FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348)

If force_https is enabled all resource (including markdown preview and so on) will be accessed using HTTPS If for any reason you attempt to link to non HTTPS reachable content content may appear broken
2025-06-03 02:48:28 +08:00 · 2021-06-09 20:53:10 -04:00
parent 2a4a20ad67
commit 6f76479054
2 changed files with 13 additions and 0 deletions
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@ -32,6 +32,18 @@ describe ContentSecurityPolicy do
    end
  end

+  describe 'upgrade-insecure-requests' do
+    it 'is not included when force_https is off' do
+      SiteSetting.force_https = false
+      expect(parse(policy)['upgrade-insecure-requests']).to eq(nil)
+    end
+
+    it 'is included when force_https is on' do
+      SiteSetting.force_https = true
+      expect(parse(policy)['upgrade-insecure-requests']).to eq([])
+    end
+  end
+
  describe 'worker-src' do
    it 'has expected values' do
      worker_srcs = parse(policy)['worker-src']