From 1ce0e558a792b792dd8cb24c2724eace759260c5 Mon Sep 17 00:00:00 2001
From: Mihai Parparita
Date: Thu, 15 Sep 2022 15:13:58 -0700
Subject: [PATCH] cmd/derper, control/controlhttp: disable WebSocket compression

The data that we send over WebSockets is encrypted and thus not compressible. Additionally, Safari has a broken implementation of compression (see nhooyr/websocket#218) that makes enabling it actively harmful.

Fixes tailscale/corp#6943
Signed-off-by: Mihai Parparita
---
 cmd/derper/websocket.go | 6 ++++++
 control/controlhttp/server.go | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/cmd/derper/websocket.go b/cmd/derper/websocket.go
index 23e1376d6..c44ca5e91 100644
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -33,6 +33,12 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 Subprotocols: []string{"derp"},
 OriginPatterns: []string{"*"},
+ // Disable compression because we transmit WireGuard messages that
+ // are not compressible.
+ // Additionally, Safari has a broken implementation of compression
+ // (see https://github.com/nhooyr/websocket/issues/218) that makes
+ // enabling it actively harmful.
+ CompressionMode: websocket.CompressionDisabled,
 })
 if err != nil {
 log.Printf("websocket.Accept: %v", err)
diff --git a/control/controlhttp/server.go b/control/controlhttp/server.go
index 816d17ca3..1e9ccd0ca 100644
--- a/control/controlhttp/server.go
+++ b/control/controlhttp/server.go
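Review bot: Nothing pins the new `CompressionMode: websocket.CompressionDisabled` setting in the `websocket.Accept` call of `addWebSocketSupport` (cmd/derper/websocket.go), and the same holds for the identical change in `acceptWebsocket` (control/controlhttp/server.go); the diffstat lists only the two source files, so no test accompanies either hunk. Because the stated rationale includes a client that misbehaves once the extension is negotiated, a small `httptest`-based check that a handshake offering `permessage-deflate` comes back without a `Sec-WebSocket-Extensions` header would stop a later edit of `AcceptOptions` from re-enabling it unnoticed. The comment could also record why a server-side setting is sufficient, e.g. `// The server's handshake response decides whether permessage-deflate is used, so this covers every client.` Both function bodies continue outside their hunks.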
@@ -82,6 +82,12 @@ func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request
 c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 Subprotocols: []string{upgradeHeaderValue},
 OriginPatterns: []string{"*"},
+ // Disable compression because we transmit Noise messages that are not
+ // compressible.
+ // Additionally, Safari has a broken implementation of compression
+ // (see https://github.com/nhooyr/websocket/issues/218) that makes
+ // enabling it actively harmful.
+ CompressionMode: websocket.CompressionDisabled,
 })
 if err != nil {
 return nil, fmt.Errorf("Could not accept WebSocket connection %v", err)