feat(option): add ability to disable clickjacking defense script in d…

…efault spa.html via option security.client.clickjacking

README.md

@@ -163,7 +163,7 @@ package.json
 # spa.description                                   = (string)  defaults to package.json description = html meta description tag value
 # spa.src.filePath                                  = (string)  set if you want to use your own spa file and not the build system's (file must be located in your client src directory)
 # spa.dist.fileName                                 = (string)  defaults to file name of spa.src.filePath or 'spa.html' = provide if you want the dist spa file to be named differently, example: 'index.html'
-# spa.placeholders                                  = (array of strings) = set to retain spa file placeholders, optional values are: ['scripts', 'styles', 'description', 'moduleName', 'title'] or ['all']
+# spa.placeholders                                  = (array of strings) = set to retain spa file placeholders, optional values are: ['clickjacking', 'description', 'moduleName', 'scripts', 'styles', 'title'] or ['all']
 # minify.css.styles                                 = (boolean) defaults to true = for prod build, minify the css
 # minify.css.fileName                               = (string)  defaults to 'styles.min.css'
 # minify.css.splitMinFile                           = (boolean) defaults to true = for prod build, task for ie9 and below, split styles.min.css into multiple files if selector count > 4,095
@@ -193,6 +193,7 @@ package.json
 # extra.compile.client[coffee|es6|less|sass]        = (array of strings) = file paths: additional files to compile to dist/client that the build didn't compile
 # extra.compile.server[less|sass]                   = (array of strings) = file paths: additional files to compile to dist/server that the build didn't compile
 # extra.minify.client[css|js]                       = (array of strings) = file paths: additional files to minify in dist/client that the build didn't minify (by default, the build does not minify files in libs or bower_components)
+# security.client.clickjacking                      = (boolean) defaults to true = includes a clickjacking defense script in the default spa.html (set to false to disable)
 # =====================================================================================================================================================================================================================================
 ```
 

docs/src/client/spa.html

@@ -10,11 +10,7 @@
 	<meta name="viewport" content="width=device-width, initial-scale=1">
 	<link rel="icon" type="image/png" sizes="16x16" href="/images/icons/rapid-build-icon-16x16.png">
 	<link rel="icon" type="image/png" sizes="32x32" href="/images/icons/rapid-build-icon-32x32.png">
-
-	<!-- ClickJacking Defense begin (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) -->
-	<style id="antiClickjack">body{display:none !important;}</style>
-	<script>(function(w){if(w.top===w.self){var a=w.document.getElementById('antiClickjack');a.parentNode.removeChild(a);}else{w.top.location=w.self.location;}}(window));</script>
-	<!-- ClickJacking Defense end -->
+	<!--#include clickjacking-->
 
 	<!--#include styles-->
 	<!-- When you load angular at the bottom, you need to create the "ng-cloak" rules yourself -->

src/config/config-options.coffee

@@ -18,6 +18,7 @@ module.exports = (config, options) ->
 	options = require("#{config.req.config.options}/option-http-proxy")   config, options
 	options = require("#{config.req.config.options}/option-browser")      config, options
 	options = require("#{config.req.config.options}/option-extra")        config, options
+	options = require("#{config.req.config.options}/option-security")     config, options
 
 	# logs
 	# ====

src/config/config.coffee

@@ -19,6 +19,7 @@ module.exports = (rbDir, options) ->
 	config  = require("#{config.req.config.configs}/config-browser")       config, options
 	config  = require("#{config.req.config.configs}/config-minify")        config, options
 	config  = require("#{config.req.config.configs}/config-file-names")    config
+	config  = require("#{config.req.config.configs}/config-security")      config, options
 	config  = require("#{config.req.config.configs}/config-dist-and-src")  config, options
 	config  = require("#{config.req.config.configs}/config-angular")       config, options
