Add upgrade-insecure-requests to CSP when HTTPS is enabled

This option automatically upgrades all http connections to https.
It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.

src/webui/webapplication.cpp

@@ -431,6 +431,7 @@ void WebApplication::configure()
 
     m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
     m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+    m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }
 
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -538,6 +539,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
         header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
         csp += QLatin1String(" frame-ancestors 'self';");
     }
+    if (m_isHttpsEnabled) {
+        csp += QLatin1String(" upgrade-insecure-requests;");
+    }
 
     header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
 

src/webui/webapplication.h

@@ -146,4 +146,5 @@ private:
     // security related
     bool m_isClickjackingProtectionEnabled;
     bool m_isCSRFProtectionEnabled;
+    bool m_isHttpsEnabled;
 };