Don't set upgrade_insecure_requests for HTTP requests

Copilot · fletchto99 · Copilot · commit a8c6a2205003 · 2025-12-17T20:00:09.000Z
Co-authored-by: fletchto99 &lt;718681+fletchto99@users.noreply.github.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,4 @@ coverage
 pkg
 rdoc
 spec/reports
+vendor/bundle
diff --git a/lib/secure_headers.rb b/lib/secure_headers.rb
@@ -133,6 +133,7 @@ def opt_out_of_all_protection(request)
     # request.
     #
     # StrictTransportSecurity is not applied to http requests.
+    # upgrade_insecure_requests is not applied to http requests.
     # See #config_for to determine which config is used for a given request.
     #
     # Returns a hash of header names => header values. The value
@@ -146,6 +147,22 @@ def header_hash_for(request)
 
       if request.scheme != HTTPS
         headers.delete(StrictTransportSecurity::HEADER_NAME)
+        
+        # Remove upgrade_insecure_requests from CSP headers for HTTP requests
+        # as it doesn't make sense to upgrade requests when the page itself is served over HTTP
+        if !config.csp.opt_out? && config.csp.directive_value(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS)
+          modified_csp_config = config.csp.dup
+          modified_csp_config.update_directive(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS, false)
+          header_name, value = ContentSecurityPolicy.make_header(modified_csp_config)
+          headers[header_name] = value if header_name && value
+        end
+        
+        if !config.csp_report_only.opt_out? && config.csp_report_only.directive_value(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS)
+          modified_csp_report_only_config = config.csp_report_only.dup
+          modified_csp_report_only_config.update_directive(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS, false)
+          header_name, value = ContentSecurityPolicy.make_header(modified_csp_report_only_config)
+          headers[header_name] = value if header_name && value
+        end
       end
       headers
     end
diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
@@ -436,6 +436,68 @@ module SecureHeaders
 
           end
         end
+
+        it "does not set upgrade-insecure-requests if request is over HTTP" do
+          reset_config
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w('self'),
+              upgrade_insecure_requests: true
+            }
+          end
+          
+          plaintext_request = Rack::Request.new({})
+          hash = SecureHeaders.header_hash_for(plaintext_request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src 'self'")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).not_to include("upgrade-insecure-requests")
+        end
+
+        it "sets upgrade-insecure-requests if request is over HTTPS" do
+          reset_config
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w('self'),
+              upgrade_insecure_requests: true
+            }
+          end
+          
+          https_request = Rack::Request.new("HTTPS" => "on")
+          hash = SecureHeaders.header_hash_for(https_request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src 'self'; upgrade-insecure-requests")
+        end
+
+        it "does not set upgrade-insecure-requests in report-only mode if request is over HTTP" do
+          reset_config
+          Configuration.default do |config|
+            config.csp_report_only = {
+              default_src: %w('self'),
+              script_src: %w('self'),
+              upgrade_insecure_requests: true
+            }
+          end
+          
+          plaintext_request = Rack::Request.new({})
+          hash = SecureHeaders.header_hash_for(plaintext_request)
+          expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src 'self'")
+          expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).not_to include("upgrade-insecure-requests")
+        end
+
+        it "sets upgrade-insecure-requests in report-only mode if request is over HTTPS" do
+          reset_config
+          Configuration.default do |config|
+            config.csp_report_only = {
+              default_src: %w('self'),
+              script_src: %w('self'),
+              upgrade_insecure_requests: true
+            }
+          end
+          
+          https_request = Rack::Request.new("HTTPS" => "on")
+          hash = SecureHeaders.header_hash_for(https_request)
+          expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src 'self'; upgrade-insecure-requests")
+        end
       end
     end
 
