FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348)

If force_https is enabled, all resources (including markdown preview and so on) will be accessed using HTTPS

If for any reason you attempt to link to non-HTTPS-reachable content, that content may appear broken

diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index f3382e3..daebd99 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -8,6 +8,7 @@ class ContentSecurityPolicy
     def initialize(base_url:)
       @base_url = base_url
       @directives = {}.tap do |directives|
+        directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
         directives[:base_uri] = [:none]
         directives[:object_src] = [:none]
         directives[:script_src] = script_src
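Review bot: the new entry is added with an empty value list (`directives[:upgrade_insecure_requests] = []`), while every other directive in this block carries at least one source, so it is worth confirming that the policy serializer renders a value-less directive as the bare token `upgrade-insecure-requests` (no trailing space or empty value) rather than skipping it; the spec in this change only checks the parsed form, not the emitted header. The setting is also read once in `initialize`, so a change to `force_https` is only reflected in policy objects built afterwards; that is fine if a fresh instance is built per request, but a short comment on that line would save the next reader from wondering whether the directive is cached. Since this directive only tells the browser to upgrade fetches and does not rewrite stored links, the commit message's note that non-HTTPS content may appear broken belongs in the `force_https` setting description where an admin will see it.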
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index c203c85..32a4db4 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -32,6 +32,18 @@ describe ContentSecurityPolicy do
     end
   end
 
+  describe 'upgrade-insecure-requests' do
+    it 'is not included when force_https is off' do
+      SiteSetting.force_https = false
+      expect(parse(policy)['upgrade-insecure-requests']).to eq(nil)
+    end
+
+    it 'is included when force_https is on' do
+      SiteSetting.force_https = true
+      expect(parse(policy)['upgrade-insecure-requests']).to eq([])
+    end
+  end
+
   describe 'worker-src' do
     it 'has expected values' do
       worker_srcs = parse(policy)['worker-src']
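Review bot: both examples assign `SiteSetting.force_https` directly without restoring it; unless the suite resets site settings between examples, the `true` case leaks into the `worker-src` block below and any later spec. The `eq([])` assertion also only checks the parser's representation of a value-less directive; a stronger check would assert that the rendered policy string contains the literal `upgrade-insecure-requests` token, and an example that makes no assignment would document which behaviour ships by default.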

GitHub sha: 6f764790548ebe28bb4d2679210425eccf3ee45a

This commit appears in #13348 which was approved by ZogStriP. It was merged by SamSaffron.