Closed EvanHahn closed 4 months ago
Two things to note:

`structuredClone` API provided by Node does perform a deep copy but doesn't copy functions. Is that a deal breaker?

You could cause a problem if you mutate one of the arrays. For example:
```js
const one = getDefaultDirectives();
one["script-src"].push("https://garbage.example");
const two = getDefaultDirectives();
console.log(two["script-src"]);
// => ["'self'", "https://garbage.example"]
```
Done in d9319b801c3c2dfef3ab23bdd29f1de99c94e95b/#465.
`getDefaultDirectives` returns a shallow copy: https://github.com/helmetjs/helmet/blob/6475da1139677ff4b9da71d4dc7cb58d3c9aef54/middlewares/content-security-policy/index.ts#L71
Someone could mutate this object and cause chaos. We should:
`getDefaultDirectives` again.

This is technically a breaking change so it should be made against the `v8.0.0` branch.
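
The aliasing problem in this thread, as an added example that is not helmet's code: a shallow copy lets one caller's mutation reach the next caller's `script-src`, a per-array copy does not, and `structuredClone` throws on function values. The directive list, the nonce-style function value and the helper names (`makeDefaults`, `shallowGetter`, `deepGetter`, `secondCallerSees`, `structuredCloneError`) are constructed for illustration.

```javascript
// Added example: stand-in defaults, not helmet's real directive list.
function makeDefaults() {
  return {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
  };
}

// Shallow copy: a new outer object whose arrays are still the shared ones.
function shallowGetter(defaults) {
  return () => ({ ...defaults });
}

// Deep copy: fresh arrays on every call. Values that are not arrays are
// passed through by reference.
function deepGetter(defaults) {
  return () =>
    Object.fromEntries(
      Object.entries(defaults).map(([name, value]) => [
        name,
        Array.isArray(value) ? [...value] : value,
      ])
    );
}

// Mutate the first result the way the thread does, then return what a
// second caller receives for script-src.
function secondCallerSees(makeGetter) {
  const getDirectives = makeGetter(makeDefaults());
  const one = getDirectives();
  one["script-src"].push("https://garbage.example");
  return getDirectives()["script-src"];
}

// structuredClone deep-copies plain data but throws on function values.
function structuredCloneError(value) {
  try {
    structuredClone(value);
    return null;
  } catch (err) {
    return err.name; // "DataCloneError"
  }
}

console.log(secondCallerSees(shallowGetter)); // second caller inherits the extra source
console.log(secondCallerSees(deepGetter)); // second caller gets untouched defaults
console.log(structuredCloneError({ "script-src": [() => "'nonce-constructed'"] }));
```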