feat(security): add route-scoped frame-defense guard against clickjacking#1988
Draft
HARISHWAR-T wants to merge 1 commit into
…king

Add FrameBustingService (frame detection) and FrameDefenseGuard (CanActivate), wired onto the authenticated /calendar and /contacts routes so the app refuses to render those flows inside a frame. Add a conservative meta CSP (object-src 'none'; base-uri 'self') and a SECURITY.md documenting the authoritative frame-ancestors / X-Frame-Options response headers to set at the edge. Scoped per-route rather than globally so legitimate full-app embedding is not broken.

Developed with assistance from Claude (Anthropic), per the AI-use policy in CONTRIBUTING.md; all code reviewed by the author.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Defence-in-depth hardening against clickjacking / UI-redress. The app currently
ships no client-side frame defence and index.html carries no CSP / X-Frame-Options. This PR adds:

FrameBustingService.isFramed() — frame detection (injectable window for tests).
FrameDefenseGuard (CanActivate) wired onto the authenticated /calendar and /contacts routes: when window.self !== window.top it refuses to activate the route, so those flows are not rendered inside a frame.
<meta> CSP in index.html (object-src 'none'; base-uri 'self'), both directives honoured in meta and chosen to not constrain Angular's script/style/worker/connect needs.
SECURITY.md recommending the authoritative server headers (Content-Security-Policy: frame-ancestors 'none' + X-Frame-Options: DENY).

Why route-scoped, not global
Every framing usage in the repo is the app acting as a parent (sandboxed
mail-content iframe, print frame, logout iframe) — none bootstrap the app as a
framed child. But a legitimate external embedder can't be ruled out, so a
global break-out / display:none could break real usage. Scoping the refusal to specific sensitive routes closes the vector while leaving any whole-app
embedding intact.

frame-ancestors is deliberately omitted from <meta> because browsers ignore it there — it must be a response header.
Tests

frame-busting.service.spec.ts — framed / not-framed / cross-origin-throws.
frame-defense.guard.spec.ts — canActivate() is true when top === self, false when top !== self.

Run: npm run ci-tests.

Notes

node src/build/build-changelog.js) not regenerated yet; happy to add it if preferred.
npm run ci-tests run.

AI disclosure

Drafted with assistance from Claude (Anthropic); all code reviewed and verified
by the author, per CONTRIBUTING's AI-use policy.
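The frame check and guard predicate described in the PR, as an added example that is not the PR's own code: a framework-free sketch of the `self !== top` test with an injectable window so the framed, not-framed and throwing cases can be exercised offline. The function names, the `WindowLike` shape and the constructed sample windows are assumptions, not the project's API.

```typescript
// Added example (not the PR's code). Names and the WindowLike shape are assumptions.

// Minimal window shape so the logic can be driven by a constructed object.
interface WindowLike {
  self: unknown;
  top: unknown;
}

// True when the document is rendered inside a frame. Comparing self to top is
// permitted across origins, but the PR's spec also covers a throwing case;
// treating a throw as "framed" fails closed (refuse to render) rather than open.
function isFramed(win: WindowLike): boolean {
  try {
    return win.self !== win.top;
  } catch {
    return true;
  }
}

// Route-guard predicate mirroring the CanActivate semantics in the PR:
// activation is allowed only when top === self.
function canActivateUnframed(win: WindowLike): boolean {
  return !isFramed(win);
}

// Constructed sample windows for the three cases the PR's specs describe.
function makeTopLevelWindow(): WindowLike {
  const w: WindowLike = { self: null, top: null };
  w.self = w;
  w.top = w;
  return w;
}

function makeFramedWindow(): WindowLike {
  const parent = makeTopLevelWindow();
  const child: WindowLike = { self: null, top: parent };
  child.self = child;
  return child;
}

function makeCrossOriginThrowingWindow(): WindowLike {
  const w: WindowLike = { self: null, top: null };
  w.self = w;
  Object.defineProperty(w, 'top', {
    get() { throw new Error('SecurityError (constructed): cross-origin access blocked'); },
  });
  return w;
}
```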