ipn/{localapi,ipnserver}: set a CSP for ServeHTMLStatus, refactor host check

Signed-off-by: Tom DNetto <tom@tailscale.com> (cherry picked from commit 2a991a3541)
2 years ago · b7d0a67f5e
parent 7045359322
commit b7d0a67f5e
1 changed files with 4 additions and 1 deletions
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@ -1079,11 +1079,14 @@ func (s *Server) localhostHandler(ci connIdentity) http.Handler {
 func (s *Server) ServeHTMLStatus(w http.ResponseWriter, r *http.Request) {
 	// As this is only meant for debug, verify there's no DNS name being used to
 	// access this.
-	if strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
+	if !strings.HasPrefix(r.Host, "localhost:") && strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
 		http.Error(w, "invalid host", http.StatusForbidden)
 		return
 	}

+	w.Header().Set("Content-Security-Policy", `default-src 'none'; frame-ancestors 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'`)
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	st := s.b.Status()
 	// TODO(bradfitz): add LogID and opts to st?