author Patrick O'Doherty <patrick@tailscale.com> 2025-02-26 20:44:27 +0000
committer Patrick O'Doherty <patrick@tailscale.com> 2025-02-27 11:42:53 -0800
commit a4e843c1b6134c33fb52b14c3408aafca4ca0992 (patch)
tree 39ec2793746b17012046d7abb0cb20e9015fab7f /smallzstd/testdata
parent ae303d41dd1850b4306848a5ada87ea8b14a088d (diff)
client/web: fix CSRF handler order in web UI [patrickod/reverse-web-handler-order-csrf]

Fix the order of the CSRF handlers (HTTP plaintext context setting, _then_ enforcement) in the construction of the web UI server. This resolves false-positive "invalid Origin" 403 exceptions when attempting to update settings in the web UI.

Add unit test to exercise the CSRF protection failure and success cases for our web UI configuration.

Updates #14822
Updates #14872

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Diffstat (limited to 'smallzstd/testdata')
0 files changed, 0 insertions, 0 deletions
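
The handler-order problem described in the commit message, modelled with the Go standard library only. This is an added example, not code from the commit or the Tailscale tree: `markPlaintext`, `enforceOrigin`, the host `device.example` and the `/settings` path are hypothetical, and the Origin check is a simplified assumption about how the enforcement step behaves.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type plaintextKey struct{} // hypothetical context key
var ok http.Handler = http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // stand-in settings handler

// markPlaintext notes in the context that the request came over plain HTTP.
func markPlaintext(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), plaintextKey{}, true)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// enforceOrigin rejects non-GET requests from another origin; it assumes https unless the context says plaintext.
func enforceOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme := "https"
		if v, _ := r.Context().Value(plaintextKey{}).(bool); v {
			scheme = "http"
		}
		if r.Method != http.MethodGet && r.Header.Get("Origin") != scheme+"://"+r.Host {
			http.Error(w, "invalid Origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fixedOrder sets the context first, then enforces; brokenOrder is the reverse.
func fixedOrder(h http.Handler) http.Handler  { return markPlaintext(enforceOrigin(h)) }
func brokenOrder(h http.Handler) http.Handler { return enforceOrigin(markPlaintext(h)) }

// postStatus sends a constructed POST with the given Origin and returns the status.
func postStatus(h http.Handler, origin string) int {
	req := httptest.NewRequest(http.MethodPost, "http://device.example/settings", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(postStatus(brokenOrder(ok), "http://device.example"), postStatus(fixedOrder(ok), "http://device.example"))
}
```

With the enforcement wrapper outermost, the same-origin POST is compared against an `https` origin before the plaintext marker exists, which is the false-positive 403; a cross-origin POST is still rejected in the fixed order.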