From 56b92dc4a46995954f409899bb17dfbf0ed0ba64 Mon Sep 17 00:00:00 2001
From: Judd Younce
Date: Tue, 3 May 2016 20:34:22 -0500
Subject: [PATCH] feat(option): add ability to disable clickjacking defense script in default spa.html via option security.client.clickjacking
---
 README.md | 3 ++-
 docs/src/client/spa.html | 6 +----
 src/config/config-options.coffee | 1 +
 src/config/config.coffee | 1 +
 src/config/configs/config-security.coffee | 27 ++++++++++++++++++++++
 src/config/configs/config-templates.coffee | 9 ++++++--
 src/config/options/option-security.coffee | 19 +++++++++++++++
 src/src/client/spa.html | 6 +----
 src/tasks/build/build-spa.coffee | 17 ++++++++++----
 src/templates/clickjacking.tpl | 5 ++++
 10 files changed, 76 insertions(+), 18 deletions(-)
 create mode 100644 src/config/configs/config-security.coffee
 create mode 100644 src/config/options/option-security.coffee
 create mode 100644 src/templates/clickjacking.tpl
diff --git a/README.md b/README.md
index 2141b9a..238c55c 100644
--- a/README.md
+++ b/README.md
@@ -163,7 +163,7 @@ package.json
 # spa.description = (string) defaults to package.json description = html meta description tag value
 # spa.src.filePath = (string) set if you want to use your own spa file and not the build system's (file must be located in your client src directory)
 # spa.dist.fileName = (string) defaults to file name of spa.src.filePath or 'spa.html' = provide if you want the dist spa file to be named differently, example: 'index.html'
-# spa.placeholders = (array of strings) = set to retain spa file placeholders, optional values are: ['scripts', 'styles', 'description', 'moduleName', 'title'] or ['all']
+# spa.placeholders = (array of strings) = set to retain spa file placeholders, optional values are: ['clickjacking', 'description', 'moduleName', 'scripts', 'styles', 'title'] or ['all']
 # minify.css.styles = (boolean) defaults to true = for prod build, minify the css
 # minify.css.fileName = (string) defaults to 'styles.min.css'
 # minify.css.splitMinFile = (boolean) defaults to true = for prod build, task for ie9 and below, split styles.min.css into multiple files if selector count > 4,095
@@ -193,6 +193,7 @@ package.json
 # extra.compile.client[coffee|es6|less|sass] = (array of strings) = file paths: additional files to compile to dist/client that the build didn't compile
 # extra.compile.server[less|sass] = (array of strings) = file paths: additional files to compile to dist/server that the build didn't compile
 # extra.minify.client[css|js] = (array of strings) = file paths: additional files to minify in dist/client that the build didn't minify (by default, the build does not minify files in libs or bower_components)
+# security.client.clickjacking = (boolean) defaults to true = includes a clickjacking defense script in the default spa.html (set to false to disable)
 # =====================================================================================================================================================================================================================================
 ```
diff --git a/docs/src/client/spa.html b/docs/src/client/spa.html
index 2f45673..a036dad 100644
--- a/docs/src/client/spa.html
+++ b/docs/src/client/spa.html
@@ -10,11 +10,7 @@
-
-
-
-
-
+
diff --git a/src/config/config-options.coffee b/src/config/config-options.coffee
index 5286962..4ef94ef 100644
--- a/src/config/config-options.coffee
+++ b/src/config/config-options.coffee
@@ -18,6 +18,7 @@ module.exports = (config, options) ->
 options = require("#{config.req.config.options}/option-http-proxy") config, options
 options = require("#{config.req.config.options}/option-browser") config, options
 options = require("#{config.req.config.options}/option-extra") config, options
+ options = require("#{config.req.config.options}/option-security") config, options
 # logs
 # ====
diff --git a/src/config/config.coffee b/src/config/config.coffee
index e4efb99..5b2eebd 100644
--- a/src/config/config.coffee
+++ b/src/config/config.coffee
@@ -19,6 +19,7 @@ module.exports = (rbDir, options) ->
 config = require("#{config.req.config.configs}/config-browser") config, options
 config = require("#{config.req.config.configs}/config-minify") config, options
 config = require("#{config.req.config.configs}/config-file-names") config
+ config = require("#{config.req.config.configs}/config-security") config, options
 config = require("#{config.req.config.configs}/config-dist-and-src") config, options
 config = require("#{config.req.config.configs}/config-angular") config, options
 config = require("#{config.req.config.configs}/config-spa") config, options
diff --git a/src/config/configs/config-security.coffee b/src/config/configs/config-security.coffee
new file mode 100644
index 0000000..130c2a9
--- /dev/null
+++ b/src/config/configs/config-security.coffee
@@ -0,0 +1,27 @@
+module.exports = (config, options) ->
+ log = require "#{config.req.helpers}/log"
+ test = require("#{config.req.helpers}/test")()
+
+ # init security
+ # =============
+ security = {}
+ security.client = {}
+ security.client.clickjacking = if options.security.client.clickjacking is false then false else true
+
+ # add security to config
+ # ======================
+ config.security = security
+
+ # logs
+ # ====
+ # log.json security, 'security ='
+
+ # tests
+ # =====
+ test.log 'true', config.security, 'add security to config'
+
+ # return
+ # ======
+ config
+
+
diff --git a/src/config/configs/config-templates.coffee b/src/config/configs/config-templates.coffee
index c8530f8..e557b65 100644
--- a/src/config/configs/config-templates.coffee
+++ b/src/config/configs/config-templates.coffee
@@ -8,12 +8,15 @@ module.exports = (config) ->
 # helpers
 # =======
 getInfo = (srcFile, destFile, destDir) ->
- src:
+ info = {}
+ info.src =
 path: path.join templates.dir, srcFile
- dest:
+ return info unless destFile
+ info.dest =
 file: destFile
 dir: destDir
 path: path.join destDir, destFile
+ info
 # init templates
 # ==============
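Review bot: In config-security.coffee `log` is required but its only reference is the commented-out `# log.json security, 'security ='`, so the require is dead code; drop it, or uncomment the logging line if the other config-* files keep theirs live. The defaulting line would read more directly as `security.client.clickjacking = options.security.client.clickjacking isnt false`, which also makes the fail-safe explicit: option-security has already reduced the value to a boolean or `null`, and only a literal `false` turns the defense off. That behaviour deserves a one-line comment above the assignment, e.g. `# fail-safe: only an explicit false disables the script; null (unset or non-boolean input) keeps it enabled`.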
@@ -28,6 +31,8 @@ module.exports = (config) ->
 config.src.rb.client.scripts.dir
 )
+ templates.clickjacking = getInfo 'clickjacking.tpl'
+
 # add templates to config
 # =======================
 config.templates = templates
diff --git a/src/config/options/option-security.coffee b/src/config/options/option-security.coffee
new file mode 100644
index 0000000..f3e56a2
--- /dev/null
+++ b/src/config/options/option-security.coffee
@@ -0,0 +1,19 @@
+module.exports = (config, options) ->
+ isType = require "#{config.req.helpers}/isType"
+
+ # init security options
+ # =====================
+ security = options.security
+ security = {} unless isType.object security
+ security.client = {} unless isType.object security.client
+ security.client.clickjacking = null unless isType.boolean security.client.clickjacking
+
+ # add security options
+ # ====================
+ options.security = security
+
+ # return
+ # ======
+ options
+
+
diff --git a/src/src/client/spa.html b/src/src/client/spa.html
index beb2ca4..f6b84cd 100644
--- a/src/src/client/spa.html
+++ b/src/src/client/spa.html
@@ -6,11 +6,7 @@
 <!--#include title-->
-
-
-
-
-
+
diff --git a/src/tasks/build/build-spa.coffee b/src/tasks/build/build-spa.coffee
index e7630d2..f6935d9 100644
--- a/src/tasks/build/build-spa.coffee
+++ b/src/tasks/build/build-spa.coffee
@@ -1,5 +1,6 @@
 module.exports = (config, gulp, taskOpts={}) ->
 q = require 'q'
+ fs = require 'fs'
 path = require 'path'
 gulpif = require 'gulp-if'
 rename = require 'gulp-rename'
@@ -29,6 +30,7 @@ module.exports = (config, gulp, taskOpts={}) ->
 defer = q.defer()
 gulp.src src
 .pipe rename file
+ .pipe runReplace 'clickjacking'
 .pipe runReplace 'description'
 .pipe runReplace 'moduleName'
 .pipe runReplace 'scripts'
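Review bot: In option-security.coffee a `security.client.clickjacking` that is present but not a boolean (for instance the string `'false'`) is silently replaced by `null` on the `isType.boolean` line, and config-security then treats `null` as enabled, so a user who believes they disabled the script still gets it injected with no feedback. Failing towards the defense being on is the right direction, but it should be visible: log a warning when the value is set and not boolean, or at minimum document it with `# non-boolean values are discarded (null); config-security treats null as enabled`. The same silent-discard pattern is used for the `security` and `security.client` object guards above it, which presumably mirrors the other option-* files.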
@@ -52,14 +54,19 @@ module.exports = (config, gulp, taskOpts={}) ->
 files.scripts = format.paths.to.html files.scripts, 'scripts', join: true, lineEnding: '\n\t'
 files
+ getClickjackingTpl = ->
+ return '' unless config.security.client.clickjacking
+ fs.readFileSync(config.templates.clickjacking.src.path).toString()
+
 getData = (jsonEnvFile) ->
 files = getFilesJson jsonEnvFile
 data =
- scripts: files.scripts
- styles: files.styles
- moduleName: config.angular.moduleName
- title: config.spa.title
- description: config.spa.description
+ clickjacking: getClickjackingTpl()
+ description: config.spa.description
+ moduleName: config.angular.moduleName
+ scripts: files.scripts
+ styles: files.styles
+ title: config.spa.title
 # API
 # ===
diff --git a/src/templates/clickjacking.tpl b/src/templates/clickjacking.tpl
new file mode 100644
index 0000000..87ae359
--- /dev/null
+++ b/src/templates/clickjacking.tpl
@@ -0,0 +1,5 @@
+
+
+
+
+
\ No newline at end of file
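Review bot: `getClickjackingTpl` makes an injected client-side script the project's clickjacking defense, and nothing in this commit sets or documents `X-Frame-Options` or a CSP `frame-ancestors` policy; a frame-busting script only takes effect when the framed document's JavaScript executes, so it is defense in depth rather than a replacement for those response headers. Put that caveat in a comment above the helper, e.g. `# client-side defense only; the server must still send X-Frame-Options / Content-Security-Policy: frame-ancestors`, and consider repeating it in the README entry added in the earlier hunk. The template body in src/templates/clickjacking.tpl is not visible here, so its contents are not reviewed. The helper also re-reads the template from disk on every `getData` call; hoisting the read out of `getData` would avoid that, though it is harmless for a build task. The enclosing `module.exports` function starts and ends outside the hunk.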