From 0b61f48129e666eed4c34dbbf759ab0013153022 Mon Sep 17 00:00:00 2001 From: David Mehren Date: Tue, 4 May 2021 11:10:53 +0200 Subject: [PATCH] Fix upgradeInsecureRequests CSP directive The `upgradeInsecureRequests` option of Helmets CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren --- lib/csp.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/csp.js b/lib/csp.js index 108f2a22d..08efdd795 100644 --- a/lib/csp.js +++ b/lib/csp.js @@ -85,9 +85,9 @@ function getCspNonce (req, res) { function addUpgradeUnsafeRequestsOptionTo (directives) { if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) { - directives.upgradeInsecureRequests = true + directives.upgradeInsecureRequests = [] } else if (config.csp.upgradeInsecureRequests === true) { - directives.upgradeInsecureRequests = true + directives.upgradeInsecureRequests = [] } }