ipn/{localapi,ipnserver}: set a CSP for ServeHTMLStatus, refactor hos…

…t check Signed-off-by: Tom DNetto <tom@tailscale.com> (cherry picked from commit 2a991a3)
tailscale · Nov 19, 2022 · b7d0a67 · b7d0a67
1 parent 7045359
commit b7d0a67
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/ipn/ipnserver/server.go b/ipn/ipnserver/server.go
@@ -1079,11 +1079,14 @@ func (s *Server) localhostHandler(ci connIdentity) http.Handler {
 func (s *Server) ServeHTMLStatus(w http.ResponseWriter, r *http.Request) {
 	// As this is only meant for debug, verify there's no DNS name being used to
 	// access this.
-	if strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
+	if !strings.HasPrefix(r.Host, "localhost:") && strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
 		http.Error(w, "invalid host", http.StatusForbidden)
 		return
 	}
 
+	w.Header().Set("Content-Security-Policy", `default-src 'none'; frame-ancestors 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'`)
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	st := s.b.Status()
 	// TODO(bradfitz): add LogID and opts to st?