tsweb: relax CSP for debug handlers (#8649)

Allow inline CSS for debug handlers to make prototyping easier. These are generally not accessible to the public and the small risk of CSS injection via user content seems acceptable. Also allow form submissions on the same domain, instead of banning all forms. An example of such form is http://webhooks.corp.ts.net:6359/debug/private-nodes/ Updates #3576 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
10 months ago · 7c04846eac
parent 9ab70212f4
commit 7c04846eac
2 changed files with 16 additions and 2 deletions
--- a/tsweb/debug.go
+++ b/tsweb/debug.go
@ -98,7 +98,7 @@ func (d *DebugHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // entry in /debug/ for it.
 func (d *DebugHandler) Handle(slug, desc string, handler http.Handler) {
 	href := "/debug/" + slug
-	d.mux.Handle(href, Protected(BrowserHeaderHandler(handler)))
+	d.mux.Handle(href, Protected(debugBrowserHeaderHandler(handler)))
 	d.URL(href, desc)
 }

@ -141,3 +141,17 @@ func gcHandler(w http.ResponseWriter, r *http.Request) {
 	runtime.GC()
 	w.Write([]byte("Done.\n"))
 }
+
+// debugBrowserHeaderHandler is a wrapper around BrowserHeaderHandler with a
+// more relaxed Content-Security-Policy that's acceptable for internal debug
+// pages. It should not be used on any public-facing handlers!
+func debugBrowserHeaderHandler(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		AddBrowserHeaders(w)
+		// The only difference from AddBrowserHeaders is that this policy
+		// allows inline CSS styles. They make debug pages much easier to
+		// prototype, while the risk of user-injected CSS is relatively low.
+		w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'; style-src 'self' 'unsafe-inline'")
+		h.ServeHTTP(w, r)
+	})
+}
--- a/tsweb/tsweb.go
+++ b/tsweb/tsweb.go
@ -435,7 +435,7 @@ func VarzHandler(w http.ResponseWriter, r *http.Request) {
 // https://infosec.mozilla.org/guidelines/web_security
 func AddBrowserHeaders(w http.ResponseWriter) {
 	w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
-	w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
+	w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
 	w.Header().Set("X-Frame-Options", "DENY")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 }