Skip to content

weizman/shield

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

aaa.png

aaa.png

 
 

bbb.png

bbb.png

 
 

index.html

index.html

 
 

package.json

package.json

 
 

shield.js

shield.js

 
 

shield.min.js

shield.min.js

 
 

test.js

test.js

 
 

Repository files navigation

Shield JS 🛡

Shield (npm) is a tiny JavaScript shim/library that applies protection against DOM Clobbering attacks at runtime with close to zero integration friction.

See for yourself - visit live demo/playground

About

Shield aspires to finally provide appropriate protection against DOM Clobbering attacks without forcing any adjustments/changes to the protected web app.

By simply including Shield as a remote script, Shield will keep an eye for new "clobberable" properties (id/name) that are introduced to the DOM.

If such are detected, Shield will redefine the window object of the application to detect and block JavaScript access to these properties, which effectively shields the window from being DOM clobbered, while allowing the app to function exactly to how it does without Shield's help.

Installation

Include Shield via a script tag:

<script src="https://cdn.jsdelivr.net/npm/@weizman/shield/shield.min.js"></script>

That's it.

It's best to include it as close as possible to the beginning of the <head> (the earliest it runs, the better it protects).

Usage

Shield supports optional configuration:

<script src="https://cdn.jsdelivr.net/npm/@weizman/shield/shield.min.js"
        allowlist="id1,id2"
        reportOnly="false"
        reportTo="https://report-server/report/"
></script>
  • allowlist - a list of ids you allow to be clobbered into the DOM (shield will overlook them when applying its protection).
  • reportOnly - whether to report forbidden access attempt or to throw an error. If enabled, reportTo must also be provided.
  • reportTo - a valid https: URL to report forbidden access attempt to in case reportOnly is enabled (CSP format):
{
    "csp-report": {
        "blocked-property": "id3",
        "disposition": "report",
        "document-uri": "https://my-app.com/some-route/",
        "effective-directive": "dom-clobbering",
        "original-policy": "no-access",
        "referrer": "https://my-app.com/some-route/",
        "violated-directive": "dom-clobbering"
    }
}

Result

Shield will collect the values of all id/name properties that were introduced to DOM at runtime and will redefine them on the window to throw an error when JavaScript code attempts to access them.

That's because while we use id/name attributes for our DOM nodes, we don't expect JavaScript code to access them, so when this happens it can only be done by a malicious entity - and that's what Shield blocks:

Unless the id/name was explicitly provided via the allowlist argument, which in that case Shield will allow JavaScript to access it:

Making Shield a very simple and elegant solution that requires you to do nothing but include the script in your app - shield will do the rest!

About

About

Shield your DOM against clobbering attacks effortlessly

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages