| author | Patrick O'Doherty <patrick@tailscale.com> | 2025-05-22 12:26:02 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-05-22 12:26:02 -0700 |
| commit | a05924a9e5018da6f64fd92eb9ba37e599cab567 (patch) | |
| tree | cbde6e6df234c63dbc35f60b439898c9f86105a8 /control/controlhttp/controlhttpserver/controlhttpserver.go | |
| parent | 3ee4c60ff0257d11842523c1c59492345030dce2 (diff) | |
| download | tailscale-a05924a9e5018da6f64fd92eb9ba37e599cab567.tar.xz tailscale-a05924a9e5018da6f64fd92eb9ba37e599cab567.zip | |
client/web: add Sec-Fetch-Site CSRF protection (#16046)
RELNOTE=Fix CSRF errors in the client Web UI
Replace gorilla/csrf with a Sec-Fetch-Site based CSRF protection
middleware that falls back to comparing the Host & Origin headers if no
SFS value is passed by the client.
Add an -origin override to the web CLI that allows callers to specify
the origin at which the web UI will be available if it is hosted behind
a reverse proxy or within another application via CGI.
Updates #14872
Updates #15065
Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions
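The check the commit message describes, Sec-Fetch-Site first with a fallback to comparing Origin against Host, as an added Go illustration that is not the commit's own code. The names csrfAllowed, csrfProtect and originHostMatches are hypothetical, and the overrideOrigin parameter stands in for the -origin override for reverse-proxy and CGI deployments.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// originHostMatches reports whether the Origin header names the same host
// (including any port) as the host the UI is expected to be served at.
func originHostMatches(origin, expectedHost string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, expectedHost)
}

// csrfAllowed accepts a state-changing request only if it came from the UI's
// own origin: it trusts Sec-Fetch-Site when the browser sends it and otherwise
// falls back to comparing Origin against Host (or overrideOrigin, if set).
func csrfAllowed(r *http.Request, overrideOrigin string) bool {
	switch r.Method { // safe methods do not change state
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	if sfs := r.Header.Get("Sec-Fetch-Site"); sfs != "" {
		return sfs == "same-origin" || sfs == "none" // "none": user-initiated navigation
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false // neither signal present: cannot verify, so refuse
	}
	expected := r.Host
	if u, err := url.Parse(overrideOrigin); err == nil && u.Host != "" {
		expected = u.Host // hypothetical operator override for reverse-proxy setups
	}
	return originHostMatches(origin, expected)
}

// csrfProtect wraps next and rejects requests that fail csrfAllowed.
func csrfProtect(next http.Handler, overrideOrigin string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !csrfAllowed(r, overrideOrigin) {
			http.Error(w, "CSRF check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Browsers that send Sec-Fetch-Site never reach the Origin comparison, so a forged Origin cannot override a "cross-site" verdict; the fallback only matters for clients that omit the header.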
