From 0b61f48129e666eed4c34dbbf759ab0013153022 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Tue, 4 May 2021 11:10:53 +0200
Subject: Fix upgradeInsecureRequests CSP directive

The `upgradeInsecureRequests` option of Helmets CSP middleware
was a boolean in Helmet 3, but with Helmet 4,
everything changed to lists.
This commit adjusts the addUpgradeUnsafeRequestsOptionTo
function accordingly.

Closes #1221

See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy

Signed-off-by: David Mehren <git@herrmehren.de>
---
 lib/csp.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/csp.js b/lib/csp.js
index 108f2a22..08efdd79 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -85,9 +85,9 @@ function getCspNonce (req, res) {
 
 function addUpgradeUnsafeRequestsOptionTo (directives) {
   if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
-    directives.upgradeInsecureRequests = true
+    directives.upgradeInsecureRequests = []
   } else if (config.csp.upgradeInsecureRequests === true) {
-    directives.upgradeInsecureRequests = true
+    directives.upgradeInsecureRequests = []
   }
 }
 
-- 
cgit v1.2.3