frameguard - npm Package Compare versions

Comparing version 0.2.2 to 1.0.0

index.js

@@ -1,21 +0,20 @@
-var isString = require('lodash.isstring');
+var isString = require('lodash.isstring')
 
-module.exports = function frameguard(action, options) {
+module.exports = function frameguard (action, options) {
+  var header
 
-  var header;
-
   if (action === undefined) {
-    header = 'SAMEORIGIN';
+    header = 'SAMEORIGIN'
   } else if (isString(action)) {
-    header = action.toUpperCase();
+    header = action.toUpperCase()
   }
 
   if (header === 'ALLOWFROM') {
-    header = 'ALLOW-FROM';
+    header = 'ALLOW-FROM'
   } else if (header === 'SAME-ORIGIN') {
-    header = 'SAMEORIGIN';
+    header = 'SAMEORIGIN'
   }
 
   if (['DENY', 'ALLOW-FROM', 'SAMEORIGIN'].indexOf(header) === -1) {
-    throw new Error('X-Frame must be undefined, "DENY", "ALLOW-FROM", or "SAMEORIGIN"');
+    throw new Error('X-Frame must be undefined, "DENY", "ALLOW-FROM", or "SAMEORIGIN"')
   }
@@ -25,12 +24,11 @@
     if (!isString(options)) {
-      throw new Error('X-Frame: ALLOW-FROM requires a second parameter');
+      throw new Error('X-Frame: ALLOW-FROM requires a second parameter')
     }
-    header = 'ALLOW-FROM ' + options;
+    header = 'ALLOW-FROM ' + options
   }
 
-  return function frameguard(req, res, next) {
-    res.setHeader('X-Frame-Options', header);
-    next();
-  };
-
-};
+  return function frameguard (req, res, next) {
+    res.setHeader('X-Frame-Options', header)
+    next()
+  }
+}

package.json

@@ -8,3 +8,4 @@ {
   "description": "Middleware to set X-Frame-Options headers",
-  "version": "0.2.2",
+  "version": "1.0.0",
+  "license": "MIT",
   "keywords": [
@@ -25,12 +26,20 @@ "helmet",
   "scripts": {
-    "test": "mocha"
+    "test": "standard && mocha"
   },
   "devDependencies": {
-    "connect": "^3.3.1",
-    "mocha": "^2.0.1",
-    "supertest": "^0.15.0"
+    "connect": "^3.4.0",
+    "mocha": "^2.3.4",
+    "standard": "^5.4.1",
+    "supertest": "^1.1.0"
   },
   "dependencies": {
     "lodash.isstring": "3.0.1"
+  },
+  "standard": {
+    "globals": [
+      "describe",
+      "beforeEach",
+      "it"
+    ]
   }
 }

README.md

@@ -1,25 +0,24 @@
-# Frameguard
-
+Frameguard
+==========
 [![Build Status](https://travis-ci.org/helmetjs/frameguard.svg?branch=master)](https://travis-ci.org/helmetjs/frameguard)
+[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)
 
-**Trying to prevent:** Your page being put in a `<frame>` or `<iframe>` without your consent. This helps to prevent things like [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking).
+The `X-Frame-Options` HTTP header restricts who can put your site in a frame which can help mitigate things like [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). It has three modes: `DENY`, `SAMEORIGIN`, and `ALLOW-FROM`. If your app does not need to be framed (and most don't) you can use the default `DENY`. If your site can be in frames from the same origin, you can set it to `SAMEORIGIN`. If you want to allow it from a specific URL, you can allow that with `ALLOW-FROM` and a URL.
 
-**How do we mitigate this:** The `X-Frame-Options` HTTP header restricts who can put your site in a frame. It has three modes: `DENY`, `SAMEORIGIN`, and `ALLOW-FROM`. If your app does not need to be framed (and most don't) you can use the default `DENY`. If your site can be in frames from the same origin, you can set it to `SAMEORIGIN`. If you want to allow it from a specific URL, you can allow that with `ALLOW-FROM` and a URL.
-
 Usage:
 
 ```javascript
-var frameguard = require('frameguard');
+var frameguard = require('frameguard')
 
 // Don't allow me to be in ANY frames:
-app.use(frameguard('deny'));
+app.use(frameguard('deny'))
 
 // Only let me be framed by people of the same origin:
-app.use(frameguard('sameorigin'));
-app.use(frameguard());  // defaults to this
+app.use(frameguard('sameorigin'))
+app.use(frameguard())  // defaults to this
 
 // Allow from a specific host:
-app.use(frameguard('allow-from', 'http://example.com'));
+app.use(frameguard('allow-from', 'http://example.com'))
 ```
 
