From 3177e50b1402052bca4fd2cfb69279bd82380f73 Mon Sep 17 00:00:00 2001
From: Patrick O'Doherty <patrick@tailscale.com>
Date: Fri, 9 May 2025 13:44:36 -0700
Subject: [PATCH] safeweb: Set Cross-Origin-Opener-Policy for browser requests
 (#15936)

Set Cross-Origin-Opener-Policy: same-origin for all browser requests to
prevent window.location manipulation by malicious origins.

Updates tailscale/corp#28480

Thank you to Triet H.M. Pham for the report.

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
---
 safeweb/http.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/safeweb/http.go b/safeweb/http.go
index 143c4dcee..d085fcb88 100644
--- a/safeweb/http.go
+++ b/safeweb/http.go
@@ -376,6 +376,7 @@ func (s *Server) serveBrowser(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Security-Policy", s.csp)
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Referer-Policy", "same-origin")
+	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	if s.SecureContext {
 		w.Header().Set("Strict-Transport-Security", cmp.Or(s.StrictTransportSecurityOptions, DefaultStrictTransportSecurityOptions))
 	}