
Implementing Clickjacking Framing Protection in Your Developments

Procedure

  1. Check whether protection is available and activated.

    To check whether the clickjacking service is enabled on SAP NetWeaver AS for Java, call the clickjacking servlet in your browser. The servlet is available on SAP NetWeaver AS for Java provided that the software components are on the support package stacks defined in SAP Note 2170590. See the section Support Packages and Patches.

    To determine programmatically whether the service is active, use the method public Boolean isClickjackingProtectionEnabled();. It returns a Boolean flag indicating whether clickjacking protection is enabled.

    To access the clickjacking servlet, enter the following in your web browser:

    http://<host>:<port>/sap.com~tc~lm~itsam~servlet~clickjacking/check

    • The following is an example of the response when the service is off.

      {"version" : "1.0","active" : false, "status" : "OFF"}

      Activate the service.

    • The following is an example of the response when the service is on.

      {"version" : "1.0","active" : true, "origin" : "null","framing" : false}

    Table 1: Interpreting the JSON Response of the Clickjacking Service

    Parameter   Description
    version     Identifies the version of the clickjacking protection service.
    active      true indicates that the service is enabled.
    status      Present only when the service is off; the value is OFF.
    origin      Returns the value of the parentOrigin parameter. It is "null" when no parent origin was supplied, as in the direct browser call above.
    framing     true indicates that framing by that parent origin is allowed.

    Other application servers are not supported by SAP by default. Whether and how support can be determined depends on the server-specific implementation.

  2. Get the JavaScript.

    Download the JavaScript required for clickjacking protection from the server using the following static URL:

    http://<host>:<port>/sap.com~tc~lm~itsam~servlet~clickjacking/js/ClickjackingProtection.js

    Other application servers are not supported by SAP by default. Whether and how support can be determined depends on the server-specific implementation.

  3. Get the style sheet.

    For SAP NetWeaver AS for Java, call the clickjacking.ejb to get either a style sheet with the default values or one with customized values.

    Use one of the following methods to get the stylesheet:

    • public String getDefaultProtection(HttpServletRequest request);

      The method provides the default protection script for clickjacking protection.

    • public String getCustomProtection(HttpServletRequest request, ClickJackingProtectionConfiguration contentData);

      The method provides the custom protection script for clickjacking protection using the custom configurable parameters.

      To get the configurable parameters for the custom protection script, use the following method:

      public ClickJackingProtectionConfiguration getDefaultConfigParams(HttpServletRequest request);

    For more information, see SAP Note 2170590.

    Other application servers are not supported by SAP by default. Whether and how support can be determined depends on the server-specific implementation.

  4. Implement a whitelist service.

    If you are using an application server other than SAP NetWeaver Application Server, implement your own service that provides a whitelist to the applications. The service must be reachable via a URL of one of the following forms:

    • <protocol>://host.domain.com(:<port>)/<serviceUrl>?parentOrigin=<URL of parent>

    • <protocol>://host.domain.com(:<port>)/<serviceUrl>?parm1=value1&…&parentOrigin=<URL of parent>

    The <serviceUrl> must be passed as a parameter when calling the JavaScript. On SAP NetWeaver AS for Java, for example, this URL is sap.com~tc~lm~itsam~servlet~clickjacking/check.

    The script determines the origin of the parent window using postMessage. The path of the application is included so that filtering by application becomes possible; application-based whitelisting is, however, currently not supported.

    The JavaScript implementation in ClickjackingProtection.js expects one of the following responses from the whitelist service (the value of framing decides whether the page may be displayed inside the given parent):

    {"version":"1.0","active":true,"origin":"<parentorigin>","framing":false}

    {"version":"1.0","active":true,"origin":"<parentorigin>","framing":true}
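    The following is an added example, not SAP code and not part of ClickjackingProtection.js, of the whitelist service described in step 4 on a non-SAP server, together with a small reader for the check response from step 1. It assumes Node.js, that the service is mounted at /check, and that the allowlist of parent origins is constructed sample data. The security-relevant point it shows is that the parentOrigin value must be canonicalized and compared as a whole origin (scheme, host and port), never by prefix or substring, and that a missing or "null" parent origin is answered with framing false.

    ```javascript
    // Added example (not SAP code): whitelist service for step 4 and a reader
    // for the step-1 check response. Assumptions: Node.js, service path /check,
    // and the allowlist below is constructed sample data.
    const http = require("http");

    // Constructed allowlist of parent origins that may frame this application.
    // Entries are origins (scheme://host[:port]) and are compared exactly, so
    // "https://portal.example.com.attacker.net" does not match
    // "https://portal.example.com".
    const ALLOWED_PARENT_ORIGINS = new Set([
      "https://portal.example.com",
      "https://intranet.example.com:8443",
    ]);

    // Canonicalizes a parentOrigin value to scheme://host[:port] (host
    // lower-cased, default port dropped). Returns null for anything that is
    // not an http(s) URL, e.g. javascript: or data: values.
    function normalizeOrigin(value) {
      let u;
      try {
        u = new URL(value);
      } catch (e) {
        return null;
      }
      if (u.protocol !== "https:" && u.protocol !== "http:") return null;
      return u.origin;
    }

    // Builds the JSON object ClickjackingProtection.js expects from the
    // whitelist service for a request such as
    // /check?parentOrigin=https://portal.example.com
    function whitelistDecision(requestUrl, allowed = ALLOWED_PARENT_ORIGINS) {
      const params = new URL(requestUrl, "http://localhost").searchParams;
      const parentOrigin = params.get("parentOrigin");
      // No parent origin (direct call, or the script could not determine one):
      // report "null" and deny framing, like the servlet response in step 1.
      if (parentOrigin === null || parentOrigin === "" || parentOrigin === "null") {
        return { version: "1.0", active: true, origin: "null", framing: false };
      }
      const origin = normalizeOrigin(parentOrigin);
      const framing = origin !== null && allowed.has(origin);
      // "origin" echoes the parentOrigin parameter, as Table 1 describes.
      return { version: "1.0", active: true, origin: parentOrigin, framing };
    }

    // Interprets the /check response from step 1: the service is enabled only
    // when "active" is true; when it is off the body carries "status":"OFF".
    function readCheckStatus(jsonText) {
      const r = JSON.parse(jsonText);
      const enabled = r.active === true;
      return { enabled, framingAllowed: enabled && r.framing === true };
    }

    // Returns an http.Server (not yet listening) that serves the whitelist
    // decision as JSON. Call .listen(port) on it to start the service.
    function createWhitelistServer() {
      return http.createServer((req, res) => {
        const body = JSON.stringify(whitelistDecision(req.url));
        res.writeHead(200, {
          "Content-Type": "application/json; charset=utf-8",
          "Cache-Control": "no-store",
        });
        res.end(body);
      });
    }
    ```

    Start the service with createWhitelistServer().listen(8080) and pass check as the <serviceUrl> parameter when calling the JavaScript. Because the decision is keyed on the canonical origin, an allowlist entry for https://portal.example.com also matches https://PORTAL.example.com:443/, while http://portal.example.com (scheme mismatch) and look-alike hosts are denied.
    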

  5. Implement clickjacking framing protection into a framework.

    Find the right location and merge the style sheet and the JavaScript into the content.