From e7599c1f7e3bb768b54c7ddb631077ce7ff62ef8 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Fri, 29 Mar 2024 10:26:31 -0700
Subject: [PATCH] logtail: prevent js/wasm clients from picking TLS client cert

Corp details: https://github.com/tailscale/corp/issues/18177#issuecomment-2026598715
https://github.com/tailscale/corp/pull/18775#issuecomment-2027505036

Updates tailscale/corp#18177

Change-Id: I7c03a4884540b8519e0996088d085af77991f477
Signed-off-by: Brad Fitzpatrick
---
 logtail/logtail.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/logtail/logtail.go b/logtail/logtail.go
index da19c3bbc..a1a6c196e 100644
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -18,6 +18,7 @@ import (
 	"net/netip"
 	"os"
 	"regexp"
+	"runtime"
 	"strconv"
 	"sync"
 	"sync/atomic"
@@ -491,6 +492,19 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (retryAft
 	req.Header.Add("Content-Encoding", "zstd")
 	req.Header.Add("Orig-Content-Length", strconv.Itoa(origlen))
 	}
+	if runtime.GOOS == "js" {
+		// We once advertised we'd accept optional client certs (for internal use)
+		// on log.tailscale.io but then Tailscale SSH js/wasm clients prompted
+		// users (on some browsers?) to pick a client cert. We'll fix the server's
+		// TLS ServerHello, but we can also fix it client side for good measure.
+		//
+		// Corp details: https://github.com/tailscale/corp/issues/18177#issuecomment-2026598715
+		// and https://github.com/tailscale/corp/pull/18775#issuecomment-2027505036
+		//
+		// See https://github.com/golang/go/wiki/WebAssembly#configuring-fetch-options-while-using-nethttp
+		// and https://developer.mozilla.org/en-US/docs/Web/API/fetch#credentials
+		req.Header.Set("js.fetch:credentials", "omit")
+	}
 	req.Header["User-Agent"] = nil // not worth writing one; save some bytes
 	compressedNote := "not-compressed"