farcasclaudiu/openclaw
1
0
Fork 0
mirror of https://github.com/farcasclaudiu/openclaw.git synced 2026-06-29 09:02:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden control ui framing + ws origin

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-03 16:00:57 -08:00
parent 0223416c61
commit 66d8117d44
11 changed files with 265 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/web/index.md
+2
View File
@@ -99,6 +99,8 @@ Open:
- Non-loopback binds still **require** a shared token/password (`gateway.auth` or env).
- The wizard generates a gateway token by default (even on loopback).
- The UI sends `connect.params.auth.token` or `connect.params.auth.password`.
- The Control UI sends anti-clickjacking headers and only accepts same-origin browser
websocket connections unless `gateway.controlUi.allowedOrigins` is set.
- With Serve, Tailscale identity headers can satisfy auth when
`gateway.auth.allowTailscale` is `true` (no token/password required). Set
`gateway.auth.allowTailscale: false` to require explicit credentials. See