
safeweb: Set Cross-Origin-Opener-Policy for browser requests (#15936)

Set Cross-Origin-Opener-Policy: same-origin for all browser requests to
prevent window.location manipulation by malicious origins.

Updates tailscale/corp#28480

Thank you to Triet H.M. Pham for the report.

Signed-off-by: Patrick O'Doherty <[email protected]>
Patrick O'Doherty, 9 months ago. Commit 3177e50b14
1 changed file with 1 addition and 0 deletions: safeweb/http.go

+ 1 - 0
safeweb/http.go

@@ -376,6 +376,7 @@ func (s *Server) serveBrowser(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Security-Policy", s.csp)
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Referer-Policy", "same-origin")
+	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	if s.SecureContext {
 		w.Header().Set("Strict-Transport-Security", cmp.Or(s.StrictTransportSecurityOptions, DefaultStrictTransportSecurityOptions))
 	}
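Review bot: the unchanged context line two above the addition sets `Referer-Policy`, which is not a header any browser recognises; the response header is spelled `Referrer-Policy` (only the request header keeps the historic `Referer` spelling), so the `same-origin` value is silently ignored and the referrer policy falls back to the browser default. Worth fixing here or in a follow-up: `w.Header().Set("Referrer-Policy", "same-origin")`. Two caveats on the added `Cross-Origin-Opener-Policy: same-origin` line itself: browsers only honour COOP in a secure context, so over plain HTTP the header is inert while `Strict-Transport-Security` just below is already gated on `s.SecureContext`; and `same-origin` severs the `window.opener` relationship in both directions, so any page served through serveBrowser that opens a cross-origin popup and expects to communicate with it (an OAuth or SSO popup that reports back to the opener, for instance) will break, in which case `same-origin-allow-popups` is the value to use. A unit test asserting the new header on a serveBrowser response would also be worth adding alongside this change.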