mirror of
https://github.com/tailscale/tailscale.git
synced 2025-07-29 15:23:45 +00:00

Require that all non-(GET|OPTIONS|HEAD) requests to the browser mux specify Sec-Fetch-Site=same-origin to prohibit cross-origin requests. Optionally allow for requests to specify "same-site" indicating a cross-origin request from an origin that shares a root domain with the application's own.

Updates tailscale/corp#25340
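
The check described in the commit message above, sketched as a standalone Go middleware. This is an added example, not code from the Tailscale repository; the names requireSameOrigin and status, the allowSameSite flag and the app.example.com URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireSameOrigin (hypothetical name) rejects state-changing requests unless
// the browser marked them Sec-Fetch-Site: same-origin. When allowSameSite is
// true, "same-site" (another origin under the same root domain) is accepted too.
func requireSameOrigin(next http.Handler, allowSameSite bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods are exempt from the check
			return
		}
		site := r.Header.Get("Sec-Fetch-Site")
		if site == "same-origin" || (allowSameSite && site == "same-site") {
			next.ServeHTTP(w, r)
			return
		}
		// A missing header, "cross-site", "none" and unknown values all fail closed.
		http.Error(w, "forbidden cross-origin request", http.StatusForbidden)
	})
}

// status sends one constructed request through the middleware and returns
// the HTTP status code. An empty site means the header is not sent at all.
func status(method, site string, allowSameSite bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, "http://app.example.com/api/update", nil)
	if site != "" {
		req.Header.Set("Sec-Fetch-Site", site)
	}
	rec := httptest.NewRecorder()
	requireSameOrigin(ok, allowSameSite).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("POST same-origin:", status("POST", "same-origin", false))
	fmt.Println("POST cross-site: ", status("POST", "cross-site", false))
	fmt.Println("POST no header:  ", status("POST", "", false))
	fmt.Println("POST same-site, strict: ", status("POST", "same-site", false))
	fmt.Println("POST same-site, allowed:", status("POST", "same-site", true))
}
```

Because the header is required rather than merely checked when present, a non-browser client or an older browser that omits Sec-Fetch-Site is refused on these methods as well.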