@fastly/ember-anti-clickjacking
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers that do not support the X-Frame-Options header.
ember-anti-clickjacking adds some JavaScript that runs before the application boots and prevents it from being rendered within the context of another page.
No! Defense in depth is important for protecting against clickjacking because of variations among browsers.
You should also be setting an appropriate X-Frame-Options header. If there are no cases in which your application can be embedded, the safest thing to do is deny framing altogether:

X-Frame-Options: DENY

If you're using a Content Security Policy (and you should be!), you should also set an appropriate frame-ancestors list. To prevent embedding altogether, set it to 'none' (CSP keywords must be single-quoted):

Content-Security-Policy: frame-ancestors 'none';
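The two headers above are easy to get subtly wrong (a double-quoted "none", an obsolete ALLOW-FROM, or only one of the two set). The following is an added example, not part of ember-anti-clickjacking, that audits a response's headers and reports whether framing is denied outright, which mechanism enforces it, and any warnings. It takes a plain object of header name to value, as you might build from a captured response; the header values in the usage are constructed.

```javascript
// Added example (not part of ember-anti-clickjacking): audit a response's
// framing headers. Input: plain object of header name -> value.

function parseFrameAncestors(csp) {
  // CSP is a ';'-separated list of directives; each directive is a name
  // followed by whitespace-separated source expressions.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null; // directive absent
}

function framingPolicy(headers) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }
  const result = { deniesAll: false, enforcedBy: 'none', warnings: [] };

  const csp = h['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources) {
    // Browsers that understand frame-ancestors give it precedence over
    // X-Frame-Options, so it decides the policy here.
    result.enforcedBy = 'csp';
    if (sources.some((s) => s.startsWith('"'))) {
      result.warnings.push(
        "frame-ancestors keyword is double-quoted; CSP keywords must be single-quoted, e.g. 'none'"
      );
    }
    result.deniesAll = sources.length === 1 && sources[0] === "'none'";
  } else {
    result.warnings.push('Content-Security-Policy has no frame-ancestors directive');
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (result.enforcedBy === 'none') {
      // No frame-ancestors: X-Frame-Options is the only control in play.
      result.enforcedBy = 'xfo';
      result.deniesAll = value === 'DENY';
    }
    if (value.startsWith('ALLOW-FROM')) {
      result.warnings.push('X-Frame-Options ALLOW-FROM is obsolete; use frame-ancestors instead');
    } else if (value !== 'DENY' && value !== 'SAMEORIGIN') {
      result.warnings.push('unrecognised X-Frame-Options value: ' + xfo);
    }
  } else {
    result.warnings.push('X-Frame-Options missing: browsers without frame-ancestors support have no fallback');
  }
  return result;
}

// Constructed sample: the recommended pair of headers from the text above.
const sampleHeaders = {
  'Content-Security-Policy': "frame-ancestors 'none';",
  'X-Frame-Options': 'DENY',
};
console.log(framingPolicy(sampleHeaders));
```

The audit treats a single 'none' source as the only configuration that denies all framing; SAMEORIGIN or a frame-ancestors list with origins is reported as allowing framing, because it does, for the listed ancestors.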
By default, ember-anti-clickjacking will inject

<style id="antiClickjack">body{display:none !important;}</style>

into your index.html. This is a protection for some older browsers that allow attackers to clobber top.location. Unfortunately, it doesn't play well with <noscript>. If you're using a Content Security Policy, the <style> tag also requires the style-src 'unsafe-inline' directive.
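To make the interplay between the injected <style> tag and the frame-breaker script concrete, here is an added example of the pattern the addon applies, not the addon's own source. The page is hidden by <style id="antiClickjack"> before any script runs; the script removes that style only when the page is top-level, and otherwise leaves the body hidden while trying to navigate the top window to itself. The window and document objects at the bottom are constructed stand-ins so the decision logic can be exercised outside a browser; the origins are examples.

```javascript
// Added example (not ember-anti-clickjacking's own code): frame-breaker
// logic paired with the hiding <style id="antiClickjack"> tag.

function isFramed(win) {
  // A window is framed when it is not its own top-level browsing context.
  return win.self !== win.top;
}

function runFrameBreaker(win, doc) {
  const style = doc.getElementById('antiClickjack');
  if (!isFramed(win)) {
    // Top-level page: reveal it by removing the hiding style.
    if (style) style.parentNode.removeChild(style);
    return 'revealed';
  }
  // Framed: keep the body hidden so nothing is clickable, and try to bust out.
  // Assigning top.location is permitted cross-origin even though reading it
  // is not; a sandboxed frame or an old browser that clobbers top.location
  // can still refuse, which is why the hidden <style> stays in place.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // Navigation refused; the page remains hidden.
  }
  return 'blocked';
}

// Constructed stand-in for document: one <style id="antiClickjack"> element.
function makeFakeDocument() {
  const style = { id: 'antiClickjack', attached: true, parentNode: null };
  style.parentNode = { removeChild(node) { node.attached = false; } };
  return {
    style,
    getElementById(id) { return id === style.id && style.attached ? style : null; },
  };
}

// Constructed stand-in for window; `framed` puts it under a different top.
function makeFakeWindow(framed) {
  const win = { location: 'https://app.example/' }; // example origin
  win.self = win;
  win.top = framed ? { location: 'https://framing-site.example/' } : win;
  return win;
}

// Run the breaker in one scenario and report what a user would observe.
function demo(framed) {
  const win = makeFakeWindow(framed);
  const doc = makeFakeDocument();
  const outcome = runFrameBreaker(win, doc);
  return { outcome, bodyHidden: doc.style.attached, topLocation: win.top.location };
}

console.log('top-level:', demo(false));
console.log('framed:   ', demo(true));
```

In a real index.html the <style> tag goes first in <head>, followed immediately by an inline script calling the equivalent of runFrameBreaker(window, document); ordering matters, because the body must already be hidden before any script can be blocked or delayed.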
You can turn off the injection of the <style> tag as follows:

// config/environment.js:
module.exports = function(environment) {
  var ENV = {
    'ember-anti-clickjacking': {
      style: false
    }
  };
  // ...
};
Anti-clickjacking support for ember
We found that @fastly/ember-anti-clickjacking demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.