From 23bf86a8a834a4fce9a4716c9863f020f93cf2e4 Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Thu, 31 May 2018 00:44:48 -0400
Subject: [PATCH] Add upgrade-insecure-requests to CSP when HTTPS is enabled

This option automatically upgrades all http connections to https. It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
---
 src/webui/webapplication.cpp | 4 ++++
 src/webui/webapplication.h | 1 +
 2 files changed, 5 insertions(+)

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 4d7e3b588..b5ddf7717 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -432,6 +432,7 @@ void WebApplication::configure()
 m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
 m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+ m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -539,6 +540,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
 header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
 csp += QLatin1String(" frame-ancestors 'self';");
 }
+ if (m_isHttpsEnabled) {
+ csp += QLatin1String(" upgrade-insecure-requests;");
+ }
 header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index eabb08cd1..7713cd72b 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -146,4 +146,5 @@ private:
 // security related
 bool m_isClickjackingProtectionEnabled;
 bool m_isCSRFProtectionEnabled;
+ bool m_isHttpsEnabled;
 };
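Review bot: The new `if (m_isHttpsEnabled)` block in processRequest() appends `upgrade-insecure-requests` on the strength of the cached preference alone, and nothing at the call site says why the directive is conditional; a one-line comment would help, e.g. `// upgrade-insecure-requests: browsers rewrite http:// subresource and same-origin navigation URLs to https:// before fetching; only meaningful when this server itself terminates TLS`. The directive only governs requests initiated by pages that carry this CSP, so a user typing a plain http:// address for the WebUI is not covered by it; if that exposure matters, a `Strict-Transport-Security` header on HTTPS responses is the usual complement, and the commit message's "ensures http urls cannot be accessed" reads stronger than what the directive provides. When TLS is terminated by a reverse proxy in front of the WebUI, `isWebUiHttpsEnabled()` would presumably be false and the directive not sent — worth confirming whether that deployment is intended to be in scope. processRequest()'s body starts and ends outside the hunk.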
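Review bot: `bool m_isHttpsEnabled;` in webapplication.h is added without an initializer, so until configure() has run it holds an indeterminate value, and processRequest() reads it when building the CSP; unless the constructor initializes these members (not visible here), prefer `bool m_isHttpsEnabled = false;` so the directive is simply absent rather than dependent on uninitialized memory. The two sibling members on the lines above follow the same uninitialized pattern, so this may be an existing convention backed by the constructor — if so, that is the place to confirm the new member is covered.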