safeweb: Set Cross-Origin-Opener-Policy for browser requests (#15936)

Set Cross-Origin-Opener-Policy: same-origin for all browser requests to
prevent window.location manipulation by malicious origins.

Updates tailscale/corp#28480

Thank you to Triet H.M. Pham for the report.

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Patrick O'Doherty 2025-05-09 13:44:36 -07:00 committed by GitHub
parent 3c98964065
commit 3177e50b14


@ -376,6 +376,7 @@ func (s *Server) serveBrowser(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Security-Policy", s.csp)
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Referer-Policy", "same-origin")
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
if s.SecureContext {
w.Header().Set("Strict-Transport-Security", cmp.Or(s.StrictTransportSecurityOptions, DefaultStrictTransportSecurityOptions))
}
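Review bot: The context line directly above the new header, `w.Header().Set("Referer-Policy", "same-origin")`, misspells the standard header name — browsers only honour `Referrer-Policy` (double r), so the referrer restriction this block intends is silently not applied and the line should read `w.Header().Set("Referrer-Policy", "same-origin")`. The new `Cross-Origin-Opener-Policy: same-origin` line also severs `window.opener` between this origin and any cross-origin page that opens it or is opened by it, which is the intended effect here but would break popup-based flows (OAuth-style callbacks, for example) if safeweb ever hosts one; `same-origin-allow-popups` is the documented relaxation should that arise. A one-line comment next to the header, such as `// Isolate the browsing context group so cross-origin pages cannot reach window.opener/window.location (tailscale/corp#28480).`, would record the rationale for the next reader. serveBrowser begins before and continues past this hunk.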