Option for disabling GraphQL playground from being loaded into an iframe to prevent clickjacking

[fairnightzz]

This issue pertains to the following package(s):

• GraphQL Playground - Electron App
• GraphQL Playground HTML
• GraphQL Playground
• GraphQL Playground Express Middleware
• GraphQL Playground Hapi Middleware
• GraphQL Playground Koa Middleware
• GraphQL Playground Lambda Middleware

What OS and OS version are you experiencing the issue(s) on?

All

What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?

All

What is the expected behavior?

Have an option to prevent loading into an iframe. Should be two headers that will prevent this (frame ancestors and denying x frame options).

What is the actual behavior?

Since any graphql explorer endpoint can be loaded into an iframe, attackers can perform clickjacking (ui redress) to make changes in graphql apis. Auth tokens could be stolen if the data in the graphql endpoint is persisted.

What steps may we take to reproduce the behavior?

Any html site and load an iframe of localhost, or the link in which the graphql endpoint may be on.