Remove default upgrade-insecure-requests

Co-authored-by: Mike Lewis <mtlewis@users.noreply.github.com> Co-authored-by: Himanshu Mishra <himanshu@orkohunter.net> Signed-off-by: Tim Hansen <timbonicus@gmail.com>
2021-06-04 10:19:16 -06:00
parent 997be24a6e
commit 92963779b5
4 changed files with 15 additions and 3 deletions
@@ -0,0 +1,13 @@
+---
+'@backstage/backend-common': patch
+---
+
+Omit the `upgrade-insecure-requests` Content-Security-Policy directive by default, to prevent automatic HTTPS request upgrading for HTTP-deployed Backstage sites.
+
+If you previously disable this using `false` in your `app-config.yaml`, this line is no longer necessary:
+
+```diff
+backend:
+  csp:
+-    upgrade-insecure-requests: false
+```
@@ -37,6 +37,8 @@ backend:
    credentials: true
  csp:
    connect-src: ["'self'", 'http:', 'https:']
+    # Other Content-Security-Policy directives can be added according to the Helmet format:
+    # https://helmetjs.github.io/#reference
  reading:
    allow:
      - host: example.com
@@ -80,6 +80,4 @@ backend:
    origin: https://your-public-url.com:3000
 ```

-If the protocol is `http`, you will need to set `backend.csp.upgrade-insecure-requests` to `false` as well.
-
 The app port must proxy web socket connections in order to make hot reloading work.
@@ -55,7 +55,6 @@ const DEFAULT_CSP = {
  'script-src': ["'self'", "'unsafe-eval'"],
  'script-src-attr': ["'none'"],
  'style-src': ["'self'", 'https:', "'unsafe-inline'"],
-  'upgrade-insecure-requests': [] as string[],
 };

 export class ServiceBuilderImpl implements ServiceBuilder {