From 9ea3942b1af1ef4d84b191bc336203a3867c9cce Mon Sep 17 00:00:00 2001
From: Will Norris
Date: Wed, 23 Aug 2023 14:05:23 -0700
Subject: [PATCH] client/web: don't require secure cookies for csrf

Under normal circumstances, you would typically want to keep the default behavior of requiring secure cookies. In the case of the Tailscale web client, we are regularly serving on localhost (where secure cookies don't really matter), and/or we are behind a reverse proxy running on a network appliance like a NAS or Home Assistant. In those cases, those devices are regularly accessed over local IP addresses without https configured, so would not work with secure cookies.

Updates tailscale/corp#13775

Signed-off-by: Will Norris
---
 client/web/web.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/client/web/web.go b/client/web/web.go
index 27aa8bff4..cb64b8e1d 100644
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -77,9 +77,12 @@ func NewServer(devMode bool, lc *tailscale.LocalClient) (s *Server, cleanup func
 	cleanup = s.startDevServer()
 	s.addProxyToDevServer()
 
-	// Create new handler for "/api" requests.
-	// And protect with gorilla csrf.
-	csrfProtect := csrf.Protect(csrfKey())
+	// Create handler for "/api" requests with CSRF protection.
+	// We don't require secure cookies, since the web client is regularly used
+	// on network appliances that are served on local non-https URLs.
+	// The client is secured by limiting the interface it listens on,
+	// or by authenticating requests before they reach the web client.
+	csrfProtect := csrf.Protect(csrfKey(), csrf.Secure(false))
 	s.apiHandler = csrfProtect(&api{s: s})
 	}
 	s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
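Review bot: `csrf.Secure(false)` is applied unconditionally, so the CSRF cookie is issued without the Secure attribute even when the web client is reached over HTTPS, where the old default would have kept the cookie off plaintext connections. The new comment justifies this with how the client is deployed (interface binding or upstream authentication), but nothing in NewServer checks either condition, so the weakening silently travels with any future listener or proxy setup. Consider deriving the flag from the serving mode rather than hard-coding it, or at minimum record the assumption as a maintainer-facing marker, e.g. `// TODO: tie csrf.Secure to whether this listener terminates TLS instead of disabling it for all deployments.` The enclosing function (and the block closed by the `}` before IncrementCounter) begins outside the hunk, so I cannot confirm which code path this branch covers.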