font-src": ["'self'", "https:", "data:"],
"form-action": ["'self'"],
Expand Down
2 changes: 1 addition & 1 deletion test/index.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ describe("helmet", () => {
// we should update this test to be more robust.
const expectedHeaders = {
"content-security-policy":
"default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
"default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
"cross-origin-embedder-policy": "require-corp",
"cross-origin-opener-policy": "same-origin",
"cross-origin-resource-policy": "same-origin",
Expand Down

0 comments on commit 3874c6b

Please sign in to comment.