From e0baa58a43deed1585454b14e61600fd18d72e79 Mon Sep 17 00:00:00 2001
From: Max Kukartsev
Date: Sun, 5 Nov 2023 05:20:16 -0800
Subject: [PATCH] Support `unsafe-none` in COEP
`unsafe-none` is a valid value for `Cross-Origin-Embedder-Policy`, so add support for it. See [#446][0] and [#447][1].
[0]: https://github.com/helmetjs/helmet/issues/446
[1]: https://github.com/helmetjs/helmet/pull/447
---
 middlewares/cross-origin-embedder-policy/index.ts | 8 ++++++--
 test/cross-origin-embedder-policy.test.ts | 14 ++++++++------
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/middlewares/cross-origin-embedder-policy/index.ts b/middlewares/cross-origin-embedder-policy/index.ts
index 4617b2a..3de7049 100644
--- a/middlewares/cross-origin-embedder-policy/index.ts
+++ b/middlewares/cross-origin-embedder-policy/index.ts
@@ -1,10 +1,14 @@
 import type { IncomingMessage, ServerResponse } from "http";
 export interface CrossOriginEmbedderPolicyOptions {
- policy?: "require-corp" | "credentialless";
+ policy?: "require-corp" | "credentialless" | "unsafe-none";
 }
-const ALLOWED_POLICIES = new Set(["require-corp", "credentialless"]);
+const ALLOWED_POLICIES = new Set([
+ "require-corp",
+ "credentialless",
+ "unsafe-none",
+]);
 function getHeaderValueFromOptions({
 policy = "require-corp",
diff --git a/test/cross-origin-embedder-policy.test.ts b/test/cross-origin-embedder-policy.test.ts
index 69524fd..379a4a8 100644
--- a/test/cross-origin-embedder-policy.test.ts
+++ b/test/cross-origin-embedder-policy.test.ts
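Review bot: The `policy` field of `CrossOriginEmbedderPolicyOptions` in middlewares/cross-origin-embedder-policy/index.ts now accepts `"unsafe-none"` with no comment telling callers that this value switches the protection off. `unsafe-none` is the browser's default for this header, so a response carrying it does not require CORP/CORS opt-in from embedded cross-origin resources and the document cannot become cross-origin isolated. I would add a TSDoc line above the field, for example `/** "unsafe-none" matches the browser default and disables embedder-policy enforcement; prefer "require-corp" or "credentialless". */`. As a point of style, the union type and `ALLOWED_POLICIES` now repeat the same three literals and can drift apart; deriving both from a single `as const` list would keep the runtime check and the type in step. The body of `getHeaderValueFromOptions` continues outside the hunk, so the validation that consults `ALLOWED_POLICIES` is not visible here.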
@@ -18,13 +18,15 @@ describe("Cross-Origin-Embedder-Policy middleware", () => {
 );
 });
- (["require-corp", "credentialless"] as const).forEach((policy) => {
- it(`sets "Cross-Origin-Embedder-Policy: ${policy}" when told to`, async () => {
- await check(crossOriginEmbedderPolicy({ policy }), {
- "cross-origin-embedder-policy": policy,
+ (["require-corp", "credentialless", "unsafe-none"] as const).forEach(
+ (policy) => {
+ it(`sets "Cross-Origin-Embedder-Policy: ${policy}" when told to`, async () => {
+ await check(crossOriginEmbedderPolicy({ policy }), {
+ "cross-origin-embedder-policy": policy,
+ });
 });
- });
- });
+ },
+ );
 it("throws when setting the policy to an invalid value", () => {
 const invalidValues = [