From 8f98f87d1228aaf2b23f1044f6173984b667835c Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Thu, 31 May 2018 00:44:48 -0400
Subject: [PATCH] Add upgrade-insecure-requests to CSP when HTTPS is enabled

This option automatically upgrades all http connections to https. It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
---
 src/webui/webapplication.cpp | 4 ++++
 src/webui/webapplication.h | 1 +
 2 files changed, 5 insertions(+)
diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 983f9caaf..22d26b8b6 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -431,6 +431,7 @@ void WebApplication::configure()
     m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
     m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+    m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -538,6 +539,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
         header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
         csp += QLatin1String(" frame-ancestors 'self';");
     }
+    if (m_isHttpsEnabled) {
+        csp += QLatin1String(" upgrade-insecure-requests;");
+    }
     header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index eabb08cd1..7713cd72b 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -146,4 +146,5 @@ private:
     // security related
     bool m_isClickjackingProtectionEnabled;
     bool m_isCSRFProtectionEnabled;
+    bool m_isHttpsEnabled;
 };
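Review bot: The `upgrade-insecure-requests` directive appended to `csp` in the new `if (m_isHttpsEnabled)` block only rewrites requests issued by documents that carry this header (subresources, form submissions, navigations from the page); it does not stop a client from opening an http:// URL directly, so the "http urls cannot be accessed" guarantee rests on the listener not serving plain HTTP at all, which this hunk does not show. If that guarantee is intended, a `Strict-Transport-Security` header set alongside the CSP is the mechanism that keeps a browser on HTTPS for later visits. A comment above the block would keep the scope honest for the next maintainer, e.g. `// Upgrades http:// URLs embedded in served pages; does not by itself block direct plain-HTTP access.` processRequest begins and ends outside the hunk.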
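Review bot: `m_isHttpsEnabled` is declared without an initializer, so it holds an indeterminate value until `configure()` assigns it; if `processRequest()` can run on an instance before `configure()` has been called, the new branch that appends the CSP directive reads an uninitialized bool. An in-class initializer, `bool m_isHttpsEnabled = false;`, gives the pre-configure state a defined value at no cost. The two neighbouring flags follow the same uninitialized pattern and could be treated the same way in a follow-up. The enclosing class declaration starts outside the hunk.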