X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fcsp.ts;h=e2a75a17ebae7427e70bf6da5ca2e9782bfdd48b;hb=f89189907bbdff6c4bc6d3460ed9ef4c49515f17;hp=f5de6960311634a0fb9c7e2c11891a6be581d9cc;hpb=7cd1b12c19d0589d1d692ed0571ca0800f028aea;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index f5de69603..e2a75a17e 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -1,4 +1,4 @@
-import * as helmet from 'helmet'
+import { contentSecurityPolicy } from 'helmet'
 import { CONFIG } from '../initializers/config'
 
 const baseDirectives = Object.assign({},
@@ -19,18 +19,16 @@ const baseDirectives = Object.assign({},
     workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
   },
   CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
-  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
+  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
 )
 
-const baseCSP = helmet.contentSecurityPolicy({
+const baseCSP = contentSecurityPolicy({
   directives: baseDirectives,
-  browserSniff: false,
   reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 
-const embedCSP = helmet.contentSecurityPolicy({
+const embedCSP = contentSecurityPolicy({
   directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
-  browserSniff: false, // assumes a modern browser, but allows CDN in front
   reportOnly: CONFIG.CSP.REPORT_ONLY
 })