X-Frame-Options: stop special-casing ALLOW-FROM

EvanHahn · EvanHahn · commit 14cc64233ae1 · 2022-08-26T15:08:47.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Changed
 
 - **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369)
+- `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
 
 ### Removed
 
diff --git a/middlewares/x-frame-options/CHANGELOG.md b/middlewares/x-frame-options/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Changed
 
 - **Breaking:** increase TypeScript strictness around arguments. Only affects TypeScript users. See [helmetjs/helmet#369](https://github.com/helmetjs/helmet/issues/369)
+- No longer offer a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
 
 ## 4.0.0 - 2020-12-21
 
diff --git a/middlewares/x-frame-options/index.ts b/middlewares/x-frame-options/index.ts
@@ -16,10 +16,6 @@ function getHeaderValueFromOptions({
     case "DENY":
     case "SAMEORIGIN":
       return normalizedAction;
-    case "ALLOW-FROM":
-      throw new Error(
-        "X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See <https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive> for more info."
-      );
     default:
       throw new Error(
         `X-Frame-Options received an invalid action ${JSON.stringify(action)}`
diff --git a/test/x-frame-options.test.ts b/test/x-frame-options.test.ts
@@ -52,16 +52,12 @@ describe("X-Frame-Options middleware", () => {
   });
 
   it("throws when passed invalid actions", () => {
-    for (const action of ["allow-from", "ALLOW-FROM"]) {
-      expect(() => xFrameOptions({ action: action as any })).toThrow(
-        /^X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See <https:\/\/github.com\/helmetjs\/helmet\/wiki\/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive> for more info.$/
-      );
-    }
-
     for (const action of [
       "",
       "foo",
       " deny",
+      "allow-from",
+      "ALLOW-FROM",
       123,
       null,
       new String("SAMEORIGIN"),
