 
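/**
 * Build an Express-style middleware that mitigates clickjacking by setting the
 * X-Frame-Options response header, and that serves the bundled companion script
 * (utils/clickjackingProtection.js, relative to this file) at a configurable URL.
 *
 * Header precedence is deny > sameOrigin > allowFrom; with none of them set the
 * middleware still emits "DENY", so the explicit `deny` default only matters for
 * readability of the options object.
 *
 * @param {Object}  [opts]
 * @param {boolean} [opts.deny=false]        emit "X-Frame-Options: DENY"
 * @param {boolean} [opts.sameOrigin=false]  emit "X-Frame-Options: SAMEORIGIN"
 * @param {string}  [opts.allowFrom=false]   emit "X-Frame-Options: ALLOW-FROM <origin>"
 *        NOTE(review): ALLOW-FROM is obsolete and is ignored by current browsers,
 *        which then apply no framing restriction at all. For a single trusted
 *        framer prefer a Content-Security-Policy "frame-ancestors" directive;
 *        this middleware does not set one (a separate CSP middleware may own
 *        that header), so treat allowFrom as legacy-only.
 * @param {string}  [opts.jsUrl="clickjacking_protection.js"]  request path at
 *        which the companion script is served; a missing leading "/" is added.
 *        Matching is against the full req.url, so a query string (e.g. a
 *        cache-buster) prevents the match and the request falls through.
 * @param {number}  [opts.maxAge]  passed through to res.sendFile as cache max-age
 * @returns {function(req, res, next)} the middleware
 * @throws {TypeError} if opts.allowFrom contains CR or LF (header injection)
 */
function ClickJackingConstructor(opts) {
    opts = opts || {};
    opts.deny = typeof opts.deny !== "undefined" ? opts.deny : false;
    opts.sameOrigin = opts.sameOrigin || false;
    opts.allowFrom = opts.allowFrom || false;
    opts.jsUrl = opts.jsUrl || "clickjacking_protection.js";

    // Normalise the script path once here rather than mutating opts on every
    // request (the previous version did this inside the request handler).
    if (opts.jsUrl && opts.jsUrl.charAt(0) !== "/") {
        opts.jsUrl = "/" + opts.jsUrl;
    }

    // allowFrom is interpolated straight into a header value. Reject CR/LF at
    // construction time so a bad (or attacker-influenced) value surfaces at
    // startup as a clear error instead of as a header-injection attempt or a
    // per-request setHeader failure.
    if (opts.allowFrom && /[\r\n]/.test(String(opts.allowFrom))) {
        throw new TypeError("clickJacking: opts.allowFrom must not contain CR or LF");
    }

    // The header value depends only on construction-time options, so compute
    // it once. Unrecognised/empty configuration deliberately falls back to DENY.
    var frameOptions = "DENY";
    if (opts.deny) {
        frameOptions = "DENY";
    } else if (opts.sameOrigin) {
        frameOptions = "SAMEORIGIN";
    } else if (opts.allowFrom) {
        frameOptions = "ALLOW-FROM " + opts.allowFrom;
    }

    return function clickJacking(req, res, next) {
        // Guard against the middleware being mounted twice on the same request.
        if (req._esecurity_clickjacking) {
            return next();
        }
        req._esecurity_clickjacking = true;

        // Serve the companion script itself; this response carries no
        // X-Frame-Options header and does not call next().
        if (opts.jsUrl && opts.jsUrl === req.url) {
            var sendFileOpts = {
                root: __dirname,   // fixed relative path below, so no traversal from user input
                maxAge: opts.maxAge
            };

            // res.sendfile is deprecated; prefer res.sendFile when the framework provides it.
            if (res.sendFile) {
                return res.sendFile("utils/clickjackingProtection.js", sendFileOpts);
            }
            return res.sendfile("utils/clickjackingProtection.js", sendFileOpts);
        }

        res.set("X-Frame-Options", frameOptions);
        return next();
    };
}

// CommonJS export; guarded so the file also loads in an ESM harness.
if (typeof module !== "undefined" && module.exports) {
    module.exports = ClickJackingConstructor;
}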