FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348)

If force_https is enabled all resource (including markdown preview and so on) will be accessed using HTTPS

If for any reason you attempt to link to non HTTPS reachable content content may appear broken

lib/content_security_policy/default.rb

@@ -8,6 +8,7 @@ class ContentSecurityPolicy
     def initialize(base_url:)
       @base_url = base_url
       @directives = {}.tap do |directives|
+        directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
         directives[:base_uri] = [:none]
         directives[:object_src] = [:none]
         directives[:script_src] = script_src

spec/lib/content_security_policy_spec.rb

@@ -32,6 +32,18 @@ describe ContentSecurityPolicy do
     end
   end
 
+  describe 'upgrade-insecure-requests' do
+    it 'is not included when force_https is off' do
+      SiteSetting.force_https = false
+      expect(parse(policy)['upgrade-insecure-requests']).to eq(nil)
+    end
+
+    it 'is included when force_https is on' do
+      SiteSetting.force_https = true
+      expect(parse(policy)['upgrade-insecure-requests']).to eq([])
+    end
+  end
+
   describe 'worker-src' do
     it 'has expected values' do
       worker_srcs = parse(policy)['worker-src']