From b7d0a67f5e717d0f4837de5cd280443304812dbc Mon Sep 17 00:00:00 2001
From: Tom DNetto
Date: Fri, 18 Nov 2022 09:47:06 -0800
Subject: [PATCH] ipn/{localapi,ipnserver}: set a CSP for ServeHTMLStatus, refactor host check
Signed-off-by: Tom DNetto
(cherry picked from commit 2a991a3541ae5d567a5bf26c6fe60a7349bda9bb)
---
 ipn/ipnserver/server.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ipn/ipnserver/server.go b/ipn/ipnserver/server.go
index 83abc3a10..2ba583479 100644
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -1079,11 +1079,14 @@ func (s *Server) localhostHandler(ci connIdentity) http.Handler {
 func (s *Server) ServeHTMLStatus(w http.ResponseWriter, r *http.Request) {
 // As this is only meant for debug, verify there's no DNS name being used to
 // access this.
- if strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
+ if !strings.HasPrefix(r.Host, "localhost:") && strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
 http.Error(w, "invalid host", http.StatusForbidden)
 return
 }

+ w.Header().Set("Content-Security-Policy", `default-src 'none'; frame-ancestors 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'`)
+ w.Header().Set("X-Frame-Options", "DENY")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
 w.Header().Set("Content-Type", "text/html; charset=utf-8")
 st := s.b.Status()
 // TODO(bradfitz): add LogID and opts to st?
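Review bot: The Content-Security-Policy value added in this hunk leaves `base-uri` and `form-action` unrestricted, because `default-src` does not govern either directive, so if any field rendered into the status HTML ever carries attacker-influenced text (peer names, DNS names, etc.) the page could still be given a rogue `<base>` or have a form submit elsewhere; as this is a debug page with no evident need for either, append `; base-uri 'none'; form-action 'none'` to the policy string. The three explicit `script-src*` entries are redundant under `default-src 'none'` (each falls back to it), which is harmless but worth a one-line comment such as `// script-src* spelled out so scripts stay blocked even if default-src is later relaxed.` so a future reader does not "simplify" the policy in the wrong direction. On the host check, the new `"localhost:"` prefix exemption is case-sensitive and requires a port, so a bare `Host: localhost` is still rejected; if that fail-closed behaviour is intended, extend the comment above it (`// "localhost" is exempt because browsers resolve it locally without DNS, so it cannot be rebound to this port; the port suffix is required so arbitrary "localhost.example" names stay blocked.`), otherwise compare the host component after splitting off the port. ServeHTMLStatus continues past the end of this hunk, and the subject mentions ipn/localapi although the diffstat touches only ipn/ipnserver/server.go, which looks like a cherry-pick artefact worth noting in the description.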