Prevent clickjacking #12

Merged
merged 2 commits into from
May 16, 2022
4 changes: 2 additions & 2 deletions jest.config.ts
Expand Up @@ -44,8 +44,8 @@ const config: Config.InitialOptions = {
global: {
branches: 20,
functions: 50,
lines: 67,
statements: 67,
lines: 66,
statements: 66,
},
},
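Review bot: the `lines` and `statements` thresholds drop from 67 to 66 in this hunk, which indicates the new sub-frame path in src/index.ts (the `else` branch and `setupOpenSelfInNewTabLink`) has no test exercising it. Rather than lowering the bar, add a test that loads the page with `window.top !== window.self` and asserts that `start` is not registered on DOMContentLoaded and that the `open-self-in-new-tab` anchor receives `window.location.href`; that keeps the thresholds at 67 and covers the security-relevant branch this PR introduces.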

32 changes: 28 additions & 4 deletions src/index.ts
Expand Up @@ -45,11 +45,35 @@ window.addEventListener('load', async () => {
}
});

// Skip stream initialization on extension startup, when this page is loaded
// in a hidden iframe. No need to setup streams to handle user interaction in
// that case.
// Skip stream initialization on extension startup (when this page is loaded
// in a hidden iframe), and in sub-frames. In both cases, the user interactions
// handled by the streams are not possible.
if (!isExtensionStartup()) {
window.document.addEventListener('DOMContentLoaded', start);
if (window.top === window.self) {
window.document.addEventListener('DOMContentLoaded', start);
} else {
// The sub-frame case requires the "open in new tab" href to be set
// dynamically because a relative `href` attribute would not preserve
// the URL hash.
window.document.addEventListener(
'DOMContentLoaded',
setupOpenSelfInNewTabLink,
);
}
}

/**
* Setup the "Open in new tab" link.
*
* This is necessary so that the "open in new tab" link includes the current
* URL hash. A statically-set relative `href` would drop the URL hash.
*/
function setupOpenSelfInNewTabLink() {
const newTabLink = window.document.getElementById('open-self-in-new-tab');
if (!newTabLink) {
throw new Error('Unable to locate "Open in new tab" link');
}
newTabLink.setAttribute('href', window.location.href);
}

/**
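Review bot: the comment at the top of this hunk gives "the user interactions handled by the streams are not possible" as the reason for skipping `start` in sub-frames, but the actual reason, per the PR title, is clickjacking: a page that embeds this warning must not get a live, clickable copy of it. Say so in the comment, otherwise a later change could re-enable `start` in frames for a usability reason and silently undo the fix. Two smaller points: the `window.top === window.self` test here duplicates the `self === top` check in the inline script in static/index.html, so the framed/unframed decision now lives in two places that must agree, and a single shared helper would avoid drift; and `setupOpenSelfInNewTabLink` throws when the anchor is missing, which from a DOMContentLoaded listener only reaches the console, leaving the framed body visible without a working link. That is an acceptable failure mode, but a one-line comment stating it is intended would help the next reader.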
22 changes: 14 additions & 8 deletions static/index.css
Expand Up @@ -36,6 +36,16 @@ body {
font-family: Euclid, Roboto, Helvetica, Arial, sans-serif;
}

p {
margin: 2em;
}

p a {
text-decoration: underline;
color: var(--color-primary-default);
cursor: pointer;
}

.content {
display: flex;
flex-direction: column;
Expand Down Expand Up @@ -81,12 +91,8 @@ body {
color: var(--color-text-default);
}

.content__body p {
margin: 2em;
}

.content__body p a {
text-decoration: underline;
color: var(--color-primary-default);
cursor: pointer;
.content__framed-body {
background-color: var(--color-background-alternative);
font-size: 1rem;
color: var(--color-text-default);
}
25 changes: 24 additions & 1 deletion static/index.html
@@ -1,6 +1,17 @@
<!DOCTYPE html>
<html lang="en">
<head>
<style id="antiClickjack">
#content__body {
display: none !important;
}
</style>
<script type="text/javascript">
if (self === top) {
document.getElementById('antiClickjack').innerHTML =
'#content__framed-body { display: none !important; }';
}
</script>
<title>MetaMask Phishing Detection</title>
<script
src="./globalthis.js"
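Review bot: this hunk relies on the inline `<script>` actually executing, since it uses the OWASP legacy frame-busting pattern (hide `#content__body` by default, reveal it only when `self === top`). If the page's CSP disallows inline scripts, `#content__body` stays hidden at every level: that fails closed for the framed case, but the top-level page would then show only `#content__framed-body`, whose "open in new tab" link never gets an `href` because `setupOpenSelfInNewTabLink` in src/index.ts runs only in the sub-frame branch. Confirm the extension's CSP for this page permits the inline script (or move the check into a referenced script file), and consider a `frame-ancestors` directive as the declarative first line of defense wherever this page's delivery allows one, keeping the script as the fallback. Minor: the `innerHTML` replacement string is the only place the `#content__framed-body` selector is spelled on this side of the check, and a typo there would silently display both bodies at top level, so a test that loads the page top-level and asserts `#content__framed-body` is not rendered is worth adding.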
Expand Down Expand Up @@ -41,7 +52,7 @@ <h1>
MetaMask Phishing Detection
</h1>
</div>
<div class="content__body">
<div id="content__body" class="content__body">
<p>
This domain is currently on the MetaMask domain warning list. This
means that based on information available to us, MetaMask believes
Expand Down Expand Up @@ -85,6 +96,18 @@ <h1>
>.
</p>
</div>
<div id="content__framed-body" class="content__framed-body">
<p>
This domain is currently on the MetaMask domain warning list. This
means that based on information available to us, MetaMask believes
this domain could currently compromise your security and, as an added
safety feature, MetaMask has restricted access to the site.
</p>
<p>
<a id="open-self-in-new-tab" target="_blank">Open this warning in a new tab</a> for more information
on why this domain is blocked, and how to continue at your own risk.
</p>
</div>
</div>
</body>
</html>
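Review bot: the `<a id="open-self-in-new-tab" target="_blank">` in this hunk has no `href` in the markup, so until `setupOpenSelfInNewTabLink` runs it is not a link at all (not focusable, no link semantics, middle-click does nothing); if that script throws or is never registered, the framed body promises a new tab and offers none. Consider a static fallback `href` (the page without its hash, which the comment in src/index.ts explains is why it cannot be the final value) that the script then overwrites with `window.location.href`, and add `rel="noopener noreferrer"` next to `target="_blank"` so the opened tab cannot reach back through `window.opener` in browsers that do not imply it. Also note that the first paragraph here duplicates the first paragraph of `#content__body` verbatim; acceptable now, but the two copies will drift unless both are generated from one source.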