Comments (8)
If you want no CSP, you don't need to include the middleware. Is there a reason why you want this middleware if it's empty?
We're using directives other than the sandbox attribute. This was just to show that sandbox is always added. You'll have the same problem if you have a config with `script-src` and others.
This brings up a good question about what to do on IE. We've got a few options:
- Leave things as is, which @ibash points out has some undesirable behavior.
- If you don't supply a `sandbox` attribute, the header will be useless on IE (and might as well be removed), but won't break IE. We could remove it or include it, it doesn't matter much.
- If you don't specify `sandbox`, try to guess it for IE (and be liberal with what you allow). For example, if your `script-src` is `none`, then you shouldn't `allow-scripts` in the sandbox. To reiterate, this should only happen if (1) you're on IE (2) you didn't specify the `sandbox` directive.
I feel like the last option is probably what people want, but it has the potential to be buggy and introduce errant behavior. I think option 2 is probably the best.
Thoughts?
@ibash, for now, you can probably do something like this:
app.use(helmet.csp({
  // set sandbox explicitly so the value sent to IE is the one you chose
  sandbox: ['allow-forms']
}));
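The three IE options Evan lays out, as an added illustration that is not helmet's own code: a minimal CSP serializer with one builder per option, run over the same directive config. The function names, the `isIE` user-agent check and the `allow-*` heuristic in option 3 are assumptions made for this example.

```javascript
// Added example, not helmet's code. Directive names are CSP's own; the helper
// names, the IE sniff and the option-3 heuristic are assumptions.

// "name v1 v2; name2 v3" -- a directive with no values serializes to its bare name.
const serializeCsp = (directives) =>
  Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ');

const isIE = (userAgent) => /MSIE |Trident\//.test(userAgent || '');

// Option 1 (the behaviour the issue reports): sandbox is appended for IE even
// when the config never mentions it. A bare "sandbox" carries no allow-* flags
// and is the most restrictive form, so a page that only wanted script-src
// loses forms, scripts and same-origin access on IE.
function buildAlwaysSandbox(config, userAgent) {
  const directives = { ...config };
  if (isIE(userAgent) && !('sandbox' in directives)) directives.sandbox = [];
  return serializeCsp(directives);
}

// Option 2 (what the thread settles on): emit only what the user configured.
// Without a sandbox directive IE ignores the header: nothing breaks, but
// nothing is enforced there either.
function buildExplicitOnly(config) {
  return serializeCsp(config);
}

// Option 3: guess a liberal sandbox for IE from the other directives, e.g.
// withhold allow-scripts only when script-src is 'none'. This is the variant
// the thread calls potentially buggy; the flag list here is assumed.
function buildGuessedSandbox(config, userAgent) {
  const directives = { ...config };
  if (isIE(userAgent) && !('sandbox' in directives)) {
    const scripts = directives['script-src'] || [];
    const flags = ['allow-forms', 'allow-same-origin', 'allow-popups'];
    if (!scripts.includes("'none'")) flags.push('allow-scripts');
    directives.sandbox = flags;
  }
  return serializeCsp(directives);
}
```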
I say ditto on option 2. Since csp is still relatively new I think it makes more sense to let users make the judgement call as to what happens (by making it more configurable).
With some good documentation that shouldn't be a problem, want me to write up a pull request?
On Fri, Apr 25, 2014 at 2:35 PM, Evan Hahn wrote:
> This brings up a good question about what to do on IE. We've got a few options:
> - Leave things as is, which @ibash points out has some undesirable behavior.
> - If you don't supply a `sandbox` attribute, the header will be useless on IE (and might as well be removed), but won't break IE. We could remove it or include it, it doesn't matter much.
> - If you don't specify `sandbox`, try to guess it for IE (and be liberal with what you allow). For example, if your `script-src` is `none`, then you shouldn't `allow-scripts` in the sandbox. To reiterate, this should only happen if (1) you're on IE (2) you didn't specify the `sandbox` directive.
> I feel like the last option is probably what people want, but it has the potential to be buggy and introduce errant behavior. I think option 2 is probably the best.
> Thoughts?
Sure! I'd imagine the PR is just removing the code that always adds `sandbox` to IE.
@EvanHahn pull request attached, take a look and let me know what you think.
Closing this; let's move discussion to the PR.
Okay -- as a side note another common practice is to leave issues open until they're fixed by a commit message: i.e. "fixes #42"