To add the custom tag, modify the web.xml and then the declaration
section of the JSP. You can customize the script for the framed JSP.
Context
Remember
Include the ClickJacking Protection Custom tag in both framing
and framed JSPs.
Procedure
- Add the mapping of the taglib to the
web.xml of the application.
Sample Code
…
<jsp-config>
  <taglib>
    <taglib-uri>preventClickJacking.tld</taglib-uri>
    <taglib-location>/WEB-INF/preventClickJacking.tld</taglib-location>
  </taglib>
</jsp-config>
…
- Add the taglib command to the declaration section of the
JSP.
Use the following syntax:
<%@ taglib prefix="<prefix>" uri="preventClickJacking.tld" %>
You are free to determine the prefix. The prefix is used later in the JSP to
refer to the custom tag. For example:
<%@ taglib prefix="cjp" uri="preventClickJacking.tld" %>
- Call the custom tag in the head section of the generated HTML
in the JSP.
Use the following syntax:
<head>
…
<prefix:preventClickJacking/>
…
</head>
For example, if you chose to use cjp as the prefix,
the result would be as follows:
<head>
…
<cjp:preventClickJacking/>
…
</head>
- Perform customization of the clickjacking protection custom tag.
Note
You can define custom attributes for the protection script. Customization
is only for the child JSP, that is, the JSP to be framed.
To perform customization, use the following syntax:
<<prefix>:preventClickJacking
<attribute1>="custom_value1"
<attribute2>="custom_value2" ...
<attributeN>="custom_valueN"/>
For example, a call to the custom tag with a customized error message would
be as follows:
<cjp:preventClickJacking deniedMessage="Framing of this page is forbidden for this domain!"/>
You can modify the following attributes:
- styleId
- styleBody
- dataCheckDefault
- deniedMessage
- releaseTimeoutMessage
- whiteList
- protectionCallBack
Note
If you set custom values for attributes, the clickjacking application
XSS-encodes all of them except for the styleBody attribute. Because
styleBody is not encoded, set it only to static, trusted values.
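One way to verify that the procedure above was applied to every page, shown as an added example that is not part of the original documentation: a static check that web.xml maps preventClickJacking.tld and that each JSP both declares the taglib and calls the tag inside its head section. The function names, the status strings and the sample web.xml and JSP sources are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TLD_URI = "preventClickJacking.tld"
TAGLIB_RE = re.compile(r"<%@\s*taglib\b([^%]*)%>", re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
HEAD_RE = re.compile(r"<head\b[^>]*>(.*?)</head>", re.S | re.I)

def local(tag):  # drop an XML namespace such as {http://...}taglib
    return tag.rsplit("}", 1)[-1]

def webxml_maps_tld(webxml_text):
    """True if web.xml contains a <taglib> whose <taglib-uri> is TLD_URI."""
    for el in ET.fromstring(webxml_text).iter():
        if local(el.tag) == "taglib":
            uris = [(c.text or "").strip() for c in el if local(c.tag) == "taglib-uri"]
            if TLD_URI in uris:
                return True
    return False

def check_jsp(jsp_text):
    """Return 'ok', 'no-taglib' or 'tag-not-in-head' for one JSP source."""
    prefix = None
    for m in TAGLIB_RE.finditer(jsp_text):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        if attrs.get("uri") == TLD_URI:
            prefix = attrs.get("prefix")  # the prefix is chosen freely per JSP
    if not prefix:
        return "no-taglib"
    head = HEAD_RE.search(jsp_text)
    call = re.compile("<" + re.escape(prefix) + r":preventClickJacking\b")
    return "ok" if head and call.search(head.group(1)) else "tag-not-in-head"

def audit(jsps):  # keep only the JSPs that still need work
    return {n: s for n, s in ((n, check_jsp(t)) for n, t in jsps.items()) if s != "ok"}

# Constructed sample inputs (not taken from a real application)
SAMPLE_WEB_XML = ("<web-app><jsp-config><taglib><taglib-uri>preventClickJacking.tld</taglib-uri>"
                  "<taglib-location>/WEB-INF/preventClickJacking.tld</taglib-location>"
                  "</taglib></jsp-config></web-app>")
DIRECTIVE = '<%@ taglib prefix="cjp" uri="preventClickJacking.tld" %>\n'
SAMPLE_JSPS = {
    "framing.jsp": DIRECTIVE + "<html><head><cjp:preventClickJacking/></head><body/></html>",
    "framed.jsp": DIRECTIVE + '<html><head><cjp:preventClickJacking deniedMessage="No framing"/></head></html>',
    "forgot.jsp": "<html><head><title>x</title></head><body/></html>",
    "misplaced.jsp": DIRECTIVE + "<html><head></head><body><cjp:preventClickJacking/></body></html>",
}
if __name__ == "__main__":
    print(webxml_maps_tld(SAMPLE_WEB_XML), audit(SAMPLE_JSPS))
```

The check reads JSP source text only, so a page that receives the taglib directive or the head section through an include is reported and needs a manual look.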