 	config  = require("#{config.req.config.configs}/config-spa")           config, options

src/config/configs/config-security.coffee

@@ -0,0 +1,27 @@
+module.exports = (config, options) ->
+	log  = require "#{config.req.helpers}/log"
+	test = require("#{config.req.helpers}/test")()
+
+	# init security
+	# =============
+	security = {}
+	security.client = {}
+	security.client.clickjacking = if options.security.client.clickjacking is false then false else true
+
+	# add security to config
+	# ======================
+	config.security = security
+
+	# logs
+	# ====
+	# log.json security, 'security ='
+
+	# tests
+	# =====
+	test.log 'true', config.security, 'add security to config'
+
+	# return
+	# ======
+	config
+
+

src/config/configs/config-templates.coffee

@@ -8,12 +8,15 @@ module.exports = (config) ->
 	# helpers
 	# =======
 	getInfo = (srcFile, destFile, destDir) ->
-		src:
+		info = {}
+		info.src =
 			path: path.join templates.dir, srcFile
-		dest:
+		return info unless destFile
+		info.dest =
 			file: destFile
 			dir:  destDir
 			path: path.join destDir, destFile
+		info
 
 	# init templates
 	# ==============
@@ -28,6 +31,8 @@ module.exports = (config) ->
 		config.src.rb.client.scripts.dir
 	)
 
+	templates.clickjacking = getInfo 'clickjacking.tpl'
+
 	# add templates to config
 	# =======================
 	config.templates = templates

src/config/options/option-security.coffee

@@ -0,0 +1,19 @@
+module.exports = (config, options) ->
+	isType = require "#{config.req.helpers}/isType"
+
+	# init security options
+	# =====================
+	security = options.security
+	security = {} unless isType.object security
+	security.client = {} unless isType.object security.client
+	security.client.clickjacking = null unless isType.boolean security.client.clickjacking
+
+	# add security options
+	# ====================
+	options.security = security
+
+	# return
+	# ======
+	options
+
+

src/src/client/spa.html

@@ -6,11 +6,7 @@
 	<title><!--#include title--></title>
 	<meta name="description" content="<!--#include description-->" />
 	<meta name="viewport" content="width=device-width, initial-scale=1" />
-
-	<!-- ClickJacking Defense begin (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) -->
-	<style id="antiClickjack">body{display:none !important;}</style>
-	<script>(function(w){if(w.top===w.self){var a=w.document.getElementById('antiClickjack');a.parentNode.removeChild(a);}else{w.top.location=w.self.location;}}(window));</script>
-	<!-- ClickJacking Defense end -->
+	<!--#include clickjacking-->
 
 	<!--#include styles-->
 	<!-- When you load angular at the bottom, you need to create the "ng-cloak" rules yourself -->

src/tasks/build/build-spa.coffee

@@ -1,5 +1,6 @@
 module.exports = (config, gulp, taskOpts={}) ->
 	q           = require 'q'
+	fs          = require 'fs'
 	path        = require 'path'
 	gulpif      = require 'gulp-if'
 	rename      = require 'gulp-rename'
@@ -29,6 +30,7 @@ module.exports = (config, gulp, taskOpts={}) ->
 		defer = q.defer()
 		gulp.src src
 			.pipe rename file
+			.pipe runReplace 'clickjacking'
 			.pipe runReplace 'description'
 			.pipe runReplace 'moduleName'
 			.pipe runReplace 'scripts'
@@ -52,14 +54,19 @@ module.exports = (config, gulp, taskOpts={}) ->
 		files.scripts = format.paths.to.html files.scripts, 'scripts', join: true, lineEnding: '\n\t'
 		files
 
+	getClickjackingTpl = ->
+		return '' unless config.security.client.clickjacking
+		fs.readFileSync(config.templates.clickjacking.src.path).toString()
+
 	getData = (jsonEnvFile) ->
 		files = getFilesJson jsonEnvFile
 		data =
-			scripts:     files.scripts
-			styles:      files.styles
-			moduleName:  config.angular.moduleName
-			title:       config.spa.title
-			description: config.spa.description
+			clickjacking: getClickjackingTpl()
+			description:  config.spa.description
+			moduleName:   config.angular.moduleName
+			scripts:      files.scripts
+			styles:       files.styles
+			title:        config.spa.title
 
 	# API
 	# ===

src/templates/clickjacking.tpl

@@ -0,0 +1,5 @@
+
+	<!-- ClickJacking Defense begin (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) -->
+	<style id="antiClickjack">body{display:none !important;}</style>
+	<script>(function(w){if(w.top===w.self){var a=w.document.getElementById('antiClickjack');a.parentNode.removeChild(a);}else{w.top.location=w.self.location;}}(window));</script>
+	<!-- ClickJacking Defense end -->