Anti-clickjacking in a Shiny app


Gary Whiteford
May 25, 2017, 4:35:50 PM
to Shiny - Web Framework for R
In a Shiny app, how do I implement a frame-breaking script to prevent clickjacking in legacy browsers (e.g., IE6 or IE8)?


----------- Quote from Reference below this line ----------

Best-for-now Legacy Browser Frame Breaking Script

One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers that do not support the X-Frame-Options header.

In the document HEAD element, add the following: 

First apply an ID to the style element itself: 
<style id="antiClickjack">body{display:none !important;}</style>

And then delete that style by its ID immediately after in the script: 
<script type="text/javascript">
if (self === top) {
    // Not framed: remove the hiding style so the body becomes visible.
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else {
    // Framed: navigate the top-level window to this page to break out of the frame.
    top.location = self.location;
}
</script>


This way, everything can be in the document HEAD and you only need one method/taglib in your API. 

----------------------------------------------------------------------------

I tried the following in my ui.R, but it didn't work:

tags$style(id = "antiClickjack", HTML("body{display:none !important;}"))

# locate loupe.js anywhere under the working directory and include it
fn <- "loupe.js"
fnpath <- list.files(pattern = fn, full.names = TRUE, recursive = TRUE)
includeScript(fnpath, type = "text/javascript")


Where loupe.js is as suggested in the article:
if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else {
    top.location = self.location;
}


Don't really understand all of the code, so any help would be welcome.

Joe Cheng
May 27, 2017, 1:33:50 AM
to Gary Whiteford, Shiny - Web Framework for R
That should work but make sure the tags$style() and includeScript() calls are part of your actual UI object (i.e. somewhere inside the call to fluidPage(...) or whatever), not just in the ui.R file.
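As an added example (not code posted in this thread), the following ui.R puts both the style and the script inside the UI object, which is the fix Joe describes. The "antiClickjack" id and the script body come from the OWASP reference quoted above; the app title, the output id and the choice to inline the script as a string instead of loading a loupe.js file are assumptions made for illustration.

```r
# Added example: the OWASP legacy frame-breaker placed inside a Shiny UI object.
# Assumed names: the app title and the "status" output id are illustrative only.
library(shiny)

# The frame-breaker is kept in an R string so the UI is self-contained and no
# separate loupe.js file has to be located on disk.
anti_clickjack_js <- "
if (self === top) {
  // Not framed: remove the hiding style so the body becomes visible.
  var antiClickjack = document.getElementById('antiClickjack');
  antiClickjack.parentNode.removeChild(antiClickjack);
} else {
  // Framed: navigate the top-level window to this page to break out of the frame.
  top.location = self.location;
}
"

ui <- fluidPage(
  # Both tags must be part of the UI object (inside fluidPage), not loose
  # statements in ui.R. Order matters: the style hides the body first, then
  # the script decides whether to reveal it.
  tags$head(
    tags$style(id = "antiClickjack", HTML("body{display:none !important;}")),
    tags$script(type = "text/javascript", HTML(anti_clickjack_js))
  ),
  titlePanel("Frame-breaker demo"),
  verbatimTextOutput("status")
)

server <- function(input, output, session) {
  output$status <- renderText("If you can read this, the page is not framed.")
}

shinyApp(ui = ui, server = server)
```

Two points worth checking after deploying this: first, the defence fails closed, so a framed page, or a page whose JavaScript is blocked, stays hidden rather than rendering behind an attacker's overlay; second, the script only covers browsers that ignore frame-control headers, so for current browsers an X-Frame-Options or Content-Security-Policy frame-ancestors header set on the response (typically by the reverse proxy in front of the Shiny process) remains the primary control.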


Gary Whiteford
May 27, 2017, 1:48:18 AM
to Shiny - Web Framework for R
Ah! That's what I needed. Thanks!




Sent from my iPod

jiger...@ascentius.com
Jul 13, 2017, 6:38:03 AM
to Shiny - Web Framework for R
Hi,

I have been trying to find a solution for clickjacking for a week and am still struggling.
Can you please share the working code?

Appreciate your help.

Regards,
Jiger