zyachel / quetre

A libre front-end for Quora
https://quetre.iket.me
GNU Affero General Public License v3.0

Fix Tor instances #60

Closed ghost closed 1 year ago

ghost commented 1 year ago

@zyachel

Closes #58 Related to #59

Before merging this, we should be sure that this is safe to do, because this disables the Upgrade insecure requests helmetjs directive.

I'll test this with Lokinet and I2P too.

ghost commented 1 year ago

@zyachel Please note that I couldn't test this with I2P/Lokinet (I simply couldn't configure it), although, it should work just fine.

If somebody encounters an issue with an I2P/Lokinet instance, please, feel free to file a bug.

gi-yt commented 1 year ago

I do not know much JS, but maybe forcing https only if domain is !.onion would work

ghost commented 1 year ago

> I do not know much JS, but maybe forcing https only if domain is !.onion would work

Sadly, I don't know how to do that, this is just a quick improper fix. See issue #59 for proper methods.

zyachel commented 1 year ago

The problem is upgrade-insecure-requests and block-all-mixed-content directives in CSP header.

You can do something like this to disable selected directives:

  const helmet = require('helmet');

  // helmet's contentSecurityPolicy merges these with its defaults;
  // null removes a directive, [] emits a value-less directive.
  app.use(
    helmet({
      contentSecurityPolicy: {
        directives: {
          'script-src': ["'self'", 'cdn.jsdelivr.net'],
          'block-all-mixed-content': null, // deprecated.
          // empty string in .env is falsy, so the upgrade stays on by default
          'upgrade-insecure-requests': process.env.NO_UPGRADE ? null : [],
        },
      },
      crossOriginEmbedderPolicy: false,
    })
  );

and in .env & .env.example add the corresponding flag like this:

# add any value here (e.g. 1, true, 'por favor') if you're using any service where http is the preferred method, else leave it blank
NO_UPGRADE=

I've tested it and it seems to work (for .onion).
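As an added illustration (not quetre's code), the following combines the NO_UPGRADE flag above with gi-yt's idea of deciding per host: it builds the CSP directive map in the shape helmet's contentSecurityPolicy takes and serialises it the way helmet does (null directives omitted), so you can see exactly which header a clearnet request and an .onion/.i2p/.loki request would get. The helper names and the overlay-suffix list are this example's own assumptions.

```javascript
// Added example, not part of the quetre project. Decides whether the
// HTTPS-upgrade directives belong in the CSP for a given request host,
// then renders the header value helmet would emit for that decision.

const OVERLAY_SUFFIXES = ['.onion', '.i2p', '.loki']; // assumed list for the example

// True when the request is served over an overlay network that provides its
// own transport encryption and normally has no TLS certificate to upgrade to.
function isOverlayHost(host) {
  if (!host) return false;
  const name = host.split(':')[0].toLowerCase(); // drop any :port suffix
  return OVERLAY_SUFFIXES.some((suffix) => name.endsWith(suffix));
}

// Per-request decision: the global NO_UPGRADE opt-out wins (an empty value in
// .env is falsy, so upgrades stay on by default); otherwise clearnet hosts
// keep the upgrade and overlay hosts do not.
function shouldUpgrade(host, env = process.env) {
  if (env.NO_UPGRADE) return false;
  return !isOverlayHost(host);
}

// Directive map in helmet's format: null removes a directive, [] emits a
// value-less one such as upgrade-insecure-requests.
function cspDirectives(host, env = process.env) {
  return {
    'default-src': ["'self'"],
    'script-src': ["'self'", 'cdn.jsdelivr.net'],
    'block-all-mixed-content': null, // deprecated; never emitted
    'upgrade-insecure-requests': shouldUpgrade(host, env) ? [] : null,
  };
}

// Render the map as a Content-Security-Policy header value, skipping null
// entries, which mirrors how helmet treats directives set to null.
function cspHeaderValue(directives) {
  return Object.entries(directives)
    .filter(([, value]) => value !== null)
    .map(([name, value]) => (value.length ? `${name} ${value.join(' ')}` : name))
    .join('; ');
}

// Show both outcomes side by side on constructed hostnames.
console.log('clearnet:', cspHeaderValue(cspDirectives('quetre.iket.me', {})));
console.log('onion:   ', cspHeaderValue(cspDirectives('example.onion', {})));
```

To wire it into express, pass `cspDirectives(req.hostname)` into helmet's `contentSecurityPolicy.directives` inside a per-request middleware rather than once at startup.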