client/web: add Sec-Fetch-Site CSRF protection (#16046)

RELNOTE=Fix CSRF errors in the client Web UI Replace gorilla/csrf with a Sec-Fetch-Site based CSRF protection middleware that falls back to comparing the Host & Origin headers if no SFS value is passed by the client. Add an -origin override to the web CLI that allows callers to specify the origin at which the web UI will be available if it is hosted behind a reverse proxy or within another application via CGI. Updates #14872 Updates #15065 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
2025-08-25 04:37:42 +00:00 · 2025-05-22 12:26:02 -07:00
parent 3ee4c60ff0
commit a05924a9e5
8 changed files with 184 additions and 169 deletions
--- a/client/web/src/api.ts
+++ b/client/web/src/api.ts
@@ -249,7 +249,6 @@ export function useAPI() {
  return api
 }

-let csrfToken: string
 let synoToken: string | undefined // required for synology API requests
 let unraidCsrfToken: string | undefined // required for unraid POST requests (#8062)

@@ -298,12 +297,10 @@ export function apiFetch<T>(
    headers: {
      Accept: "application/json",
      "Content-Type": contentType,
-      "X-CSRF-Token": csrfToken,
    },
    body: body,
  })
    .then((r) => {
-      updateCsrfToken(r)
      if (!r.ok) {
        return r.text().then((err) => {
          throw new Error(err)
@@ -322,13 +319,6 @@ export function apiFetch<T>(
    })
 }

-function updateCsrfToken(r: Response) {
-  const tok = r.headers.get("X-CSRF-Token")
-  if (tok) {
-    csrfToken = tok
-  }
-}
-
 export function setSynoToken(token?: string) {
  synoToken = token
 }