-**Limitations:** This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. It only prevents against a certain class of attack, but does so pretty well. It also prevents your site from being framed, which you might want for legitimate reasons.
+This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. The `ALLOW-FROM` header option is [not supported in most browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility). Those browsers will ignore the entire header, [and the frame *will* be displayed](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2).

test/index.js

@@ -1,144 +0,134 @@
-var frameguard = require('..');
+var frameguard = require('..')
 
-var connect = require('connect');
-var request = require('supertest');
-var assert = require('assert');
+var connect = require('connect')
+var request = require('supertest')
+var assert = require('assert')
 
 describe('frameguard', function () {
-
   describe('with proper input', function () {
+    function hello (req, res) {
+      res.end('Hello world!')
+    }
 
-    function hello(req, res) {
-      res.end('Hello world!');
-    };
-
-    var app;
+    var app
     beforeEach(function () {
-      app = connect();
-    });
+      app = connect()
+    })
 
     it('sets header to SAMEORIGIN with no arguments', function (done) {
-      app.use(frameguard()).use(hello);
+      app.use(frameguard()).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'SAMEORIGIN', done);
-    });
+        .expect('X-Frame-Options', 'SAMEORIGIN', done)
+    })
 
     it('sets header to DENY when called with lowercase "deny"', function (done) {
-      app.use(frameguard('deny')).use(hello);
+      app.use(frameguard('deny')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'DENY', done);
-    });
+        .expect('X-Frame-Options', 'DENY', done)
+    })
 
     it('sets header to DENY when called with uppercase "DENY"', function (done) {
-      app.use(frameguard('DENY')).use(hello);
+      app.use(frameguard('DENY')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'DENY', done);
-    });
+        .expect('X-Frame-Options', 'DENY', done)
+    })
 
     it('sets header to SAMEORIGIN when called with lowercase "sameorigin"', function (done) {
-      app.use(frameguard('sameorigin')).use(hello);
+      app.use(frameguard('sameorigin')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'SAMEORIGIN', done);
-    });
+        .expect('X-Frame-Options', 'SAMEORIGIN', done)
+    })
 
     it('sets header to SAMEORIGIN when called with lowercase "same-origin"', function (done) {
-      app.use(frameguard('same-origin')).use(hello);
+      app.use(frameguard('same-origin')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'SAMEORIGIN', done);
-    });
+        .expect('X-Frame-Options', 'SAMEORIGIN', done)
+    })
 
     it('sets header to SAMEORIGIN when called with uppercase "SAMEORIGIN"', function (done) {
-      app.use(frameguard('SAMEORIGIN')).use(hello);
+      app.use(frameguard('SAMEORIGIN')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'SAMEORIGIN', done);
-    });
+        .expect('X-Frame-Options', 'SAMEORIGIN', done)
+    })
 
     it('sets header properly when called with lowercase "allow-from"', function (done) {
-      app.use(frameguard('allow-from', 'http://example.com')).use(hello);
+      app.use(frameguard('allow-from', 'http://example.com')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
-    });
+        .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done)
+    })
 
     it('sets header properly when called with uppercase "ALLOW-FROM"', function (done) {
-      app.use(frameguard('ALLOW-FROM', 'http://example.com')).use(hello);
+      app.use(frameguard('ALLOW-FROM', 'http://example.com')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
-    });
+        .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done)
+    })
 
     it('sets header properly when called with lowercase "allowfrom"', function (done) {
-      app.use(frameguard('allowfrom', 'http://example.com')).use(hello);
+      app.use(frameguard('allowfrom', 'http://example.com')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
-    });
+        .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done)
+    })
 
     it('sets header properly when called with uppercase "ALLOWFROM"', function (done) {
-      app.use(frameguard('ALLOWFROM', 'http://example.com')).use(hello);
+      app.use(frameguard('ALLOWFROM', 'http://example.com')).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
-    });
+        .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done)
+    })
 
     it('works with String object set to "SAMEORIGIN" and doesn\'t change them', function (done) {
-      /* jshint -W053 */
-      var str = new String('SAMEORIGIN');
-      /* jshint +W053 */
-      app.use(frameguard(str)).use(hello);
+      var str = new String('SAMEORIGIN')  // eslint-disable-line
+      app.use(frameguard(str)).use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'SAMEORIGIN', done);
-      assert.equal(str, 'SAMEORIGIN');
-    });
+        .expect('X-Frame-Options', 'SAMEORIGIN', done)
+      assert.equal(str, 'SAMEORIGIN')
+    })
 
