Helmet: ^5.1.1
Using NextJS with NodeJS.

Setting helmet's crossOriginEmbedderPolicy to false works to load the iframe.

app.use(
  helmet({
    crossOriginEmbedderPolicy: false,
  })
);

But can something like below be done?

app.use(
  helmet({
    crossOriginEmbedderPolicy: {
      //disable for specific site
    }
  })
);

The following solutions didn't work for me:

  1. Setting Cross-origin-Embedder-Policy and Cross-origin-Opener-Policy headers in nodejs
  2. Cross-Origin-Embedder-Policy: how to allow only certain domains?
  3. https://github.com/helmetjs/helmet/issues/198
FatFatty

1 Answer

I don't know what your software architecture is, but if you host many domains, you can introduce a configuration file in your application, like this:

config.json:

{
  "domain1": {
    "crossOrigin": true
  },
  "domain2": {
    "crossOrigin": false
  },
  "domain3": {
    "crossOrigin": true
  }
}

And then in your code for loading configuration:

const fs = require('fs');
const config = JSON.parse(fs.readFileSync(__dirname + '/config.json', 'utf8'));

Finally, set the value:

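// Build both helmet variants once, then choose one per request from the Host header.
const withPolicy = helmet({ crossOriginEmbedderPolicy: true });
const withoutPolicy = helmet({ crossOriginEmbedderPolicy: false });
app.use((request, response, next) => {
  const site = config[request.headers.host];
  // Hosts missing from config.json keep the header (assumed default).
  const crossOrigin = site ? site.crossOrigin : true;
  (crossOrigin ? withPolicy : withoutPolicy)(request, response, next);
});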
Alaindeseine
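
The per-host lookup from the answer above, as an added example that is not part of the original answer: it normalizes the client-supplied Host header and keeps Cross-Origin-Embedder-Policy on unless a host is explicitly switched off in the config. The hostnames, `normalizeHost`, `coepEnabledFor`, `perHostCoep`, `simulate` and the `fakeHelmet` stand-in are assumptions made for illustration; with the real library you would pass two `helmet(...)` instances instead of the stand-ins.

```javascript
// Constructed sample config, same shape as the answer's config.json.
const SAMPLE_CONFIG = {
  'app.example.com': { crossOrigin: true },
  'embed.example.com': { crossOrigin: false },
};

// Host is client-supplied: lowercase it, drop the port and a trailing dot,
// so "EMBED.example.com:443" matches the "embed.example.com" key.
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== 'string') return '';
  return hostHeader.trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
}

// Fail closed: only an own key with crossOrigin === false drops the header.
// Missing Host, unknown hosts and keys like "__proto__" keep it on.
function coepEnabledFor(config, hostHeader) {
  const host = normalizeHost(hostHeader);
  if (!Object.prototype.hasOwnProperty.call(config, host)) return true;
  const entry = config[host];
  return !(entry && entry.crossOrigin === false);
}

// Express-style middleware. `strict` and `relaxed` are built once at startup,
// e.g. helmet({ crossOriginEmbedderPolicy: true }) and the same with false.
function perHostCoep(config, strict, relaxed) {
  return (req, res, next) =>
    (coepEnabledFor(config, req.headers.host) ? strict : relaxed)(req, res, next);
}

// Stand-in for helmet so the example runs without dependencies (assumption:
// it reproduces only the one header discussed here).
function fakeHelmet(options) {
  return (req, res, next) => {
    if (options.crossOriginEmbedderPolicy !== false) {
      res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
    }
    next();
  };
}

// Sends one constructed request through the middleware; returns headers set.
function simulate(hostHeader) {
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  const strict = fakeHelmet({ crossOriginEmbedderPolicy: true });
  const relaxed = fakeHelmet({ crossOriginEmbedderPolicy: false });
  perHostCoep(SAMPLE_CONFIG, strict, relaxed)({ headers: { host: hostHeader } }, res, () => {});
  return headers;
}
```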