client/web: don't require secure cookies for csrf

Under normal circumstances, you would typically want to keep the default
behavior of requiring secure cookies.  In the case of the Tailscale web
client, we are regularly serving on localhost (where secure cookies
don't really matter), and/or we are behind a reverse proxy running on a
network appliance like a NAS or Home Assistant. In those cases, those
devices are regularly accessed over local IP addresses without https
configured, so would not work with secure cookies.

Updates tailscale/corp#13775

Signed-off-by: Will Norris <will@tailscale.com>

client/web/web.go

@@ -77,9 +77,12 @@ func NewServer(devMode bool, lc *tailscale.LocalClient) (s *Server, cleanup func
 		cleanup = s.startDevServer()
 		s.addProxyToDevServer()
 
-		// Create new handler for "/api" requests.
-		// And protect with gorilla csrf.
-		csrfProtect := csrf.Protect(csrfKey())
+		// Create handler for "/api" requests with CSRF protection.
+		// We don't require secure cookies, since the web client is regularly used
+		// on network appliances that are served on local non-https URLs.
+		// The client is secured by limiting the interface it listens on,
+		// or by authenticating requests before they reach the web client.
+		csrfProtect := csrf.Protect(csrfKey(), csrf.Secure(false))
 		s.apiHandler = csrfProtect(&api{s: s})
 	}
 	s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)