Skip to content
Permalink
Browse files

feat(option): add ability to disable clickjacking defense script in d…

…efault spa.html via option security.client.clickjacking
  • Loading branch information
jyounce committed May 4, 2016
1 parent c629b29 commit 56b92dc4a46995954f409899bb17dfbf0ed0ba64
@@ -163,7 +163,7 @@ package.json
# spa.description = (string) defaults to package.json description = html meta description tag value
# spa.src.filePath = (string) set if you want to use your own spa file and not the build system's (file must be located in your client src directory)
# spa.dist.fileName = (string) defaults to file name of spa.src.filePath or 'spa.html' = provide if you want the dist spa file to be named differently, example: 'index.html'
# spa.placeholders = (array of strings) = set to retain spa file placeholders, optional values are: ['scripts', 'styles', 'description', 'moduleName', 'title'] or ['all']
# spa.placeholders = (array of strings) = set to retain spa file placeholders, optional values are: ['clickjacking', 'description', 'moduleName', 'scripts', 'styles', 'title'] or ['all']
# minify.css.styles = (boolean) defaults to true = for prod build, minify the css
# minify.css.fileName = (string) defaults to 'styles.min.css'
# minify.css.splitMinFile = (boolean) defaults to true = for prod build, task for ie9 and below, split styles.min.css into multiple files if selector count > 4,095
@@ -193,6 +193,7 @@ package.json
# extra.compile.client[coffee|es6|less|sass] = (array of strings) = file paths: additional files to compile to dist/client that the build didn't compile
# extra.compile.server[less|sass] = (array of strings) = file paths: additional files to compile to dist/server that the build didn't compile
# extra.minify.client[css|js] = (array of strings) = file paths: additional files to minify in dist/client that the build didn't minify (by default, the build does not minify files in libs or bower_components)
# security.client.clickjacking = (boolean) defaults to true = includes a clickjacking defense script in the default spa.html (set to false to disable)
# =====================================================================================================================================================================================================================================
```

@@ -10,11 +10,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/png" sizes="16x16" href="/images/icons/rapid-build-icon-16x16.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/icons/rapid-build-icon-32x32.png">

<!-- ClickJacking Defense begin (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) -->
<style id="antiClickjack">body{display:none !important;}</style>
<script>(function(w){if(w.top===w.self){var a=w.document.getElementById('antiClickjack');a.parentNode.removeChild(a);}else{w.top.location=w.self.location;}}(window));</script>
<!-- ClickJacking Defense end -->
<!--#include clickjacking-->

<!--#include styles-->
<!-- When you load angular at the bottom, you need to create the "ng-cloak" rules yourself -->
@@ -18,6 +18,7 @@ module.exports = (config, options) ->
options = require("#{config.req.config.options}/option-http-proxy") config, options
options = require("#{config.req.config.options}/option-browser") config, options
options = require("#{config.req.config.options}/option-extra") config, options
options = require("#{config.req.config.options}/option-security") config, options

# logs
# ====
@@ -19,6 +19,7 @@ module.exports = (rbDir, options) ->
config = require("#{config.req.config.configs}/config-browser") config, options
config = require("#{config.req.config.configs}/config-minify") config, options
config = require("#{config.req.config.configs}/config-file-names") config
config = require("#{config.req.config.configs}/config-security") config, options
config = require("#{config.req.config.configs}/config-dist-and-src") config, options
config = require("#{config.req.config.configs}/config-angular") config, options
config = require("#{config.req.config.configs}/config-spa") config, options
@@ -0,0 +1,27 @@
module.exports = (config, options) ->
log = require "#{config.req.helpers}/log"
test = require("#{config.req.helpers}/test")()

# init security
# =============
security = {}
security.client = {}
security.client.clickjacking = if options.security.client.clickjacking is false then false else true

# add security to config
# ======================
config.security = security

# logs
# ====
# log.json security, 'security ='

# tests
# =====
test.log 'true', config.security, 'add security to config'

# return
# ======
config


@@ -8,12 +8,15 @@ module.exports = (config) ->
# helpers
# =======
getInfo = (srcFile, destFile, destDir) ->
src:
info = {}
info.src =
path: path.join templates.dir, srcFile
dest:
return info unless destFile
info.dest =
file: destFile
dir: destDir
path: path.join destDir, destFile
info

# init templates
# ==============
@@ -28,6 +31,8 @@ module.exports = (config) ->
config.src.rb.client.scripts.dir
)

templates.clickjacking = getInfo 'clickjacking.tpl'

# add templates to config
# =======================
config.templates = templates
@@ -0,0 +1,19 @@
module.exports = (config, options) ->
isType = require "#{config.req.helpers}/isType"

# init security options
# =====================
security = options.security
security = {} unless isType.object security
security.client = {} unless isType.object security.client
security.client.clickjacking = null unless isType.boolean security.client.clickjacking

# add security options
# ====================
options.security = security

# return
# ======
options


@@ -6,11 +6,7 @@
<title><!--#include title--></title>
<meta name="description" content="<!--#include description-->" />
<meta name="viewport" content="width=device-width, initial-scale=1" />

<!-- ClickJacking Defense begin (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) -->
<style id="antiClickjack">body{display:none !important;}</style>
<script>(function(w){if(w.top===w.self){var a=w.document.getElementById('antiClickjack');a.parentNode.removeChild(a);}else{w.top.location=w.self.location;}}(window));</script>
<!-- ClickJacking Defense end -->
<!--#include clickjacking-->

<!--#include styles-->
<!-- When you load angular at the bottom, you need to create the "ng-cloak" rules yourself -->
@@ -1,5 +1,6 @@
module.exports = (config, gulp, taskOpts={}) ->
q = require 'q'
fs = require 'fs'
path = require 'path'
gulpif = require 'gulp-if'
rename = require 'gulp-rename'
@@ -29,6 +30,7 @@ module.exports = (config, gulp, taskOpts={}) ->
defer = q.defer()
gulp.src src
.pipe rename file
.pipe runReplace 'clickjacking'
.pipe runReplace 'description'
.pipe runReplace 'moduleName'
.pipe runReplace 'scripts'
@@ -52,14 +54,19 @@ module.exports = (config, gulp, taskOpts={}) ->
files.scripts = format.paths.to.html files.scripts, 'scripts', join: true, lineEnding: '\n\t'
files

getClickjackingTpl = ->
return '' unless config.security.client.clickjacking
fs.readFileSync(config.templates.clickjacking.src.path).toString()

getData = (jsonEnvFile) ->
files = getFilesJson jsonEnvFile
data =
scripts: files.scripts
styles: files.styles
moduleName: config.angular.moduleName
title: config.spa.title
description: config.spa.description
clickjacking: getClickjackingTpl()
description: config.spa.description
moduleName: config.angular.moduleName
scripts: files.scripts
styles: files.styles
title: config.spa.title

# API
# ===
@@ -0,0 +1,5 @@

<!-- ClickJacking Defense begin (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) -->
<style id="antiClickjack">body{display:none !important;}</style>
<script>(function(w){if(w.top===w.self){var a=w.document.getElementById('antiClickjack');a.parentNode.removeChild(a);}else{w.top.location=w.self.location;}}(window));</script>
<!-- ClickJacking Defense end -->

0 comments on commit 56b92dc

Please sign in to comment.
You can’t perform that action at this time.