Merge pull request #24723 from backstage/fix-csp-camelCase

Added support for camerCase csp in app-config

.changeset/olive-pants-leave.md

@@ -0,0 +1,11 @@
+---
+'@backstage/backend-app-api': patch
+---
+
+Added support for camel case CSP directives in app-config. For example:
+
+```yaml
+backend:
+  csp:
+    upgradeInsecureRequests: false
+```

packages/backend-app-api/src/http/readHelmetOptions.test.ts

@@ -47,7 +47,8 @@ describe('readHelmetOptions', () => {
       csp: {
         key: ['value'],
         'img-src': false,
-        'script-src-attr': ['custom'],
+        scriptSrcAttr: ['custom'],
+        'object-src': ['asd'],
       },
     });
     expect(readHelmetOptions(config)).toEqual({
@@ -58,7 +59,7 @@ describe('readHelmetOptions', () => {
           'base-uri': ["'self'"],
           'font-src': ["'self'", 'https:', 'data:'],
           'frame-ancestors': ["'self'"],
-          'object-src': ["'none'"],
+          'object-src': ['asd'],
           'script-src': ["'self'", "'unsafe-eval'"],
           'style-src': ["'self'", 'https:', "'unsafe-inline'"],
           'script-src-attr': ['custom'],

packages/backend-app-api/src/http/readHelmetOptions.ts

@@ -18,6 +18,7 @@ import { Config } from '@backstage/config';
 import helmet from 'helmet';
 import { HelmetOptions } from 'helmet';
 import { ContentSecurityPolicyOptions } from 'helmet/dist/types/middlewares/content-security-policy';
+import kebabCase from 'lodash/kebabCase';
 
 /**
  * Attempts to read Helmet options from the backend configuration object.
@@ -97,10 +98,11 @@ export function applyCspDirectives(
 
   if (directives) {
     for (const [key, value] of Object.entries(directives)) {
+      const kebabCaseKey = kebabCase(key);
       if (value === false) {
-        delete result[key];
+        delete result[kebabCaseKey];
       } else {
-        result[key] = value;
+        result[kebabCaseKey] = value;
       }
     }
   }