mirrors/tailscale
1
0
Fork 0
Code Issues Pull Requests Projects Wiki Activity

tsweb: relax CSP for debug handlers (#8649)

Browse Source 
Allow inline CSS for debug handlers to make prototyping easier. These
are generally not accessible to the public and the small risk of CSS
injection via user content seems acceptable.

Also allow form submissions on the same domain, instead of banning all
forms. An example of such form is
http://webhooks.corp.ts.net:6359/debug/private-nodes/

Updates #3576

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
2023-07-19 11:58:29 -07:00
committed by GitHub
parent 9ab70212f4
commit 7c04846eac
2 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tsweb/tsweb.go
View File

@ -435,7 +435,7 @@ func VarzHandler(w http.ResponseWriter, r *http.Request) {
// https://infosec.mozilla.org/guidelines/web_security
func AddBrowserHeaders(w http.ResponseWriter) {
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-Content-Type-Options", "nosniff")
}