graphql-playground Option for disabling GraphQL playground from being loaded into an iframe to prevent clickjacking

Option for disabling GraphQL playground from being loaded into an iframe to prevent clickjacking

Open fairnightzz opened this issue 2 years ago • 0 comments

This issue pertains to the following package(s):

[ ] GraphQL Playground - Electron App
[x] GraphQL Playground HTML
[x] GraphQL Playground
[x] GraphQL Playground Express Middleware
[ ] GraphQL Playground Hapi Middleware
[ ] GraphQL Playground Koa Middleware
[ ] GraphQL Playground Lambda Middleware

What OS and OS version are you experiencing the issue(s) on?

All

What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?

All

What is the expected behavior?

Have an option to prevent loading into an iframe. Should be two headers that will prevent this (frame ancestors and denying x frame options).

What is the actual behavior?

Since any graphql explorer endpoint can be loaded into an iframe, attackers can perform clickjacking (ui redress) to make changes in graphql apis. Auth tokens could be stolen if the data in the graphql endpoint is persisted.

What steps may we take to reproduce the behavior?

Any html site and load an iframe of localhost, or the link in which the graphql endpoint may be on.

Jun 02 '22 20:06 fairnightzz

graphql-playground graphql-playground copied to clipboard

Option for disabling GraphQL playground from being loaded into an iframe to prevent clickjacking

This issue pertains to the following package(s):

What OS and OS version are you experiencing the issue(s) on?

What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?

What is the expected behavior?

What is the actual behavior?

What steps may we take to reproduce the behavior?

graphql-playground
graphql-playground copied to clipboard