I couldn't get Firefox or Edge to load the web UI until I patched the server to remove the upgrade-insecure-requests directive. It causes JS files to be loaded through HTTPS, causing an SSL handshake error.
This is the workaround I came up with:
diff --git a/server/src/index.ts b/server/src/index.ts
index 9bebb21..d0eff14 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -36,6 +36,7 @@ app.use(helmet({
crossOriginResourcePolicy: { policy: 'cross-origin' },
crossOriginEmbedderPolicy: false,
contentSecurityPolicy: {
+ useDefaults: false,
directives: {
defaultSrc: ["'self'"],
baseUri: ["'self'"],
@@ -49,7 +50,6 @@ app.use(helmet({
styleSrc: ["'self'", 'https:', "'unsafe-inline'"],
workerSrc: ["'self'", 'blob:'],
connectSrc: ["'self'", 'blob:', 'data:'],
- upgradeInsecureRequests: [],
},
},
}));
I couldn't get Firefox or Edge to load the web UI until I patched the server to remove the
upgrade-insecure-requestsdirective. It causes JS files to be loaded through HTTPS, causing an SSL handshake error.This is the workaround I came up with: