From 7cb07d5294f96065a3a0e0a6cbbe4690d00b77ef Mon Sep 17 00:00:00 2001
From: Blaine Bublitz
Date: Tue, 3 Dec 2024 09:20:50 -0700
Subject: [PATCH] fix(nosecone)!: Remove upgradeInsecureRequests default value

---
 nosecone/index.ts              |  1 -
 nosecone/test/nosecone.test.ts | 13 +++++--------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/nosecone/index.ts b/nosecone/index.ts
index 6b3267b36..68026cd7f 100644
--- a/nosecone/index.ts
+++ b/nosecone/index.ts
@@ -429,7 +429,6 @@ const directives = {
   scriptSrc: ["'self'"],
   styleSrc: ["'self'"],
   workerSrc: ["'self'"],
-  upgradeInsecureRequests: true,
 } as const;
 
 export const defaults = {
diff --git a/nosecone/test/nosecone.test.ts b/nosecone/test/nosecone.test.ts
index f64805bbe..294344b2b 100644
--- a/nosecone/test/nosecone.test.ts
+++ b/nosecone/test/nosecone.test.ts
@@ -33,7 +33,7 @@ describe("nosecone", () => {
     const policy = createContentSecurityPolicy();
     assert.deepStrictEqual(policy, [
       "content-security-policy",
-      "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; upgrade-insecure-requests;",
+      "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self';",
     ]);
   });
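Review bot: Dropping the `upgradeInsecureRequests: true` default leaves the `directives` object with no comment saying the directive is now opt-in, and the commit description gives no reason, so consumers that rely on `defaults` get a CSP without upgrade-insecure-requests and nothing in the code points them at the knob. Suggest a comment just above the `} as const;` line, e.g. `// upgradeInsecureRequests is deliberately not defaulted; set upgradeInsecureRequests: true for HTTPS-only sites that want http: subresource requests upgraded rather than blocked as mixed content.` Because the subject marks this as a breaking change, the same one-line rationale belongs in the release notes so downstream security reviews can spot the posture change. The `directives` declaration starts above this hunk.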
@@ -41,7 +41,7 @@ describe("nosecone", () => {
     const policy = createContentSecurityPolicy({});
     assert.deepStrictEqual(policy, [
       "content-security-policy",
-      "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; upgrade-insecure-requests;",
+      "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self';",
     ]);
   });
@@ -552,7 +552,7 @@ describe("nosecone", () => {
     assert.deepStrictEqual(Array.from(headers.entries()), [
       [
         "content-security-policy",
-        "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; upgrade-insecure-requests;",
+        "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self';",
       ],
       ["cross-origin-embedder-policy", "require-corp"],
       ["cross-origin-opener-policy", "same-origin"],
@@ -574,7 +574,7 @@ describe("nosecone", () => {
     assert.deepStrictEqual(Array.from(headers.entries()), [
       [
         "content-security-policy",
-        "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; upgrade-insecure-requests;",
+        "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self';",
       ],
       ["cross-origin-embedder-policy", "require-corp"],
       ["cross-origin-opener-policy", "same-origin"],
@@ -629,7 +629,7 @@ describe("nosecone", () => {
     assert.deepStrictEqual(Array.from(headers.entries()), [
       [
         "content-security-policy",
-        "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; upgrade-insecure-requests;",
+        "base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self';",
       ],
       ["cross-origin-embedder-policy", "require-corp"],
       ["cross-origin-opener-policy", "same-origin"],
@@ -703,7 +703,6 @@ describe("nosecone", () => {
           objectSrc: ["'none'"],
           scriptSrc: ["'self'", "https://vercel.live"],
           styleSrc: ["'self'", "https://vercel.live", "'unsafe-inline'"],
-          upgradeInsecureRequests: true,
           workerSrc: ["'self'"],
         },
       },
@@ -922,7 +921,6 @@ describe("nosecone", () => {
           objectSrc: ["'none'"],
           scriptSrc: ["'self'", "https://vercel.live"],
           styleSrc: ["'self'", "https://vercel.live", "'unsafe-inline'"],
-          upgradeInsecureRequests: true,
           workerSrc: ["'self'"],
         },
       },
@@ -965,7 +963,6 @@ describe("nosecone", () => {
           objectSrc: ["'none'"],
           scriptSrc: ["'self'", "https://vercel.live"],
           styleSrc: ["'self'", "https://vercel.live", "'unsafe-inline'"],
-          upgradeInsecureRequests: true,
           workerSrc: ["'self'"],
         },
       },