Closed ghost closed 1 year ago
@zyachel Please note that I couldn't test this with I2P/Lokinet (I simply couldn't configure it), although, it should work just fine.
If somebody encounters an issue with an I2P/Lokinet instance, please, feel free to file a bug.
I do not know much JS but maybe forcing https only if domain is !.onion would work
> I do not know much JS but maybe forcing https only if domain is !.onion would work

Sadly, I don't know how to do that; this is just a quick, improper fix. See issue #59 for proper methods.
The problem is the `upgrade-insecure-requests` and `block-all-mixed-content` directives in the CSP header.
You can do something like this to disable selected directives:

```js
helmet({
  contentSecurityPolicy: {
    directives: {
      'script-src': ["'self'", 'cdn.jsdelivr.net'],
      'block-all-mixed-content': null, // deprecated; null removes the directive
      'upgrade-insecure-requests': process.env.NO_UPGRADE ? null : [],
    },
  },
  crossOriginEmbedderPolicy: false,
})
```
and in `.env` & `.env.example` add the corresponding flag like this:

```sh
# add any value here (e.g.: 1, true, 'por favor') if you're using any service where http is the preferred method, else leave it blank
NO_UPGRADE=
```
I've tested it and it seems to work (for .onion).
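An added example (not code from this PR or from helmet) of the per-host variant suggested earlier in the thread: instead of a global `NO_UPGRADE` flag, `upgrade-insecure-requests` is dropped only when the request's `Host` is an overlay-network name, so clearnet visitors keep the upgrade. The suffix list, the `default-src` directive and the `cspMiddleware`/`demo` helpers are assumptions for illustration.

```javascript
// Added example: build the CSP header per request rather than via a global env flag.
// Overlay suffixes are an assumption; list only the networks you actually serve.
const OVERLAY_SUFFIXES = ['.onion', '.i2p', '.loki'];

// Same directives as the PR's helmet config, without the deprecated
// block-all-mixed-content (which helmet drops when it is set to null).
const BASE_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'cdn.jsdelivr.net'],
};

function isOverlayHost(hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  // Strip a trailing ":port" and lower-case before checking the suffix.
  const host = hostHeader.replace(/:\d+$/, '').toLowerCase();
  return OVERLAY_SUFFIXES.some((suffix) => host.endsWith(suffix));
}

function buildCspDirectives(hostHeader) {
  const directives = { ...BASE_DIRECTIVES };
  // Clearnet visitors still get the upgrade; overlay visitors reach us over
  // plain HTTP, so upgrading would break every sub-resource load.
  if (!isOverlayHost(hostHeader)) {
    directives['upgrade-insecure-requests'] = [];
  }
  return directives;
}

function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(' ')}` : name))
    .join('; ');
}

// Express-style middleware; req/res are plain objects below so it runs offline.
function cspMiddleware(req, res, next) {
  res.setHeader('Content-Security-Policy', serializeCsp(buildCspDirectives(req.headers.host)));
  next();
}

// Constructed sample requests: one clearnet host, three overlay hosts.
function demo() {
  const out = {};
  for (const host of ['example.com', 'abcdefghijklmnop.onion:80', 'site.i2p', 'site.loki']) {
    const res = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
    cspMiddleware({ headers: { host } }, res, () => {});
    out[host] = res.headers['Content-Security-Policy'];
  }
  return out;
}
```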
@zyachel
Closes #58 Related to #59
Before merging this, we should be sure that this is safe to do, because this disables the Upgrade insecure requests helmetjs directive.
I'll test this with Lokinet and I2P too.