client/web: don't require secure cookies for csrf

Under normal circumstances, you would typically want to keep the default
behavior of requiring secure cookies.  In the case of the Tailscale web
client, we are regularly serving on localhost (where secure cookies
don't really matter), and/or we are behind a reverse proxy running on a
network appliance like a NAS or Home Assistant. In those cases, those
devices are regularly accessed over local IP addresses without https
configured, so would not work with secure cookies.

Updates tailscale/corp#13775

Signed-off-by: Will Norris <will@tailscale.com>
pull/9053/head
Will Norris 1 year ago committed by Will Norris
parent f61dd12f05
commit 9ea3942b1a

@ -77,9 +77,12 @@ func NewServer(devMode bool, lc *tailscale.LocalClient) (s *Server, cleanup func
cleanup = s.startDevServer() cleanup = s.startDevServer()
s.addProxyToDevServer() s.addProxyToDevServer()
// Create new handler for "/api" requests. // Create handler for "/api" requests with CSRF protection.
// And protect with gorilla csrf. // We don't require secure cookies, since the web client is regularly used
csrfProtect := csrf.Protect(csrfKey()) // on network appliances that are served on local non-https URLs.
// The client is secured by limiting the interface it listens on,
// or by authenticating requests before they reach the web client.
csrfProtect := csrf.Protect(csrfKey(), csrf.Secure(false))
s.apiHandler = csrfProtect(&api{s: s}) s.apiHandler = csrfProtect(&api{s: s})
} }
s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1) s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
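Review bot: `csrf.Secure(false)` is applied unconditionally in the new `csrfProtect := csrf.Protect(csrfKey(), csrf.Secure(false))`, so the CSRF cookie is issued without the Secure flag even when the web client is reached over https (the reverse-proxy case named in the comment), and it can then be sent in clear over any plain-http hop on the way. The new comment explains why Secure is dropped but not that the CSRF check now depends on the listen-interface restriction or on upstream authentication also covering the proxied path. Consider making the option a caller-supplied choice rather than hard-coding it (for example `csrf.Secure(servingOverTLS)` passed in by the code that knows how the server is exposed) and adding one sentence to the comment stating what the token check still guarantees once the cookie is no longer Secure-only.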
