JSPM

clickjacket

0.0.1
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 2
  • Score
    100M100P100Q22773F
  • License MIT

A simple JavaScript library for click-jacking protection.

Package Exports

  • clickjacket

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (clickjacket) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

ClickJacket

"Best-for-now" iframe protection to only allow iframes for any given protocols and/or domains. Replaces page html when viewed from an origin that is not allowed.

Config

allowedDomains

type: [String]

The domains to allow from an iframe. Allows all domains if not given.

allowedProtocols

type: [String]

The protocols to allow from an iframe. Allows all protocols if not given.

failureMessage

type: String

If an iframe fails to pass validation, this message replaces the page's html. Defaults to '';

Usage

<!-- Allow specific domains -->
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>Cool Site</title>
</head>
<body>
    <script src="clickjacket.min.js"></script>
    <script>
    // Replaces the page html when viewed in an
    // iframe not at the cooldomain.com or cooldomain.io domains.
    (new ClickJacket({
        allowedDomains: ['cooldomain.com', 'cooldomain.io']
    })).runCheck();
    </script>
</body>
</html>
<!-- Allow specific protocols -->
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>Cool Site</title>
</head>
<body>
    <script src="clickjacket.min.js"></script>
    <script>
     // Replaces the page html when viewed in an
    // iframe not using an https protocol.
    (new ClickJacket({
        allowedProtocols: ['https']
    })).runCheck();
    </script>
</body>
</html>
<!-- Show specialized message -->
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>Cool Site</title>
</head>
<body>
    <script src="clickjacket.min.js"></script>
    <script>
     // Replaces the page html with a failure message.
    (new ClickJacket({
        allowedDomains: ['cooldomain.com', 'cooldomain.io'],
        allowedProtocols: ['https'],
        failureMessage: 'This site cannot be viewed from this iframe.'
    })).runCheck();
    </script>
</body>
</html>