sa6anw/hedgedoc-hedgeagent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix upgradeInsecureRequests CSP directive

Browse Source 
The `upgradeInsecureRequests` option of Helmets CSP middleware
was a boolean in Helmet 3, but with Helmet 4,
everything changed to lists.
This commit adjusts the addUpgradeUnsafeRequestsOptionTo
function accordingly.

Closes #1221

See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy

Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren
2021-05-04 11:10:53 +02:00
parent e6d4ac5f9a
commit 0b61f48129
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/csp.js
View File

@@ -85,9 +85,9 @@ function getCspNonce (req, res) {
function addUpgradeUnsafeRequestsOptionTo (directives) { function addUpgradeUnsafeRequestsOptionTo (directives) {
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) { if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
directives.upgradeInsecureRequests = true directives.upgradeInsecureRequests = []
} else if (config.csp.upgradeInsecureRequests === true) { } else if (config.csp.upgradeInsecureRequests === true) {
directives.upgradeInsecureRequests = true directives.upgradeInsecureRequests = []
} }
} }