helmet: Allow referrerPolicy.policy to be an array of strings (#44235)

* Setting a referrer policy as an array of strings is permitted. This will result in a comma-separated list of policies, where the last policy understood by the browser would be the one applied. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy, "Specifying a fallback policy". * Added a test for when referrerPolicy.policy is an array of strings.
2026-02-06 10:56:53 +00:00 · 2020-04-26 12:20:57 -05:00 · 2020-04-26 12:20:57 -05:00 · 02f28e78a6
commit 02f28e78a6
parent 5acdc8f0a7
2 changed files with 3 additions and 2 deletions
--- a/types/helmet/helmet-tests.ts
+++ b/types/helmet/helmet-tests.ts
@ -232,7 +232,8 @@ function noSniffTest() {
 * @summary Test for {@see helmet#referrerPolicy} function.
 */
 function referrerPolicyTest() {
-    app.use(helmet.referrerPolicy({ policy: 'same-origin' }))
+    app.use(helmet.referrerPolicy({ policy: 'same-origin' }));
+    app.use(helmet.referrerPolicy({ policy: ['no-referrer', 'origin', 'strict-origin', 'strict-origin-when-cross-origin'] }));
 }

 /**
--- a/types/helmet/index.d.ts
+++ b/types/helmet/index.d.ts
@ -168,7 +168,7 @@ declare namespace helmet {
    }

    export interface IHelmetReferrerPolicyConfiguration {
-        policy?: string;
+        policy?: string | string[];
    }

    export interface IHelmetXssFilterConfiguration {