
Rocket.Chat referencing http assets when deployed over https #639

Open

wenzowski opened this issue Mar 9, 2020 · 0 comments
Comments

@wenzowski (Member) commented Mar 9, 2020

The Rocket.Chat application is intermittently making http references to images/assets while being served over https. This results in a security warning in all major browsers.

Screenshots courtesy of @garywong-bc

It's intermittent... two Chrome browser windows... screenshots taken 2 seconds apart.

[screenshot 1: insecure]

[screenshot 2: secure]

Proposed solution as discussed with @patricksimonian on RC is to add a Content-Security-Policy with an upgrade-insecure-requests directive.

This could be implemented

  1. at the cluster-wide haproxy load balancer level for all sites (using http headers)
  2. via a webserver placed in front of the node process (still using http headers)
  3. via middleware in the express layer of the node process (still using http headers)
  4. via an html tag in the RC theme (no http headers needed)

This cannot be implemented upstream as CSP reports & PRs are discouraged.

Looking at approach 4 first, are we already using a custom theme? There's a little BCDevExchange logo in the bottom left corner of every page...how is that being injected?

from RC via @wenzowski (me)

yes, seeing telltale classes like .pathfinder-terms in theme.css as well

...but upon inspection of this repo I can't find those classes or a theme.css so...is there another repo perhaps? Or some things deployed that haven't been committed?

It appears that rc-work is the branch to fork for resolution of this issue, as the RC app has its own integration branch. Also to note, @ShellyXueHan has a large open PR in progress that we should avoid creating conflicts with #603
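The four placements listed above all deliver the same policy; as an added example (not code from this issue, this repo, or Rocket.Chat), the block below shows options 3 and 4 in JavaScript, plus a small scanner that lists the plain-http subresource references a browser would flag as mixed content, so the effect can be checked against a page body offline. The `(req, res, next)` signature and the `getHeader`/`setHeader` fake response are assumptions matching an Express/Connect-style stack; `rocketchat.example` and the sample HTML are constructed for the example.

```javascript
// Added example: CSP "upgrade-insecure-requests" as middleware (option 3),
// as a <meta> tag (option 4), and a mixed-content check. Not Rocket.Chat code.

const CSP_UPGRADE = "upgrade-insecure-requests";

// Option 3: Express/Connect-style middleware (assumed signature). It appends
// the directive to a CSP header set earlier in the chain instead of replacing
// it, and does not duplicate it if it is already present.
function upgradeInsecureRequests(req, res, next) {
  const existing = res.getHeader("Content-Security-Policy");
  let value;
  if (!existing) {
    value = CSP_UPGRADE;
  } else if (/\bupgrade-insecure-requests\b/i.test(String(existing))) {
    value = String(existing);
  } else {
    value = `${String(existing).replace(/;\s*$/, "")}; ${CSP_UPGRADE}`;
  }
  res.setHeader("Content-Security-Policy", value);
  next();
}

// Option 4: the same policy as a <meta> tag for a theme/template. Browsers
// honour this directive in a meta tag (unlike e.g. frame-ancestors).
function upgradeInsecureRequestsMetaTag() {
  return `<meta http-equiv="Content-Security-Policy" content="${CSP_UPGRADE}">`;
}

// Check: list http:// and ws:// URLs in src/href/poster attributes. <a>/<area>
// are skipped because link navigations are not mixed content; everything else
// is what the browser warns about when the document itself is https.
function findInsecureReferences(html) {
  const tagRe = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
  const attrRe = /\b(?:src|href|poster)\s*=\s*["']\s*((?:http|ws):\/\/[^"'\s]+)/gi;
  const found = [];
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    if (tag === "a" || tag === "area") continue;
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(t[2])) !== null) found.push(a[1]);
  }
  return found;
}

// Minimal stand-in for a Node response object (assumption for the example);
// header names are case-insensitive, as in Node's http.ServerResponse.
function makeFakeResponse(initialHeaders = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(initialHeaders)) headers[k.toLowerCase()] = v;
  return {
    headers,
    getHeader(name) { return headers[name.toLowerCase()]; },
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Run the middleware against a response and return the resulting CSP value.
function policyAfterMiddleware(initialHeaders) {
  const res = makeFakeResponse(initialHeaders);
  let calledNext = false;
  upgradeInsecureRequests({}, res, () => { calledNext = true; });
  if (!calledNext) throw new Error("middleware did not call next()");
  return res.getHeader("Content-Security-Policy");
}

// Constructed sample page: an https deployment whose markup still carries two
// plain-http asset references (the kind of thing the screenshots above show).
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="https://rocketchat.example/theme.css">
<script src="http://rocketchat.example/packages/rocketchat_ui.js"></script>
</head><body>
<img src="http://rocketchat.example/images/logo/bcdevexchange.png">
<a href="http://rocketchat.example/terms">Terms</a>
<img src="https://rocketchat.example/avatar/wenzowski">
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("no prior CSP  :", policyAfterMiddleware({}));
  console.log("existing CSP  :", policyAfterMiddleware({ "Content-Security-Policy": "default-src 'self';" }));
  console.log("meta tag      :", upgradeInsecureRequestsMetaTag());
  console.log("mixed content :", findInsecureReferences(SAMPLE_HTML));
}
```

Options 1 and 2 are the same header set in the proxy instead: in HAProxy, `http-response set-header Content-Security-Policy upgrade-insecure-requests`; in nginx, `add_header Content-Security-Policy "upgrade-insecure-requests" always;`. Two caveats. First, the directive has to arrive on the HTML document response (the page that requests the assets); setting it on every response is harmless but setting it only on asset responses does nothing. Second, it only makes the browser rewrite its own fetches to https (including ws:// to wss://); the server keeps emitting http URLs, so it is a band-aid rather than a fix. The usual cause for this class of bug behind a TLS-terminating proxy is the app computing its absolute URL from a request it sees as plain http, so the configured site URL (ROOT_URL / Site_Url) and whether the proxy forwards the original scheme are worth checking alongside the CSP change.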
