mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 11:05:45 +00:00
tsweb: relax CSP for debug handlers (#8649)
Allow inline CSS for debug handlers to make prototyping easier. These are generally not accessible to the public and the small risk of CSS injection via user content seems acceptable. Also allow form submissions on the same domain, instead of banning all forms. An example of such form is http://webhooks.corp.ts.net:6359/debug/private-nodes/ Updates #3576 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
parent
9ab70212f4
commit
7c04846eac
@ -98,7 +98,7 @@ func (d *DebugHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// entry in /debug/ for it.
|
||||
func (d *DebugHandler) Handle(slug, desc string, handler http.Handler) {
|
||||
href := "/debug/" + slug
|
||||
d.mux.Handle(href, Protected(BrowserHeaderHandler(handler)))
|
||||
d.mux.Handle(href, Protected(debugBrowserHeaderHandler(handler)))
|
||||
d.URL(href, desc)
|
||||
}
|
||||
|
||||
@ -141,3 +141,17 @@ func gcHandler(w http.ResponseWriter, r *http.Request) {
|
||||
runtime.GC()
|
||||
w.Write([]byte("Done.\n"))
|
||||
}
|
||||
|
||||
// debugBrowserHeaderHandler is a wrapper around BrowserHeaderHandler with a
|
||||
// more relaxed Content-Security-Policy that's acceptable for internal debug
|
||||
// pages. It should not be used on any public-facing handlers!
|
||||
func debugBrowserHeaderHandler(h http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
AddBrowserHeaders(w)
|
||||
// The only difference from AddBrowserHeaders is that this policy
|
||||
// allows inline CSS styles. They make debug pages much easier to
|
||||
// prototype, while the risk of user-injected CSS is relatively low.
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'; style-src 'self' 'unsafe-inline'")
|
||||
h.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
@ -435,7 +435,7 @@ func VarzHandler(w http.ResponseWriter, r *http.Request) {
|
||||
// https://infosec.mozilla.org/guidelines/web_security
|
||||
func AddBrowserHeaders(w http.ResponseWriter) {
|
||||
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
|
||||
w.Header().Set("X-Frame-Options", "DENY")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user