What OS and OS version are you experiencing the issue(s) on?
All
What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?
All
What is the expected behavior?
Have an option to prevent loading into an iframe. Should be two headers that will prevent this (frame ancestors and denying x frame options).
What is the actual behavior?
Since any graphql explorer endpoint can be loaded into an iframe, attackers can perform clickjacking (ui redress) to make changes in graphql apis. Auth tokens could be stolen if the data in the graphql endpoint is persisted.
What steps may we take to reproduce the behavior?
Any html site and load an iframe of localhost, or the link in which the graphql endpoint may be on.
This issue pertains to the following package(s):
What OS and OS version are you experiencing the issue(s) on?
All
What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?
All
What is the expected behavior?
Have an option to prevent loading into an iframe. Should be two headers that will prevent this (frame ancestors and denying x frame options).
What is the actual behavior?
Since any graphql explorer endpoint can be loaded into an iframe, attackers can perform clickjacking (ui redress) to make changes in graphql apis. Auth tokens could be stolen if the data in the graphql endpoint is persisted.
What steps may we take to reproduce the behavior?
Any html site and load an iframe of localhost, or the link in which the graphql endpoint may be on.