diff --git a/CHANGELOG.md b/CHANGELOG.md
index 50404aa..7fedbc3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Changed
 - **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369)
+- `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
 ### Removed
diff --git a/middlewares/x-frame-options/CHANGELOG.md b/middlewares/x-frame-options/CHANGELOG.md
index 0a90132..5fc9019 100644
--- a/middlewares/x-frame-options/CHANGELOG.md
+++ b/middlewares/x-frame-options/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Changed
 - **Breaking:** increase TypeScript strictness around arguments. Only affects TypeScript users. See [helmetjs/helmet#369](https://github.com/helmetjs/helmet/issues/369)
+- No longer offer a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
 ## 4.0.0 - 2020-12-21
diff --git a/middlewares/x-frame-options/index.ts b/middlewares/x-frame-options/index.ts
index 6638c41..57062a9 100644
--- a/middlewares/x-frame-options/index.ts
+++ b/middlewares/x-frame-options/index.ts
@@ -16,10 +16,6 @@ function getHeaderValueFromOptions({
 case "DENY":
 case "SAMEORIGIN":
 return normalizedAction;
- case "ALLOW-FROM":
- throw new Error(
- "X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See for more info."
- );
 default:
 throw new Error(
 `X-Frame-Options received an invalid action ${JSON.stringify(action)}`
diff --git a/test/x-frame-options.test.ts b/test/x-frame-options.test.ts
index 7277ffc..528f53d 100644
--- a/test/x-frame-options.test.ts
+++ b/test/x-frame-options.test.ts
@@ -52,16 +52,12 @@ describe("X-Frame-Options middleware", () => {
 });
 it("throws when passed invalid actions", () => {
- for (const action of ["allow-from", "ALLOW-FROM"]) {
- expect(() => xFrameOptions({ action: action as any })).toThrow(
- /^X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See for more info.$/
- );
- }
-
 for (const action of [
 "",
 "foo",
 " deny",
+ "allow-from",
+ "ALLOW-FROM",
 123,
 null,
 new String("SAMEORIGIN"),
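Review bot: The new `"allow-from"` and `"ALLOW-FROM"` entries in the invalid-actions list are now the only place that records this value as rejected on purpose, and nothing next to them says so. A one-line comment above the two entries, e.g. `// ALLOW-FROM is rejected deliberately (poor browser support); CSP frame-ancestors is the replacement`, would stop a later cleanup from treating them as arbitrary junk values and dropping the coverage. The loop body and its assertion lie outside this hunk, so it cannot be confirmed from here whether the expected message is pinned for these two values or only the fact that something is thrown.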