client/web: add some security checks for full client

Require that requests to servers in manage mode are made to the
Tailscale IP (either ipv4 or ipv6) or quad-100. Also set various
security headers on those responses.  These might be too restrictive,
but we can relax them as needed.

Allow requests to /ok (even in manage mode) with no checks. This will be
used for the connectivity check from a login client to see if the
management client is reachable.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>

ipn/ipnlocal/web_client_stub.go

@@ -12,6 +12,8 @@ import (
 	"tailscale.com/client/tailscale"
 )
 
+const webClientPort = 5252
+
 type webClient struct{}
 
 func (b *LocalBackend) SetWebLocalClient(lc *tailscale.LocalClient) {}