From 50fcdebdb18ce7581f338d473680fb08046f4d08 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 25 Aug 2020 13:54:59 +0200
Subject: Update server dependencies
---
 server/initializers/config.ts | 2 +-
 server/middlewares/csp.ts | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
(limited to 'server')
diff --git a/server/initializers/config.ts b/server/initializers/config.ts
index 04ba605b6..b40e525a5 100644
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -125,7 +125,7 @@ const CONFIG = {
 CSP: {
 ENABLED: config.get('csp.enabled'),
 REPORT_ONLY: config.get('csp.report_only'),
- REPORT_URI: config.get('csp.report_uri')
+ REPORT_URI: config.get('csp.report_uri')
 },
 TRACKER: {
 ENABLED: config.get('tracker.enabled'),
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index f5de69603..0ee44bf47 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -19,18 +19,16 @@ const baseDirectives = Object.assign({},
 workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
 },
 CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
- CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
+ CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
 )
 const baseCSP = helmet.contentSecurityPolicy({
 directives: baseDirectives,
- browserSniff: false,
 reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 const embedCSP = helmet.contentSecurityPolicy({
 directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
- browserSniff: false, // assumes a modern browser, but allows CDN in front
 reportOnly: CONFIG.CSP.REPORT_ONLY
 })
-- 
cgit v1.2.3
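Review bot: In the server/middlewares/csp.ts hunk, the empty array in `{ upgradeInsecureRequests: [] }` reads like a disabled or empty directive, although the https condition around it shows it is meant to switch the directive on, and nothing in the hunk explains why the value changed from `true`. A one-line comment would keep a later cleanup from dropping it, for example `// valueless directive: the empty list emits a bare upgrade-insecure-requests`. The dependency bump that presumably motivates this is not in the visible diff (the page is limited to 'server'), so it is worth confirming against the installed helmet version that the response header still carries `upgrade-insecure-requests` and the `report-uri` value built from `CONFIG.CSP.REPORT_URI`. The `baseDirectives` expression starts above the hunk.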