npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@fastly/ember-anti-clickjacking

v1.0.0

Published

Anti-clickjacking support for ember

Downloads

9

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

sgehly-fastlysgehly-fastlyalfoncealfoncejparrishjparrishpsbankapsbankalfloreslfloreschrisfarberchrisfarberchicagoingchicagoingclayferrisclayferris

Keywords

ember-addonowaspclickjacking

Readme

Background

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header.

What this library does

ember-anti-clickjacking adds some JavaScript that runs before the application boots and prevents it from being rendered within the context of another page.

Is this all I need?

No! Defense in depth is important for protecting against clickjacking because of variations among browsers.

You should also be setting an appropriate X-Frame-Options header. If there are no cases in which your application can be embedded, the safest thing to do is deny framing altogether:

X-Frame-Options: DENY

If you're using a Content Security Policy (and you should be!), you should also set an appropriate frame-ancestors list. To prevent embedding altogether, set it to "none":

Content-Security-Policy: frame-ancestors "none";

Options

By default, ember-anti-clickjacking will inject

<style id="antiClickjack">body{display:none !important;}</style>

into your index.html. This is a protection for some older browsers that allow attackers to clobber top.location. Unfortunately, it doesn't play well with <noscript>. If you're using a Content Security Policy, the <style> tag also requires the style-src 'unsafe-inline' directive.

You can turn off the injection of the <style> tag as follows:

// config/environment.js:

module.exports = function(environment) {
  var ENV = {
    'ember-anti-clickjacking': {
      style: false
    }
  }
  // ...
};