Closed BBosman closed 2 years ago
@BBosman why not just add this to your policy config?
```js
policy: {
  'base-uri': "'self'",
  'object-src': "'none'",
  'script-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
  'style-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
  'upgrade-insecure-requests': []
},
```
Wouldn't that work above? I just did it and it produced this...
```html
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
object-src 'none'; script-src 'self' https: 'nonce-d9jxN8cqF4Lcixfi0+Rx2Q==';
style-src 'self' https: *.googleapis.com 'nonce-Pjzirc+Fa1JGW9x7dvH5kg==' 'nonce-UhE6yprNh+mr8d3IQWW6ag=='; default-src 'none';
connect-src 'self' https:; worker-src 'self' blob:; img-src 'self' blob: data: content:; font-src 'self';
frame-src 'self' https://www.google.com/;
upgrade-insecure-requests ">
```
Because it's a Boolean property I never thought of trying to configure it with just an empty array. :astonished:
Maybe adding a sentence or two on this to the docs would be a good idea to help others facing the same issue in the future, but as my issue is solved without code changes I'll close out this PR.
Ha yeah I just took a guess and tried it! Glad it helped you out.
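Why an empty array yields a bare directive, shown as an added example that is not part of the thread and not the plugin's own code. `buildCsp` and `parseCsp` are hypothetical helpers, and the assumption is that each directive is serialized as its name followed by its space-joined values.

```javascript
// Hypothetical serializer (assumption: name + space-joined values per directive).
// A value may be a string, an array of strings, or an empty array.
function buildCsp(policy) {
  const parts = [];
  for (const [name, value] of Object.entries(policy)) {
    if (!/^[a-z][a-z0-9-]*$/.test(name)) {
      throw new Error(`invalid directive name: ${name}`);
    }
    const sources = Array.isArray(value) ? value : [value];
    for (const s of sources) {
      // A ';' or ',' inside a value would start a new directive or policy.
      if (typeof s !== 'string' || /[;,]/.test(s) || s.trim() === '') {
        throw new Error(`invalid value for ${name}: ${JSON.stringify(s)}`);
      }
    }
    // Empty array: nothing to join, so only the directive name is emitted.
    parts.push([name, ...sources].join(' '));
  }
  return parts.join('; ');
}

// Parse a serialized policy back into a Map of directive name -> value list,
// so a build step can check that a valueless directive survived.
function parseCsp(content) {
  const directives = new Map();
  for (const chunk of content.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Policy object from the comment above.
const policy = {
  'base-uri': "'self'",
  'object-src': "'none'",
  'script-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
  'style-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
  'upgrade-insecure-requests': []
};

const csp = buildCsp(policy);
const parsed = parseCsp(csp);
console.log(csp);
```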
Summary
Add support for `upgrade-insecure-requests` (details). As it's a directive without values (it's either present, or it's not) it didn't feel right to add it to the regular directives as it would require quite a bit of code changes to support Boolean directives, so I decided to add it to the additional options.
Requirements (place an `x` in each `[ ]`)