ipn/{localapi,ipnserver}: set a CSP for ServeHTMLStatus, refactor host check

Signed-off-by: Tom DNetto <tom@tailscale.com>
Tom DNetto 2022-11-18 09:47:06 -08:00 committed by Tom
parent a011320370
commit 2a991a3541
1 changed files with 4 additions and 1 deletions


@ -1031,11 +1031,14 @@ func (s *Server) localhostHandler(ci connIdentity) http.Handler {
func (s *Server) ServeHTMLStatus(w http.ResponseWriter, r *http.Request) { func (s *Server) ServeHTMLStatus(w http.ResponseWriter, r *http.Request) {
// As this is only meant for debug, verify there's no DNS name being used to // As this is only meant for debug, verify there's no DNS name being used to
// access this. // access this.
if strings.IndexFunc(r.Host, unicode.IsLetter) != -1 { if !strings.HasPrefix(r.Host, "localhost:") && strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
http.Error(w, "invalid host", http.StatusForbidden) http.Error(w, "invalid host", http.StatusForbidden)
return return
} }
w.Header().Set("Content-Security-Policy", `default-src 'none'; frame-ancestors 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'`)
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Content-Type", "text/html; charset=utf-8") w.Header().Set("Content-Type", "text/html; charset=utf-8")
st := s.b.Status() st := s.b.Status()
// TODO(bradfitz): add LogID and opts to st? // TODO(bradfitz): add LogID and opts to st?