logtail: prevent js/wasm clients from picking TLS client cert

Corp details: https://github.com/tailscale/corp/issues/18177#issuecomment-2026598715 https://github.com/tailscale/corp/pull/18775#issuecomment-2027505036 Updates tailscale/corp#18177 Change-Id: I7c03a4884540b8519e0996088d085af77991f477 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago · e7599c1f7e
parent 5fb721d4ad
commit e7599c1f7e
1 changed files with 14 additions and 0 deletions
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@ -18,6 +18,7 @@ import (
 	"net/netip"
 	"os"
 	"regexp"
+	"runtime"
 	"strconv"
 	"sync"
 	"sync/atomic"
@ -491,6 +492,19 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (retryAft
 		req.Header.Add("Content-Encoding", "zstd")
 		req.Header.Add("Orig-Content-Length", strconv.Itoa(origlen))
 	}
+	if runtime.GOOS == "js" {
+		// We once advertised we'd accept optional client certs (for internal use)
+		// on log.tailscale.io but then Tailscale SSH js/wasm clients prompted
+		// users (on some browsers?) to pick a client cert. We'll fix the server's
+		// TLS ServerHello, but we can also fix it client side for good measure.
+		//
+		// Corp details: https://github.com/tailscale/corp/issues/18177#issuecomment-2026598715
+		// and https://github.com/tailscale/corp/pull/18775#issuecomment-2027505036
+		//
+		// See https://github.com/golang/go/wiki/WebAssembly#configuring-fetch-options-while-using-nethttp
+		// and https://developer.mozilla.org/en-US/docs/Web/API/fetch#credentials
+		req.Header.Set("js.fetch:credentials", "omit")
+	}
 	req.Header["User-Agent"] = nil // not worth writing one; save some bytes

 	compressedNote := "not-compressed"