-import * as helmet from 'helmet'
+import { contentSecurityPolicy } from 'helmet'
import { CONFIG } from '../initializers/config'
const baseDirectives = Object.assign({},
workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
},
CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
- CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
+ CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
)
-const baseCSP = helmet.contentSecurityPolicy({
+const baseCSP = contentSecurityPolicy({
directives: baseDirectives,
- browserSniff: false,
reportOnly: CONFIG.CSP.REPORT_ONLY
})
-const embedCSP = helmet.contentSecurityPolicy({
+const embedCSP = contentSecurityPolicy({
directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
- browserSniff: false, // assumes a modern browser, but allows CDN in front
reportOnly: CONFIG.CSP.REPORT_ONLY
})
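Review bot: `upgradeInsecureRequests: []` on the new line 9 is conditioned only on `CONFIG.WEBSERVER.SCHEME === 'https'`, but both policies are emitted with `reportOnly: CONFIG.CSP.REPORT_ONLY`, and browsers do not act on `upgrade-insecure-requests` delivered in a `Content-Security-Policy-Report-Only` header, so an https deployment that keeps REPORT_ONLY on still issues unupgraded mixed-content requests with no report to show for it. The directive itself is correct for the helmet v4 API, so this is a documentation point rather than a code change; I would add `// no effect while CSP.REPORT_ONLY is set: browsers ignore upgrade-insecure-requests in Report-Only policies` above that line, or have the config validation warn when REPORT_ONLY and an https scheme are combined. The `Object.assign` call that builds `baseDirectives` begins before the visible lines, so I cannot confirm from here that a `defaultSrc` entry is present; helmet v4 throws at startup if it is missing, which is worth a quick check since the `browserSniff` option removed on lines 14 and 20 is the marker of the v3 to v4 migration.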