-    it('works with ALLOW-FROM with String objects and doesn\'t change them', function (done) {
-      /* jshint -W053 */
-      var directive = new String('ALLOW-FROM');
-      var url = new String('http://example.com');
-      /* jshint +W053 */
-      app.use(frameguard(directive, url));
-      app.use(hello);
+    it("works with ALLOW-FROM with String objects and doesn't change them", function (done) {
+      var directive = new String('ALLOW-FROM')  // eslint-disable-line
+      var url = new String('http://example.com')  // eslint-disable-line
+      app.use(frameguard(directive, url))
+      app.use(hello)
       request(app).get('/')
-      .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
-      assert.equal(directive, 'ALLOW-FROM');
-      assert.equal(url, 'http://example.com');
-    });
+        .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done)
+      assert.equal(directive, 'ALLOW-FROM')
+      assert.equal(url, 'http://example.com')
+    })
+  })
 
-  });
-
   it('names its function and middleware', function () {
-    assert.equal(frameguard.name, 'frameguard');
-    assert.equal(frameguard.name, frameguard().name);
-  });
+    assert.equal(frameguard.name, 'frameguard')
+    assert.equal(frameguard.name, frameguard().name)
+  })
 
   describe('with improper input', function () {
-
-    function callWith() {
-      var args = arguments;
+    function callWith () {
+      var args = arguments
       return function () {
-        return frameguard.apply(this, args);
-      };
+        return frameguard.apply(this, args)
+      }
     }
 
     it('fails with a bad first argument', function () {
-      assert.throws(callWith(' '));
-      assert.throws(callWith('denyy'));
-      assert.throws(callWith('DENNY'));
-      assert.throws(callWith(' deny '));
-      assert.throws(callWith(' DENY '));
-      assert.throws(callWith(123));
-      assert.throws(callWith(false));
-      assert.throws(callWith(null));
-      assert.throws(callWith({}));
-      assert.throws(callWith([]));
-      assert.throws(callWith(['ALLOW-FROM', 'http://example.com']));
-      assert.throws(callWith(/cool_regex/g));
-    });
+      assert.throws(callWith(' '))
+      assert.throws(callWith('denyy'))
+      assert.throws(callWith('DENNY'))
+      assert.throws(callWith(' deny '))
+      assert.throws(callWith(' DENY '))
+      assert.throws(callWith(123))
+      assert.throws(callWith(false))
+      assert.throws(callWith(null))
+      assert.throws(callWith({}))
+      assert.throws(callWith([]))
+      assert.throws(callWith(['ALLOW-FROM', 'http://example.com']))
+      assert.throws(callWith(/cool_regex/g))
+    })
 
     it('fails with a bad second argument if the first is "ALLOW-FROM"', function () {
-      assert.throws(callWith('ALLOW-FROM'));
-      assert.throws(callWith('ALLOW-FROM', null));
-      assert.throws(callWith('ALLOW-FROM', false));
-      assert.throws(callWith('ALLOW-FROM', 123));
-      assert.throws(callWith('ALLOW-FROM', ['http://website.com', 'http//otherwebsite.com']));
-    });
-
-  });
-
-});
+      assert.throws(callWith('ALLOW-FROM'))
+      assert.throws(callWith('ALLOW-FROM', null))
+      assert.throws(callWith('ALLOW-FROM', false))
+      assert.throws(callWith('ALLOW-FROM', 123))
+      assert.throws(callWith('ALLOW-FROM', ['http://website.com', 'http//otherwebsite.com']))
+    })
+  })
+})

New alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Fixed alerts

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

9382

2.2%

Number of low quality alerts

1

-50%

Worsened metrics

Dev dependency count

4

33.33%

Lines of code

142

-2.74%

Number of lines in readme file

25

-3.85%

Number of medium supply chain risk alerts

1

Infinity%

No dependency changes